Shared Hosting Security


I made an earlier post in this forum regarding a cracked .htaccess password. Since then, I believe I have learned how the password was cracked. I'll briefly explain how (without sufficient detail to make it a *how to* post), but I'd like to know if there's anything TCH can do to plug up this potential security hole?

 

Here's how it could have been done: since this student was given an FTP account on the site, he was allowed to upload files in a directory under the root folder. Apparently, the FTP account prevents him from navigating out of his assigned folder, but the files in the folder have rights to read pages located outside that directory -- in fact, even outside the public_html directory. With a little knowledge and guesswork about the file structure of the site, he was able to use PHP to open and read any file on the site. Even though .htaccess files encrypt passwords and store them in a folder outside the public_html directory, he was able to view those files and later used a cracking program to discover the password.

 

Using *strong* passwords makes such a task far more difficult (perhaps even impossible) for anyone to learn the password in this fashion. However, the security risk remains. In a non-shared environment, this wouldn't be possible (I'm told). So I'm wondering if either TCH or I can do anything to restrict file access as described above?

 

I was also told that, in some shared hosting environments, the same sort of vulnerability exists between web sites located on the same server. Any truth to this?

 

Any help and/or suggestions will be appreciated. Thanks!


Charp,

 

With any shared hosting service there is always a risk. While we at TCH do everything we can do short of locking down the systems and only selling dedicated services to customers (even dedicated servers get cracked too), it is outside our control when you give users access to your site's files.

 

As suggested in this post and the previous post, using STRONG passwords is part of the resolution. The bigger part is knowing who you are giving access to and whether or not you trust them.

 

Could a hacker sit and spend countless CPU cycles trying to crack your password?

Sure they can; the question is how long before they give up and move on to the next person because they have a password that is a simple password like abc123.

 

Bottom line is this... secure your information with strong passwords and restrict the access to those individuals you find trustworthy.

Would it be possible to lock it down so that this was not possible?

Sure, but are you willing to have your scripts and applications not work at all?

Security and functionality have to have a balance.

Hope this helps
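
An added example, not part of either post and not TCH's code: the first post describes the password file being read by a script and then cracked offline, so this Python audit flags entries in an Apache password file whose hash scheme is cheap to crack, and checks whether the file is readable beyond its owner. The function names are hypothetical and the sample entries are constructed placeholders.

```python
import os
import re
import stat

# (prefix, scheme name, acceptable?) for hash formats found in Apache password files.
SCHEMES = [
    ("$2y$", "bcrypt", True),
    ("$apr1$", "apr1-md5", False),      # salted, but fast to guess offline
    ("{SHA}", "sha1-unsalted", False),  # no salt at all
]
# Traditional crypt(): 13 characters, and only the first 8 password characters count.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hash_field):
    """Map one stored hash to (scheme, acceptable)."""
    for prefix, name, ok in SCHEMES:
        if hash_field.startswith(prefix):
            return name, ok
    if DES_CRYPT.match(hash_field):
        return "des-crypt", False
    return "plaintext-or-unknown", False

def audit_password_file(text):
    """Return [(user, scheme)] for entries that are cheap to crack once the file leaks."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, ok = classify(hash_field)
        if not ok:
            findings.append((user, scheme))
    return findings

def readable_by_others(path):
    """True if group or other read bits are set, so accounts other than the owner may open it.
    Whether they can be cleared depends on which user the host runs the web server as."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

# Constructed sample: user names and hash bodies are placeholders with the right shape.
SAMPLE = """\
admin:$2y$10$CONSTRUCTEDplaceholderCONSTRUCTEDplaceholderCONSTRUCTED
teacher:$apr1$c0nstruc$CONSTRUCTEDplaceholder
student:abCONSTRUCTED
editor:{SHA}CONSTRUCTEDplaceholder000000=
"""

if __name__ == "__main__":
    for user, scheme in audit_password_file(SAMPLE):
        print(f"{user}: {scheme} -> rehash with bcrypt and a strong password")
```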
