  • Caution: HostRocket (In)Security Issues.

    Dear All,

    FYI: Hostrocket permits directory listing by default. This is a big security hole. Their admins tell me that this is their policy.

    You must add this directive in your .htaccess file in your public_html root directory:

    Code:
    Options -Indexes

    Our vB site was never hacked when it was hosted on my server (many years, since 1.something), but since moving to hostrocket (shared) it has been hacked twice.

    Caution!

    Hostrocket says: "This setting was decided by our server administrators due to the confusion caused when a new hosting account was created and a "Forbidden" error message was displayed when they attempted to access the website. Due to the support costs associated with explaining the error message, a decision was made several years ago to set the default environment, permissions, and directory listing setting, to the settings they are currently at."
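    The directive above, in context: an added example of a public_html .htaccess that turns listings off and also refuses the files a listing would have revealed. This is not HostRocket's or vBulletin's configuration. It assumes Apache 2.4 (mod_authz_core) and that the host's AllowOverride permits Options, Limit and AuthConfig in .htaccess; on Apache 2.2 replace "Require all denied" with "Order allow,deny" followed by "Deny from all". The admincp path and the .htpasswd location are assumptions.

```apache
# --- public_html/.htaccess (added example, not the host's own config) ---

# 1. Stop mod_autoindex from generating a listing for any directory that
#    has no index file. Such a request now returns 403 instead of a listing.
Options -Indexes

# 2. A listing is only the map; also deny the files it would have pointed at.
#    Editor backups, dumps, logs and the .ht* files themselves should never
#    be served, even to someone who guesses the exact name.
<FilesMatch "(^\.ht|\.(bak|old|orig|sql|log|inc)$|~$)">
    Require all denied
</FilesMatch>

# --- public_html/admincp/.htaccess (assumed admin panel path) ---
# Protect the admin area with HTTP authentication in addition to the
# application's own login. Keep the password file outside public_html.
AuthType Basic
AuthName "Forum administration"
AuthUserFile /home/example/.htpasswd
Require valid-user
```

    After uploading, request a directory that has no index file (for example an images or uploads directory) and confirm you get 403 Forbidden rather than "Index of /..."; then request a name matching the FilesMatch pattern, such as config.php.bak, and confirm it is also refused.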

  • #2
    I don't see what the big deal about directory listing by default is?



    • #3
      Interesting Zack,

      BEA and many other firms consider this vulnerability one of the "highest degrees of urgency" .... for example:

      http://dev2dev.bea.com/pub/advisory/37

      The net is full of explanations on why this is so critical. You can google on keywords like "directory listing" security vulnerability, if you are really interested.



      • #4
        Product(s) Affected: BEA WebLogic Server and Express Version 6.0

        That's not exactly apache, or IIS.

        I personally see no serious security issue, nor am I aware of who the BEA are.



        • #5
          Hi Zack,

          What's up with your replies?

          The BEA example is just one example of many advisories about the risk of listing directories on web servers.

          Any net rookie can google on the risks of directory listings. I don't think I need to google for you, do I?

          Your posts show you have very little knowledge of computer security, if you think permitting directory listings is OK. You may be one of a handful of people on the net who feel that way, in fact.

          BTW, the host we used to be on (on Hostrocket) has a root kit installed by hackers. Go tell them that permitting directory listings is not a security issue, LOL.

          I kindly suggest you do your homework on computer security.

          (It is well known that having the ability to list directories provides a high risk avenue for hackers to view files. Many files have sensitive info, like passwords and more).
          Last edited by silkroad; Sat 16 Jun '07, 9:06am.



          • #6
            Security through obscurity is not security. I did google it; most of the pages I found are 2-4 years old and all of the security risks are listed as minimal. Any files that contain sensitive information that could be accessed directly by the web for some odd reason (given plaintext/html pages) should be protected some other way. Just because directory listings are disabled won't mean they cannot find another way at that page.



            • #7
              Originally posted by Zachary
              Security through obscurity is not security.
              I agree 110%. Just because you hide something doesn't mean it can't be found.

              silkroad, no offense, but you are a bit paranoid. Granted, any person concerned with security should have some level of paranoia, but this is a bit off the chart.

              1.) Directory listing, in my opinion, is not really a security risk. If the "hacker" knows what scripts you are running on your website (e.g. vBulletin or phpBB forum), then they already have a starting point for researching exploits and vulnerabilities.

              2.) You are coming to a forum and just because someone doesn't agree with you, you decide to insult their intelligence by degrading them based on what you feel their knowledge of computer security should be. In fact, it's you who seems to be the one lacking knowledge.

              Originally posted by silkroad
              BEA and many other firms consider this vulnerability one of the "highest degrees of urgency" .... for example:
              Actually, the "Threat Level" is "Low." Can you please tell me where the "highest degree of urgency" part came in?

              3.) Once again, I agree with Zach:

              Originally posted by Zachary
              Any files that contain sensitive information that could be accessed directly by the web for some odd reason (given plaintext/html pages) should be protected some other way.
              If it's script files, make sure the proper permissions are set. In addition, admin files or something of that nature, put in a protected directory. And of course, always keep your software up-to-date.

              The exploits that I would be concerned about would be SQL injections and related vulnerabilities. In regards to Google, yeah, you can find anything. FP exploits: type in the folder names in Google.

              Google and other search engines only pick up what you tell them to. There is such a thing as "noindex,nofollow" tags you can use in your meta headers. If you don't want a directory to be indexed, you can create a robots.txt file to tell it what to follow and what to index.



              • #8
                I don't know enough about this to know if that creates a problem or not, but I have noticed that there is an unusually high percentage of the people, including myself, who are having problems with continually being hacked who are hosted on HostRocket. I am reading this thread trying to get ideas on a new host in the hopes it might solve my problems.



                • #9
                  Originally posted by silkroad View Post
                  (It is well known that having the ability to list directories provides a high risk avenue for hackers to view files. Many files have sensitive info, like passwords and more).
                  That's not a vulnerability due to directory listings, that's a vulnerability due to stupidity.

                  A directory listing poses no more risk than the contents of the files you have in the directory.



                  • #10
                    If you're worried about the security of host-rocket, don't buy them. Good luck trying to find a host that does not do directory listing by default.

                    Vbulletin has an index.html that does the same exact thing as what you are recommending: it forces the browser to load a blank page.

                    Xodus
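                    The thread describes three things a request for a directory can come back as: an Apache-generated listing (the HostRocket default), a 403 after Options -Indexes, or a blank placeholder index.html as vBulletin ships. The following is an added example, not code from the thread, from vBulletin or from HostRocket, that tells those three cases apart so you can audit your own paths offline; the response bodies are constructed to mimic mod_autoindex output and are not captures from any real host.

```python
"""Classify HTTP responses for directory-listing exposure.

Added example for the thread above; not code from the original posts,
from vBulletin or from HostRocket.  Runs offline over constructed bodies
that mimic (a) Apache mod_autoindex output, (b) the 403 that
Options -Indexes yields for a directory without an index file, and
(c) a blank placeholder index.html.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Response(NamedTuple):
    status: int
    content_type: str
    body: str


# Strings mod_autoindex emits in a generated listing.  Requiring both the
# "Index of" title and a table marker keeps an ordinary page that happens to
# be titled "Index of ..." from being flagged.
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.I)
AUTOINDEX_MARKERS = ("Parent Directory", 'href="?C=N;O=D"', "Last modified")


def classify(resp: Response) -> str:
    """Return 'listing', 'forbidden', 'blank-index' or 'content'."""
    if resp.status == 403:
        return "forbidden"  # what Options -Indexes produces
    if resp.status != 200 or "text/html" not in resp.content_type.lower():
        return "content"
    if AUTOINDEX_TITLE.search(resp.body) and any(
        m in resp.body for m in AUTOINDEX_MARKERS
    ):
        return "listing"
    # Placeholder index.html with no visible text (the vBulletin approach).
    if not re.sub(r"<[^>]+>", "", resp.body).strip():
        return "blank-index"
    return "content"


def listed_entries(body: str) -> list[str]:
    """Names an autoindex page exposes, minus sort links and the parent link."""
    hrefs = re.findall(r'<a href="([^"]+)">', body)
    return [h for h in hrefs if not h.startswith(("?", "/"))]


def audit(samples: dict[str, Response]) -> dict[str, str]:
    """Map each probed path to its classification."""
    return {path: classify(resp) for path, resp in samples.items()}


# Constructed samples (not captured from any real host).
LISTING = Response(200, "text/html;charset=ISO-8859-1", """\
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /includes</title></head><body>
<h1>Index of /includes</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="config.php.bak">config.php.bak</a></td><td>2007-06-15 09:10</td></tr>
<tr><td><a href="functions.php">functions.php</a></td><td>2007-06-15 09:10</td></tr>
</table></body></html>
""")
FORBIDDEN = Response(403, "text/html",
                     "<html><head><title>403 Forbidden</title></head><body>"
                     "<h1>Forbidden</h1><p>You don't have permission to access "
                     "/includes/ on this server.</p></body></html>")
BLANK = Response(200, "text/html",
                 "<html><head><title></title></head><body></body></html>")

SAMPLES = {"/includes/": LISTING, "/admincp/": FORBIDDEN, "/images/": BLANK}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        line = f"{path:12} {verdict}"
        if verdict == "listing":
            line += "  exposes: " + ", ".join(listed_entries(SAMPLES[path].body))
        print(line)
```

                    To use it against a real site, fetch each directory URL you care about (every directory under public_html that has no index file is a candidate) with any HTTP client, wrap the status, Content-Type and body in a Response, and run audit(). A "listing" verdict for a path means mod_autoindex is on for it; the names returned by listed_entries() are what a visitor, or a search engine, can see without guessing.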
