
Thread: editing phrase center's

  1. #31
    Join Date
    Mar 2011
    Posts
    2,144
    Thanks
    59
    Thanked 116 Times in 113 Posts
    Blog Entries
    4

    Love the photo!

    Quote, originally posted by jscheuer1:
    "Oh, so now I'm the hacker . . ."

    Yes. What webdev hasn't once tried hacking something?

  2. #32
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Quote, originally posted by keyboard1333:
    "...What webdev hasn't once tried hacking something?"

    I once decided to try and find out how serious the security problems on shared hosts could be. Now, I love programming, but I'm not really deep into security (and was far less so at the time), and I don't consider myself a hacker. I still have to use a cheat sheet for bash.

    I didn't really think I'd get anywhere. But, I wrote about six lines of PHP and glob()'d my /tmp directory. This revealed three sites that happened to be on the same server I was. I had five open user sessions, plus a _complete_ database dump (a recent backup that hadn't been GC'd yet) for one of the sites (which was using WordPress). All this without actually touching anything in the sites' home directories! Conceivably, I could have written a new script to any of those three sites that would have allowed me to do literally anything I wanted, as though it were my own site.

    Deleted everything. Haven't been back down that road, but you can bet I approach my PHP scripts differently now. And, I have a whole new opinion on the merits of a private server.

  3. #33
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Traq, that's worrying and interesting. But I expect that many hosts have improved security since then. If you do use a shared host, I believe it's crucial for it to be a generally trustworthy service rather than just the cheapest one you can find. Luckily with competitive prices out there, there are many choices for shared hosts so it shouldn't be too hard to find one with a good reputation (including for security) as well as a reasonable price.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  4. #34
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    I agree that it's worrying and interesting - but no, most hosts don't do anything about it. The problem is inherent with shared servers. There are two ways to close the hole: private servers (or virtual private servers), or to configure Apache to run under a different user for each account (meaning computer user; most hosts simply run Apache as "nobody," handling all shared sites together, thereby giving all accounts the same permissions to access files [good introductory article]).

    Both of these solutions are fairly easy to implement from a technical standpoint, but hosts generally consider them prohibitively expensive in terms of memory and processing power. As I'm sure you know, private servers / VPS cost quite a bit more than shared hosting. I'm not aware of any web host that runs Apache under unique users in a shared hosting setup (VPS are probably an easier/cheaper option).

    As computers get bigger, stronger, and faster, we might start to see VPS start to become a new, de facto standard for generic hosting. But I'm not sure how long that will take.
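
A self-audit for the exposure discussed in posts #32 and #34, as an added example that is not part of the original thread: run from your own account, it reports whether PHP runs under a shared server user, whether `open_basedir` is unset, and whether the session and temp directories can be listed by other accounts. The function name `audit_shared_host_exposure` is hypothetical; the check assumes a Unix host and uses only standard PHP functions.

```php
<?php
declare(strict_types=1);
// Hypothetical helper: reports how exposed this account's sessions and temp
// files are to other accounts on the same server. Run it from your own site.
function audit_shared_host_exposure(string $script = __FILE__): array
{
    $findings = [];

    // 1. Shared server user: PHP's effective uid differs from the uid that
    //    owns the site's files (for example, every site runs as "nobody").
    $shared = false;
    if (function_exists('posix_geteuid')) {
        $euid   = posix_geteuid();
        $owner  = fileowner($script);
        $shared = $owner !== false && $euid !== $owner;
        if ($shared) {
            $findings[] = "PHP runs as uid $euid, site files belong to uid $owner";
        }
    } else {
        $findings[] = 'posix extension missing: cannot compare process and file owner';
    }

    // 2. Without open_basedir a script may open any path the server user can read.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    }

    // 3. session.save_path may be "N;/path" or "N;MODE;/path"; keep the path part.
    $parts = explode(';', (string) ini_get('session.save_path'));
    $dirs  = [
        'session.save_path' => end($parts) ?: sys_get_temp_dir(),
        'temp dir'          => sys_get_temp_dir(),
    ];
    foreach ($dirs as $label => $dir) {
        $perms = @fileperms($dir);
        if ($perms === false) {
            continue; // outside open_basedir or not visible from this account
        }
        if ($perms & 0004) {
            $findings[] = "$label ($dir) can be listed by every local user";
        } elseif ($shared && is_readable($dir)) {
            $findings[] = "$label ($dir) can be listed by every site under the shared user";
        }
    }
    return $findings;
}
foreach (audit_shared_host_exposure() as $finding) {
    echo "[!] $finding\n";
}
```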

  5. #35
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Huh. Well, that's new for me. I thought hosts could limit how far up (down?) the directory tree a program could navigate, that it was simply blocked to go beyond the root of the user's directory, for any user. I can see how that could not be implemented, but I'm still not sure that it's impossible to do so.
