
Stop other sites on server from being able to access other sites on server

@Deb1703797

Posted in: #Apache #Php #WebHosting

I am on a friend's server and I have found a potential security flaw where I can access other sites' files on the server. He says he is on shared hosting and I am not sure yet if the other sites are his or not; he has to get back to me on that. In the meantime though, I was wondering how do sites like GoDaddy deal with this issue? Do they put each account on the server into a sort of virtual server so you can access your other sites on your account but cannot access sites on other accounts? It might be the case that his server is working properly and all the sites I can access are his sites anyway, since they are under his account.

If they are all his sites, then how can he prevent other sites from accessing other sites, since some of them are other people's sites that he manages for them?


3 Comments


@Samaraweera270

In my experience, shared server space usually exposes individual projects on different ports. (http://app.server.com:15432)

In your situation however, you can try messing around with the "Access-Control-Allow-Origin" headers and passing some regex as the parameter.


@Alves908

Generally this should not happen. I do not use a web host, but I used to be in that business and I do carve up some servers here, so I still have a hand in it.

Generally speaking, when a user creates several sites without creating a new user for each site, the one user can see all of the sites. Let's say a second user is created; they can be within the same group as the first user that created the sites and have access to all the sites. This happens more times than people think. In reality, the two accounts should not be in the same group.

Typically, if I were to sell an account, that user would only have access to the web space I carve out for them. That user in turn can create users under their account that would have access to the web space created for them, or can have admin access that allows more access. The safest thing that can be done is to create a user account for every website, so that each website can only be accessed by that user or by the system admins, which would require root access to be able to modify file settings and such.

It sounds like your friend either has goofed up, trusts you, or just does not know how to carve up and manage web space. It sounds like you have a huge security hole that needs to be plugged ASAP.

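Editor's added example (not from the thread and not any host's own tooling): a small POSIX shell audit that walks a shared web root and reports every site directory that "other" users, which on a shared box means every neighbouring site's account, can read or enter, plus a remediation helper. It assumes one directory per site directly under the web root (for example /var/www/site1 and /var/www/site2); that layout is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: audit a shared web root for site
# directories that other local users can read or enter. Assumed layout:
# one directory per site directly under the web root, e.g. /var/www/site1.

# Return the three "other" permission characters of a path, e.g. "r-x".
# Parsed from ls -ld so the check works on both GNU and BSD userland.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Print one line per site directory under $1 that "other" (every other
# account on the box, including the neighbouring sites) can read or search.
# Returns 0 when nothing is exposed, 1 when at least one directory is.
audit_webroot() {
    root=$1
    exposed=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        case $(other_bits "$d") in
            *r*|*x*)
                printf 'EXPOSED %s owner=%s mode=%s\n' \
                    "$d" "$(ls -ld "$d" | awk '{print $3}')" "$(ls -ld "$d" | cut -c1-10)"
                exposed=1
                ;;
        esac
    done
    return $exposed
}

# Remediation for one site directory: strip every "other" bit recursively so
# only the owning account (and root) can get in. Group bits are left alone
# because the web server process often needs group read access to serve files.
harden_site_dir() {
    chmod -R o-rwx "$1"
}

# Stand-alone usage:  AUDIT_ROOT=/var/www sh audit-webroot.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_webroot "$AUDIT_ROOT"
fi
```

The audit only looks at the "other" bits. If every site is placed in one shared group, as the answer above warns against, the group bits leak just as badly, so pair this with one OS user and one group per site; the web server then gets access per site through group membership or a per-site PHP-FPM pool rather than through world-readable directories.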

@Alves908

PHP itself has a security mechanism called open_basedir. From the official documentation, the user will be 'jailed' to the directory set in his open_basedir parameter.

Most web-based hosting management panels (like ISPConfig) have implemented a feature to switch this on/off.

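Editor's added example (not from the thread and not ISPConfig's code) of what "switching on" open_basedir looks like on a per-site basis: a shell function that renders a PHP-FPM pool for one site, so its PHP runs as the site's own OS user and its file functions are jailed to the site's own directory, together with a small check that none of the configured paths escape that directory. Assumed layout: /var/www/<site> owned by an OS user of the same name, FPM sockets under /run/php, and Apache running as www-data; all of these are placeholders for your own host.

```shell
#!/bin/sh
# Added example, not from the thread: render a PHP-FPM pool for one site so
# that its PHP runs as the site's own OS user and is jailed with open_basedir.
# Assumed (placeholder) layout: /var/www/<site>, sockets in /run/php, and the
# web server running as www-data.

WEBROOT=${WEBROOT:-/var/www}
SOCKDIR=${SOCKDIR:-/run/php}
HTTPD_USER=${HTTPD_USER:-www-data}

# Print the pool section for SITE. open_basedir is set with php_admin_value so
# a script cannot override it with ini_set(). The trailing slash matters:
# open_basedir is a prefix match, so "/var/www/site1" would also admit
# "/var/www/site10". Upload and session paths are pinned inside the same tree
# because open_basedir applies to them too.
render_fpm_pool() {
    site=$1
    case $site in
        ''|*[!A-Za-z0-9_-]*) echo "invalid site name: '$site'" >&2; return 2 ;;
    esac
    cat <<EOF
[$site]
user = $site
group = $site
listen = $SOCKDIR/$site.sock
listen.owner = $HTTPD_USER
listen.group = $HTTPD_USER
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = $WEBROOT/$site/
php_admin_value[upload_tmp_dir] = $WEBROOT/$site/tmp
php_admin_value[session.save_path] = $WEBROOT/$site/tmp
php_admin_flag[allow_url_fopen] = Off
EOF
}

# Review check for a rendered pool: every path handed to php_admin_value must
# lie inside the site's own directory, otherwise the jail leaks. Returns 0
# when all paths are inside, 1 when at least one escapes.
check_pool_paths() {
    site=$1
    bad=0
    for p in $(render_fpm_pool "$site" | sed -n 's/^php_admin_value\[[^]]*\] = //p' | tr ':' ' '); do
        case $p in
            "$WEBROOT/$site"|"$WEBROOT/$site"/*) ;;
            *) echo "path escapes $WEBROOT/$site: $p" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Stand-alone usage:  SITE=site1 sh render-pool.sh > /etc/php/8.2/fpm/pool.d/site1.conf
# (the pool.d path is a placeholder; it varies by distribution and PHP version)
if [ -n "${SITE:-}" ]; then
    render_fpm_pool "$SITE"
fi
```

With mod_php instead of PHP-FPM, the equivalent line goes inside the site's `<VirtualHost>` as `php_admin_value open_basedir "/var/www/site1/"`, but then every site still executes as the single Apache user, so open_basedir is the only thing separating them. It restricts PHP's own file functions and nothing else (a shell, cron job, or non-PHP CGI on the same account is unaffected), which is why the per-site OS user from the earlier answer is the primary control and open_basedir is the belt to that pair of braces.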