
How major of a security flaw is this?

Originally posted by: spherrod
Originally posted by: TechnoPro
Originally posted by: Hyperblaze
Originally posted by: TechnoPro
Fvck, I always thought "hidden" and unlinked web content was reasonably secure... This is very disturbing.

It all depends on how the security is set up. Mind you, all we can do is make assumptions in this case.

But if you can FTP through people's various accounts, you might not be able to modify squat, but it IS a reasonable assumption that you can download it to your own computer.

In my case, I can browse and download from all other accounts on each server. Cannot rename or delete.

The fact that you can download from other accounts is a security flaw, surely? Are you going to push this or just migrate your clients' accounts?

First, I go on vacation and forget all of this nonsense for a while.

After that, I plan on researching the validity of the provider's above statement, while I push to migrate several client accounts. If, in fact, all shared hosting platforms allow access to others' files (either directly or with scripts), I will be shocked.

I don't want to hurt the provider's name or reputation without having first researched the underlying technology more closely, which is why I am choosing not to name names. Needless to say, though, they are a big, well-established and well-known company.
 
Obviously your provider is incompetent morons. It sounds like they were too dumb to configure permissions and manage them properly. I wouldn't trust the provider if they can't even get simple tasks like these in order. Being able to view other people's files is already a huge security risk, especially with PHP files that store passwords to DB and what not. If I was in your position, I would drop the host AND the vacation and immediately try to move your client's site to another one.
 
Originally posted by: razor2025
Obviously your provider is incompetent morons. It sounds like they were too dumb to configure permissions and manage them properly. I wouldn't trust the provider if they can't even get simple tasks like these in order. Being able to view other people's files is already a huge security risk, especially with PHP files that store passwords to DB and what not. If I was in your position, I would drop the host AND the vacation and immediately try to move your client's site to another one.

Drop the vacation? That's crazy talk.

All sensitive files have been removed. Plans are underway to switch.
 
It used to be common to have every user using the same group, but leave the user directories group readable. They must be old school and not bothering to catch up.
 
Originally posted by: TechnoPro

First, I go on vacation and forget all of this nonsense for a while.

After that, I plan on researching the validity of the provider's above statement, while I push to migrate several client accounts. If, in fact, all shared hosting platforms allow access to others' files (either directly or with scripts), I will be shocked.

I don't want to hurt the provider's name or reputation without having first researched the underlying technology more closely, which is why I am choosing not to name names. Needless to say, though, they are a big, well-established and well-known company.

Well, now that you mentioned scripts you got me thinking - IF I knew the usernames of other users on the system, I could do something like this in PHP:

(note: the root directory of one of my websites would be ~username/public_html/)

fopen("../../otheruser/public_html/index.php", "r");

And since that file is probably world readable, it would let me open it and read the contents. I'll try that on my shared hosting account tonight.

The difference in this case is that you don't have to know the other users' usernames. But if I was also able to execute an ls ../.. from one of my scripts, I could get those too.

Edit: I tried this and it seems PHP can be configured to only allow files to be opened in certain directories.
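
An added example, not part of any post in this thread: a Python audit an account owner could run over their own home directory to see which paths another local account could reach through the mode bits discussed above. It assumes the other account is neither the file's owner nor (for `who="other"`) in its group; `audit`, `build_sample` and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# (read bit, search bit) per class; "group" assumes all accounts share a group.
BITS = {"other": (stat.S_IROTH, stat.S_IXOTH),
        "group": (stat.S_IRGRP, stat.S_IXGRP)}

def audit(root, who="other"):
    """Map each path under root that `who` can reach to what they can do.

    A file is readable only if every directory from root down to it grants
    search (x) and the file grants read (r). A directory granting r as well
    can be listed, so names inside it need not be guessed.
    """
    r_bit, x_bit = BITS[who]
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if not mode & x_bit:
            dirnames[:] = []  # nothing below is reachable; stop descending
            continue
        rel = os.path.relpath(dirpath, root)
        findings[rel] = "listable" if mode & r_bit else "traversable"
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode) and st.st_mode & r_bit:
                findings[os.path.normpath(os.path.join(rel, name))] = "readable"
    return findings

def build_sample(root):
    """Create a constructed account tree for the demo (not from the thread)."""
    dirs = {"public_html": 0o711, "private": 0o700}
    files = {"public_html/index.php": 0o644, "public_html/config.php": 0o600,
             "private/notes.txt": 0o644}
    for rel in dirs:
        os.mkdir(os.path.join(root, rel))
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in list(dirs.items()) + [("", 0o755)]:
        os.chmod(os.path.join(root, rel), mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        for path, finding in sorted(audit(home).items()):
            print(f"{finding:12} {path}")
```

Paths reported as readable that hold credentials, such as the PHP files with database passwords mentioned earlier in the thread, are the ones to tighten or move first.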
 