Blog for hpHosts, and whatever else I feel like writing about ....

Monday 19 April 2010

Hostek is putting their customers at risk

If you are hosting your site at Hostek.com, you are probably at a higher risk of being hacked. Why? Because they do not do the proper separation of accounts internally, so anyone can access the pages of everyone else.

How do we know that? We were helping a friend with his site over there and when we checked their permissions, we found a big (BIG) security hole on Hostek. Every PHP script is executed with the permissions of the user "nobody" (used by Apache), and every site allows the user "nobody" to access its files.

It means that any user can access the files from everyone else. Even worse, you can add and even modify the files under some circumstances.


Read more
http://blog.sucuri.net/2010/04/hostek-is-putting-their-customers-at.html

Footnote: I've just spoken to Hostek and they informed me they're aware of the issue, and it only affects one of their servers.

Sadly, they've said it's got a "special configuration" and cannot be changed (i.e. cannot be secured), so whilst they will move the sites for customers that request such, they won't do anything to close the vulnerability.


Hat tip to Holger at MDL for the heads up.

/update 20-04-2010

I've heard back from "Brian A" at Hostek, who has informed me, they've now secured the server. I'm awaiting confirmation of this from the author at securi.net.

No comments: