
A vulnerability in infobox virtual hosting

Not so long ago, I became a client of the infobox company by purchasing their “virtual hosting” service.
Straight to the point: I found a pretty serious vulnerability on this hosting and immediately reported it to tech support.

This vulnerability allows session identifiers to be obtained if:
1. The site uses PHP's standard session support.
2. The site is located on an infobox server to which you have access (i.e., where you also have shared hosting).


I will quote my dialogue with infobox tech support:
2010-07-02 14:52:31 MSK Question from: XXX
Hello again.
PHP session files are stored in the shared folder /home/tmp. Thus, each hosting client can see the names of all saved sessions, as well as the hosting user to whom each session belongs. And since in most cases the name of the session file is the same as the session identifier that PHP uses, you can enter someone else's website under any session from that site by changing the cookie.

For this unauthorized access to other sites to work, the only thing missing is the link between the domain names of the client sites and the client number on infobox.
This link is easy to find: go to the target site and get the session ID. It can be seen in the cookies. Next, determine which infobox server hosts the site. If an intruder has hosting on the same server, he can execute a script with something like this: <?php passthru('ls -la /home/tmp | grep ___'); ?> and find out the customer number. And then, by running <?php passthru('ls -la /home/tmp | grep _'); ?>, learn all the sessions.

2010-07-02 15:47:31 MSK The Leading Technical Support Officer YYY answers you
Hello XXX.

Thank you for the information; it has been passed on to the system administrators.
We will inform you of our position on this issue.

2010-07-02 15:49:08 MSK A ZZZ technical support specialist answers you.
Hello XXX.

The question has been passed on to the system administrators.

2010-07-02 15:56:00 MSK Leading technical support specialist YYY answers
Hello XXX.

The response to your message is as follows:

The method you describe does, of course, work in theory. But there are too many "ifs". That is, in practice, it will not work for anyone. Much depends on how authorization is implemented on the site. If the availability of your session files to others is critical for you, you can use the php.ini settings to hide the sessions in your own home directory.

2010-07-02 15:59:34 MSK Question from: XXX
Well, that's up to you; my job is to tell you =)
I see nothing complicated in replacing /tmp with ~/tmp in the general php.ini file

Tell me then, please, what should I do to override my own php.ini settings?

2010-07-02 16:48:27 MSK Technical support specialist YYY answers you
Hello XXX.

The php.ini file is available in the root of your FTP account.

2010-07-02 16:51:50 MSK Question from: XXX
Thank you. The ticket can be closed, but think about it ... Especially given databases like this one: www.russian-domains.ru/ip-addresses/77.221.130.41 which shows which domains correspond to the IP address ...

2010-07-02 16:53:19 MSK The Leading Technical Support Specialist YYY answers you.
Hello XXX.

> Thank you. Ticket can be closed, but think about it ... Especially
> in the presence of such bases:
> www.russian-domains.ru/ip-addresses/77.221.130.41 in
> which can be seen which domains correspond to the IP address ...

Any search engine will give you all the sites on an IP. There is nothing wrong with that. For absolute security, you can order a dedicated solution where you can change all the necessary settings yourself.


In summary, infobox does not want to fix it. In my opinion, this vulnerability is of simply cosmic scale. Especially given databases like this one: www.russian-domains.ru/ip-addresses/77.221.130.41 where you can see the list of domains on this IP address.

I’ll add that the server where the site is located can be found by running ping %_% and then nslookup %ip____%

So, fellow webmasters hosted on infobox, let's all change the path where sessions are saved. This can be done by changing the php.ini directive "session.save_path". The php.ini file (for infobox clients) is located in the root directory of the FTP account, which is also the user's home directory.
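
One way to confirm the change took effect, as an added example that is not part of the original post: a PHP script that reads the effective session.save_path and warns if the directory lies outside your home directory or can be listed or read by other accounts. The function names and the use of the posix extension are assumptions made for this example.

```php
<?php
// Added example: audit the effective session.save_path on a shared host.
// Assumption: the home directory comes from posix_getpwuid() or, failing that, $HOME.

// session.save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
function session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = trim(end($parts));
    // An empty value makes PHP fall back to the system temp directory.
    return $dir === '' ? sys_get_temp_dir() : $dir;
}

// Returns a list of problems; an empty list means the directory is private.
function audit_session_dir(string $savePath, string $home): array
{
    $dir = session_dir($savePath);
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return ["$dir does not exist or is not a directory"];
    }
    $problems = [];
    $homeReal = realpath($home) ?: $home;
    if (strpos($real . '/', rtrim($homeReal, '/') . '/') !== 0) {
        $problems[] = "$real is outside the home directory $homeReal (shared location)";
    }
    $mode = fileperms($real) & 0777;
    if ($mode & 0077) {
        $problems[] = sprintf('%s has mode %04o: group/other bits expose session files', $real, $mode);
    }
    if (function_exists('posix_geteuid') && fileowner($real) !== posix_geteuid()) {
        $problems[] = "$real is not owned by the user PHP runs as";
    }
    return $problems;
}

$pw = function_exists('posix_getpwuid') ? posix_getpwuid(posix_geteuid()) : false;
$home = $pw ? $pw['dir'] : (string) getenv('HOME');
$problems = audit_session_dir((string) ini_get('session.save_path'), $home);

if ($problems === []) {
    echo "OK: session files are private to this account\n";
} else {
    foreach ($problems as $p) {
        echo "WARN: $p\n";
    }
    // php.ini does not expand "~", so the directive needs the absolute path.
    echo "Fix: create tmp in your home directory with mode 0700 and set session.save_path to its absolute path\n";
}
```

Run it through the web server rather than the command line, since the two can load different php.ini files.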

UPD 05.07: this article is in no way a criticism of the infobox company, nor a complaint that I am afraid for my data. This article is an incentive for those who use infobox virtual hosting to think about the security of their data. Just think and decide: ignore it, or figure out what's what.

Source: https://habr.com/ru/post/98098/

