Heck, it's easier to hack these web hosts than it is to hack a Sony website.
PHP needs special configuration in order to add security on a shared web server.
There are 3 different things a web host can do to make things secure:
- They can make the server 'SuExec', which means that PHP scripts run under the user of your own hosting account and are constrained accordingly. Believe it or not, by default Apache runs as a single user called 'apache', shared between all hosting accounts. In other words, without SuExec any file written by PHP is shared between all hosting accounts. At ocProducts we believe all hosts should use SuExec; it is such a basic, intuitive thing to expect. It's not enough just to enable SuExec, though: you also have to restrict access to the home directories of the different accounts so that read access between accounts is blocked (by default, read access is always there).
- They can set an 'open_basedir', which restricts PHP to operating only within the directory of the hosting account. If this is done, it is important to also lock down PHP's ability to run external system commands (otherwise PHP could simply launch another program on the server, and that program is not subject to PHP's open_basedir restriction).
- They can turn on PHP 'safe mode', which overlays some access control on top of PHP. Safe mode is lame: it is a horrible workaround that causes some really weird problems and doesn't actually solve the security problem fully. The PHP team are rightly getting rid of it.
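The three measures above can be checked from inside your own account without reading anything that belongs to anyone else. The following self-check script is an added example, not the article's own code or anything from ocProducts: it reports whether PHP runs as your account's user (SuExec or an equivalent), whether your account directory is closed to other users, whether open_basedir is set, whether the program-launching functions are disabled, and whether the obsolete safe mode is present. The file name hosting_check.php and the assumption that the script sits one level below the account root (for example in public_html) are mine.

```php
<?php
// hosting_check.php: added example, not the article's own script. Upload it
// to your own account and load it by URL; it inspects this account only.
header('Content-Type: text/plain');

// 1. SuExec-style execution: PHP should run as the account owner, so the
//    process uid should equal the owner of this file. Without the posix
//    extension, fall back to the owner of a file PHP has just written, which
//    is exactly the user that a shared 'apache' setup would use for all accounts.
$file_owner = fileowner(__FILE__);
if (function_exists('posix_geteuid')) {
    $process_uid = posix_geteuid();
} else {
    $tmp = tempnam(sys_get_temp_dir(), 'chk');
    $process_uid = ($tmp !== false) ? fileowner($tmp) : null;
    if ($tmp !== false) unlink($tmp);
}
echo "PHP process uid: $process_uid; owner of this script: $file_owner\n";
echo ($process_uid === $file_owner)
    ? "[ok]   PHP runs as the account owner (SuExec or equivalent)\n"
    : "[warn] PHP runs as a different user, probably one shared by all accounts\n";

// 1b. SuExec alone is not enough: the account directory must not be readable
//     or traversable by other users. Assumption: this script lives one level
//     below the account root (e.g. in public_html), so the root is dirname(__DIR__).
$account_root = dirname(__DIR__);
$perms = fileperms($account_root) & 0777;
printf("Permissions on %s: %04o\n", $account_root, $perms);
echo (($perms & 0005) === 0)
    ? "[ok]   other users cannot read or enter the account directory\n"
    : "[warn] account directory is readable/traversable by other users\n";

// 2. open_basedir confines PHP's file access to the listed paths.
$basedir = (string) ini_get('open_basedir');
echo 'open_basedir: ' . ($basedir === '' ? '(not set)' : $basedir) . "\n";
echo ($basedir !== '')
    ? "[ok]   open_basedir is set\n"
    : "[warn] open_basedir is not set; PHP can read anywhere the process user can\n";

// 2b. open_basedir only helps if PHP cannot launch other programs, which
//     ignore it. function_exists() returns false for functions listed in
//     disable_functions, so it doubles as the check.
$shell = array('exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open');
$enabled = array_filter($shell, 'function_exists');
echo 'Program-launching functions still enabled: '
    . (empty($enabled) ? '(none)' : implode(', ', $enabled)) . "\n";
echo empty($enabled)
    ? "[ok]   external commands are disabled\n"
    : "[warn] external commands are allowed, so open_basedir can be sidestepped\n";

// 3. Safe mode: the stop-gap the article dismisses (deprecated in PHP 5.3,
//    removed in 5.4). ini_get() returns false when the setting no longer exists.
$safe = ini_get('safe_mode');
echo 'safe_mode: ' . ($safe === false ? '(not available in this PHP version)' : ($safe ? 'on' : 'off')) . "\n";
```

A host that passes checks 1, 1b, 2 and 2b has done the two things that actually matter; a '[warn]' on the first check means every file PHP writes is owned by a user shared with every other customer, whatever the other settings say. Delete the script once you have read the output.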
There's a simple way to test this security without needing a full understanding of LAMP (Linux/Apache/MySQL/PHP) configuration. Here's a very simple script that you can upload (just save it as filesystem_browser.php):
<?php
if (!isset($_GET['dir'])) $_GET['dir']='.';
$h=@opendir($_GET['dir']); // returns false when the directory cannot be read
if (!$h) return;
$found=array();
while (($f=readdir($h))!==false) $found[]=$f; // collect every directory entry
closedir($h);
sort($found);
foreach ($found as $f) // link into each entry; output is escaped for the browser
  echo '<a href="?dir='.urlencode($_GET['dir'].'/'.$f).'">'.htmlspecialchars($f).'</a><br />';
Load up the script by URL, and see if it lets you browse up the filesystem and then into other hosting accounts.
The script only tests read access. Depending on the server configuration, you might also be able to write to any file in another user's directory that has been given '666' permissions or was originally created by the web server itself. Even without write permission, though, you can probe into the configuration file of whatever PHP software they have installed and find MySQL access details, and then you can easily install phpMyAdmin on your own hosting account and give yourself full read/write access to their database.
It's scary stuff, you probably never imagined security for a website could be so poor, so please make sure you check your host is competent before putting too much faith in them.
I am not exposing any security holes in LAMP software here, but what I am exposing is how inept many web hosts are. Hosting is cheap, they often cannot afford to hire people who have a good understanding of security for a website, so be wary.
This was article 2 of 8 in my "Web industry Exposé" series of blog posts.
If you think it's good advice, please share this link with others. If you think I'm wrong or have something to say, please discuss below.