Re: Purple Paper: Exegesis Of Virtual Hosts Hacking
Mar 7th, unknown.pentester@xxxxxxxxx wrote:
> What: Purple paper on discovery and exploitative vhost hacking techniques.
>
> Whom (target audience): pentesters.

I've hesitated for a few days now with a reply, but this "paper" is
quite useless and gives a distorted view on dedicated and shared
hosting.

This paper gives a very simple view on common vulnerabilities
("unauthenticated administrative interface", "vulnerable scripts")
as well as a short overview on whether $some-security-company might be
hosted on a shared or on-site server, according to some questionable
criteria ("has one dedicated IP address") and comes to the conclusion that
dedicated hosting is more secure than shared hosting.

There are quite a few companies out there who do shared hosting with
dedicated IP addresses; e.g. if the hosting customer needs an SSL
enabled web server, there's also the need for a dedicated IP address,
as the SSL handshake does happen long before the web server knows
which site is about to be contacted. So according to those
criteria, my personal website (hosted on a shared hosting server along
with thousands of other users) is being seen as "dedicated", just because
some time ago I installed a self-signed SSL certificate.

Dedicated hosting is a good idea if you do need the flexibility and
features gained by dedicated hosting, you do have the manpower and
time to support your server and know what you're doing.

Or in short: who takes care of your dedicated 24x7-online server when
you're on vacation, sleeping or enjoying the weekend?

I know of at least one case where someone ordered a dedicated server
in order to get hands on a live Linux system, as he didn't figure
out how to get a (recent) Linux distro installed on his own
computer.

If dedicated hosting means that oneself or some friend's 15-year-old is
taking care of the server twice a year beside other things to do, while
your "webmaster" is installing outdated CGI and PHP scripts, your level
of security is far less than the one of most shared hosting users.

If shared hosting means that every site has a dedicated user per site with
proper filesystem ACLs and CGIs being suexec'd under that (restrictive)
user in a chroot jail, 24x7 staff is running security audits on the
base system, upgrades and hardening on those servers, you're clearly in
much better hands. And if you do make sure that your self-installed
CGIs are secure or you pay someone to regularly audit them for you,
you're at some very high level of security.

I'm working for a company that does offer both dedicated as well as
shared hosting; in short, there is about the same amount of
security-related issues with dedicated as with shared hosting
customers - at about a thousand times more shared hosting customers
than dedicated hosting customers.

Out of all security incidents over the last few years, there was not
a single shared hosting incident where the vulnerability couldn't be
tracked down to a customer-installed insecure CGI/PHP script, while
its impact was limited to the affected user's CGI execution rights
and the rogue process was killed within a few minutes, so all other
customers on the same servers always remained secure and unaffected.

On dedicated hosting, the impact of most security issues is usually much
higher, including privilege escalations or the host becoming a long-term
node in a botnet or a warez trading network, sometimes even a bot herd.
Most common reasons are known insecure CGI/PHP script applications and
exploits via outdated system software.

So conclusion from my point of view: shared hosting on a secured server
has about the same level of security as a just-installed dedicated server
does offer - but it does maintain that level over a long amount of time.

Security on shared hosting does sacrifice a few "features" (like mod_php
in favor of suexec'd CGI-PHP) and doesn't have some flexibility you might
wish for some special application, that's why some people do switch to
dedicated servers - ok.

But you won't gain (much more likely lose) any security if you don't
have the knowledge and manpower to run your own server or you don't
spend the necessary time to manage your server correctly.

Regards,
Anders
--
Schlund + Partner AG Systemadministration and Security
Brauerstrasse 48 v://49.721.91374.50
D-76135 Karlsruhe f://49.721.91374.225