Slashdot Mirror


Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting?

An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"

5 of 168 comments

  1. Security and shared hosting don't mix by Giant Electronic Bra · Score: 4, Informative

    You have no idea what idiotic web applications people are running. You should ASSUME that any shared host is compromised. Don't store any unencrypted data there which is at all sensitive. Given the low cost of renting a virtual or physical host machine these days it seems there's little reason to bother with shared hosting (yes, it is cheaper, but honestly the cost of an AWS micro instance is pretty low).

    The real problem is bulk shared hosting facilities just can't afford to tinker. There are often 100 or more accounts on a server, sometimes even 1000's. One stupid tweak to fix a security hole can break a LOT of scripts. These places will always prefer to just set up servers and not EVER patch them.

    The ultimate observation is just that driving the cost of hosting down to $2.99 a month means doing absolutely nothing beyond what is absolutely needed to make it work. You get what you pay for.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  2. Try responsible disclosure by kop · Score: 4, Informative

    http://en.wikipedia.org/wiki/Responsible_disclosure
    Contact them to agree a timeframe to patch.

  3. Be careful! by wmelnick · Score: 4, Informative

    If you live in the US, or your hosting is in the US, what you have done is technically cyber-crime. While I hate to say this, your best recourse is to move to another host and leave it all behind you. Should the hosting company start losing business because of you warning other users you could face all kinds of civil lawsuits and possibly even criminal penalties.

  4. Re:Responsible Disclosure by mysidia · Score: 4, Informative

    Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

    If you do that, be prepared for them to shut off your account immediately, and for them to file a complaint/police report, listing you as the offender, with possible criminal charges, for you hacking their service.

    Their lawyers may also send you a cease-and-desist letter, warning that you will be sued if you publish the information.

  5. Re:Do nothing by Zontar_Thing_From_Ve · Score: 5, Informative

    You absolutely cannot post the script or make any kind of public statement about the company and what it takes to get this information. The US and the UK have laws that I know of that cover hacking activities and your discovery of this problem could potentially be legally viewed as running afoul of those laws. If you live in the USA, trust me on this. You really do not want a possible fine and jail term hanging on the whims of the US jury system.