Discovered Serious Misconfiguration On Server Host

Hello everyone!
Although I have been reading things from hostballs for quite a while, this is the first time I post something, and it is security related.

So recently a guy I know asked me to help him move his site from a shared host to another shared host as his current plan was about to expire and he wasn’t 100% satisfied with their services. So after some suggestions we end up moving the site to a company I personally use to host a vps (for around 8 months) and its super stable even when its stressed.

Few weeks go by and I add another addon domain to the same hosting plan (can add up to 5) and run some scripts to check the server security.

To my surprise what I discovered other than the fact that I could run python scripts on the server’s side and pretty much burn 90% of the servers bandwidth, I can explore everyone’s paths, plus I have access to most of the other client’s databases (and can add / remove / modify pretty much anything in these databases).

I have asked the company if they happen to have a bug bounty program and sadly they dont :frowning:
How should i proceed? Has anything similar happened to you? Im obviously not going to use this info to harm others, Im just trying not to create a legal shitstorm out of nowhere.

Please give advice which I will greatly appreciate!

4 Likes

Damn, sounds juicy! This is a bit of a tough one, depending on your motive. If you offer the information to the host in return for something and they’re not interested, you could use the information to inform other users.

Personally though, I would just inform the host regardless of any reward. Though, it’s easy to say that when I’m not personally in the position haha.

2 Likes

Abuse the hell out of it.

The fact that they’re running everything under the same user or have a really awful umask should show just how security-savvy they are.

Take your friends’ shit and get away. Quickly.

All of that is also compromised, and you’re not the first person to try globbing path()."/…/".

4 Likes

Its not that everything runs under the same user on that server. Its just that each user can see directories of others if they try to. I can run things on there, just not as root. Also running certain things that are kind of cpu intensive raise my cpu usage to 100% (as indicated on cpanel), but global cpu usage of the server hasnt ever been higher than 10%. Should i just buy another plan from a different account that ill pay with btc and use it as a vps for my scripts??? :stuck_out_tongue:

I wouldn’t suggest it. Even the laziest admins will eventually notice network or slight CPU spikes; especially since they sound like they’re running CloudLinux.

Demonstrating a problem without causing issues is fine, and sometimes necessary. Taking advantage of something with full knowledge you’re abusing a service is not something I can get behind.

2 Likes

I believe i should let them know too, and eventually I will.
They do run cloudlinux.

Its just sad that they wont appreciate it as much as they should :confused:

1 Like

Weird, so they run cPanel?

They actually still do, and they haven’t made any announcements about changing it.
Who know, maybe they will announce it after (and if) they move to something cheaper

1 Like

Sounds kind of like WSGI is using a common user/setgid because of lazy admins who set a sticky bit on a filesystem because {reasons}.

Never trust anything you don’t secure yourself with any more data than you’d want to be public.

…and if you’ve got a dedi, it still doesn’t matter unless you encrypt everything, and that still doesn’t matter.

Finale approacheth.

Tricky… If you could get a trusted third party to disclose this to the hoster, it would seem to keep you out of the direct line of fire, but I assume it would be pretty easy to figure you out once somebody looks at the logs. Definitely think this over a bit and - should go without saying - move your friend off of there. Friends dont let friends stay on obviously insecure infrastructure :wink:

3 Likes

You found the problem so as long as you did not take advantage of it, then what would they accuse you of? besides of having helped them.
You could also send the information to that guy everyone loves that does security audits, sometimes even for free… he did that for the web panels not long ago.

Sorry “guy” I don’t remember your name.

I think people will often be surprised by how much they can view on a shared server. For example, /etc/passwd is usually visible (though /etc/shadow is not). Sometimes some things in /var/log are visible. There’s a lot that is normal for a privileged user to be able to access, and they can seem concerning.

However, none of that sounds relevant to your situation because:

I would run fast and far.

5 Likes

I would be glad to pass this to Steven/Patrick and investigate further while assuring you get the props. :slight_smile:

Hardly worth their time, I’d think. Doesn’t sound like the panel/sortware itself has any security holes, rather the host botched the setup or cut corners to make things “easier” for themselves.

3 Likes

Just because they don’t have a bug bounty program doesn’t mean the wouldn’t appreciate you informing them about the vulnerabilities. It’d be pretty stupid of them to take any action against you, a customer who cares about their infrastructure. But even if it is resolved, this should have you questioning if you’d like to stay with them regardless.

4 Likes

Just to bring it to their attention. I would personally tell them about the security issues.

Sec ninja / rack 911

E

IIRC Patrick

E 2 Miguel answered before.

1 Like

Thats what im thinking. It would be pretty stupid if they asked how and why I discovered it. I will let them know and update this thread when I have an official reply from them

5 Likes

@furiarts I do appreciate bad jokes more than I should sometimes - but would urge you to consider carefully that this seems to be one of those times when really better not to allow any opportunity for “misunderstanding” - as you may very well be dealing with some flavor of lamer who (as people often do) would be happy to point angry fingers in any other direction than at their own lame selves should shtf at some point.

Don’t worry about it too much - just keep things as simple as possible and move on

3 Likes