Shared Hosting And Security Vulnerability
Many web developers first learn to program on shared hosting, whether the service is provided by an ISP or by a separate entity. While handling scripts in this type of environment is fairly easy, a number of security issues can arise. Familiarizing yourself with these challenges will help you implement better security for your site and understand how a shared web server actually functions.
Basis of a Shared Server
Shared servers offer some of the most affordable hosting available, primarily because several clients host their sites on a single server and share its cost. Usually, each website owner on the machine has a user account which gives them access to the server. They can log in and upload text files, images and other content required to build their website. Although server space and resources are shared, this type of hosting normally provides a reliable service with quality features.
The Problem with Apache
The average shared server has at least one Apache web server running on it, along with PHP or executable CGI scripts. That copy of Apache handles all incoming HTTP requests for every site on the server. To serve your website to the world, Apache must be able to read your HTML and CSS files, PHP scripts, images and so forth. Web-based applications such as blogging software and content management systems also require write access to the directories of your website.
Read and write access is typically granted by configuring group permissions on a specific file or directory. Each user account and the Apache server are essentially members of the same group. An FTP daemon is often set up by default to give the group read access to all files uploaded to the server, enabling Apache to serve the websites.
The copy of Apache runs as a single user regardless of which site is being served. As that single user, it has read access to every site on the shared server. More than likely, it also has write access to most, if not all, of these sites. Because of this structure, an intruder only has to break into a single site on the server, which in turn gives them access to every other site hosted on the machine.
Here is the most intriguing part of all. The intruder doesn't necessarily have to break into the server. All they have to do is sign up as a web hosting client, purchase a legitimate account and upload scripts that give them access to other sites on the server. Someone with enough skill can easily steal any data they want while going undetected. How is this possible? The answer is simple - the uploaded content is executed by Apache, which has access to all files for every site hosted on the server. This includes all PHP scripts that contain usernames and passwords for sensitive MySQL databases.
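The group-permission model described above can be checked from your own account. The following Python script is an added example, not code from the original article: it walks a document root and reports entries that are group- or world-writable, plus PHP files readable by group or other. The function names and the sample file names and modes are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def audit_docroot(root):
    """Map relative path -> list of permission issues found under root."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            issues = []
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if mode & stat.S_IWGRP:
                issues.append("group-writable")
            # PHP source is where database usernames and passwords usually live
            if (stat.S_ISREG(mode) and name.endswith(".php")
                    and mode & (stat.S_IRGRP | stat.S_IROTH)):
                issues.append("php-readable-by-group-or-other")
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings


def build_sample(root):
    """Create a constructed sample tree (hypothetical names and modes)."""
    layout = {"index.html": 0o644, "config.php": 0o640, "private.php": 0o600}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # chmod is not affected by the umask
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, issues in sorted(audit_docroot(tmp).items()):
            print(f"{rel}: {', '.join(issues)}")
```

On a host where Apache reaches your files through a shared group, a group-readable PHP file is expected; the report then shows exactly which credential-bearing files every other member of that group can also read.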
Final Thoughts
The purpose of this article is not to deter you from shared hosting, only to inform. A number of companies providing shared hosting have gone to great lengths to provide reliable service. Nevertheless, the vulnerabilities are real and continue to exist. For this reason, it is imperative that you ask a particular host what measures they have taken to prevent exploitation of PHP and Apache.