Date: Tue, 14 Mar 2006 14:43:41 +0100
From: Anders Henke <anders@...lund.de>
To: bugtraq@...urityfocus.com
Subject: Re: Purple Paper: Exegesis Of Virtual Hosts Hacking


Mar 7th, unknown.pentester@...il.com wrote:
> What: Purple paper on discovery and exploitative vhost hacking techniques.
> 
> Whom (target audience): pentesters.

I've hesitated for a few days now with a reply, but this "paper" is
quite useless and gives a distorted view on dedicated and shared
hosting.

This paper gives a very simple view on common vulnerabilities
("unauthenticated administrative interface", "vulnerable scripts")
as well as a short overview on whether $some-security-company might be 
hosted on a shared or on-site server, according to some questionable
criteria ("has one dedicated IP address"), and draws the conclusion that
dedicated hosting is more secure than shared hosting.

There are quite a few companies out there who do shared hosting with
dedicated IP addresses; e.g. if the hosting customer needs an SSL 
enabled web server, there's also the need for a dedicated IP address, 
as the SSL handshake does happen long before the web server knows 
what site is about to be contacted. So according to those
criteria, my personal website (hosted on a shared hosting server along 
with thousands of other users) is seen as "dedicated", just because 
some time ago I installed a self-signed SSL certificate.

Dedicated hosting is a good idea if you do need the flexibility and
features gained by dedicated hosting, you do have the manpower and 
time to support your server and know what you're doing. 
Or in short: who takes care of your dedicated 24x7-online server when 
you're on vacation, sleeping or enjoying the weekend?

I know of at least one case where someone ordered a dedicated server 
in order to get his hands on a live linux system, as he didn't figure 
out how to get a (recent) linux distro installed on his own 
computer.

If dedicated hosting means that oneself or some friend's 15-year-old is 
taking care of the server twice a year beside other things to do, while
your "webmaster" is installing outdated CGI and PHP-scripts, your level
of security is far less than the one of most shared hosting users.

If shared hosting means that every site has a dedicated user per site with
proper filesystem ACLs and CGIs being suexec'd under that (restrictive)
user in a chroot jail, 24x7 staff is running security audits on the
base system, upgrades and hardening on those servers, you're clearly in
much better hands. And if you do make sure that your self-installed
CGIs are secure or you pay someone to regularly audit them for you,
you're at some very high level of security.

I'm working for a company that does offer both dedicated as well as
shared hosting; in short, there is about the same amount of 
security-related issues with dedicated as with shared hosting
customers - at about a thousand times more shared hosting customers 
than dedicated hosting customers.

Out of all security incidents over the last few years, there was not
a single shared hosting incident where the vulnerability couldn't be 
tracked down to a customer-installed insecure CGI/PHP script, while 
its impact was limited to the affected user's CGI execution rights
and the rogue process was killed within a few minutes, so all other 
customers on the same servers always remained secure and unaffected.

On dedicated hosting, the impact of most security issues is usually much 
higher, including privilege escalations or the host becoming a long-term 
node in a botnet or a warez trading network, sometimes even a bot herd.
Most common reasons are known insecure cgi/php script applications and 
exploits via outdated system software.

So conclusion from my point of view: shared hosting on a secured server 
has about the same level of security as a just-installed dedicated server
does offer - but it does maintain that level over a long amount of time.

Security on shared hosting does sacrifice a few "features" (like mod_php 
in favor of suexec'd CGI-PHP) and doesn't have some flexibility you might
wish for some special application, that's why some people do switch to 
dedicated servers - ok.
But you won't gain (much more likely lose) any security if you don't 
have the knowledge and manpower to run your own server or you don't 
spend the necessary time to manage your server correctly.


Regards,

Anders
-- 
Schlund + Partner AG              Systemadministration and Security
Brauerstrasse 48                  v://49.721.91374.50
D-76135 Karlsruhe                 f://49.721.91374.225
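The per-site isolation Anders describes (one dedicated user per site, PHP run as a suexec'd CGI instead of in-process mod_php) can be expressed as an Apache 2.x vhost configuration. This is an added example, not part of the original post or of Schlund's setup; the site name, user/group `site-a`, the paths under `/var/www/example-a/` and the `php-wrapper` script are assumed, and the chroot jail he mentions is not shown here.

```apache
# Weak setting: mod_php runs every site's PHP code inside the Apache
# worker as the shared web server user (e.g. www-data), so a single
# vulnerable script in one vhost can read and write every other site's
# files on the same server.
<VirtualHost *:80>
    ServerName example-a.test
    DocumentRoot /var/www/example-a/htdocs
    AddHandler application/x-httpd-php .php
</VirtualHost>

# Hardened setting (assumed layout): PHP is executed as a CGI via suexec
# under the site's own UNIX user, so a compromised script is limited to
# that user's rights, which matches the incident scope described above.
# suexec only runs the wrapper if it and its directory are owned by
# site-a and are not writable by anyone else.
<VirtualHost *:80>
    ServerName example-a.test
    DocumentRoot /var/www/example-a/htdocs

    # mod_suexec: CGI processes for this vhost run as user/group site-a
    SuexecUserGroup site-a site-a

    # Per-site CGI directory; ScriptAlias marks its contents as CGI scripts.
    # /var/www/example-a/cgi-bin/php-wrapper is a two-line shell script
    # (#!/bin/sh ; exec /usr/bin/php-cgi), mode 0755, owned by site-a.
    ScriptAlias /cgi-bin/ /var/www/example-a/cgi-bin/

    # mod_actions: route every .php file through the suexec'd wrapper
    AddHandler php-cgi .php
    Action php-cgi /cgi-bin/php-wrapper

    # Document root: no directory listings, no in-place CGI execution,
    # and no .htaccess overrides that could re-enable either.
    <Directory /var/www/example-a/htdocs>
        Options -Indexes -ExecCGI
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Each additional site gets its own vhost block with its own `SuexecUserGroup` and its own `cgi-bin`, so filesystem permissions rather than the web server's good behaviour keep customers apart.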