On Thursday, a provider on LowEndTalk noticed that another provider’s web server was misconfigured. Specifically, the PHP handler was borked, which means that instead of processing the PHP and executing it as a script (the normal behavior), it simply dumped the text of the PHP script to the web browser.
Ouch.
Specifically because WHMCS’s stores its configuration info in a file called configuration.php, what became visible were things like database credentials, WHMCS config, etc.
The provider who screwed up was @Calin of iHostART. The provider noticing this was @FlorinMarian, who runs hazi.ro.
@FlorinMarian then posted on LowEndTalk:
I frequently check the website of my competitors to see what changes they come up with.
It seems that the ART did not have a PHP interpreter and the PHP files were downloaded raw.
I know that I will get haters for this post, but it was not good for me either to see my infrastructure down and my friend to like each of my haters every time.
…and included screenshots of the configuration.php exposing all the details. There was some minimal blacking out of parts of passwords and hashes, but a lot of details were shared in public.
The biggest risk here is not that someone would access this database over the Internet. Typically, direct DB access is closed off. But if someone already has a VPS with iHostART and is trying to access from “inside” iHostART’s network, the risk is very real. (Best practice would be to only allow access to the DB from the WHMCS app server, or colocate the DB on the app server and only allow local non-network connections).
Regardless of theoretical exploits, it’s a disastrous leak.
The Background
@FlorinMarian and @Calin are rivals in a commercial sense, and they’ve sparred a bit on LowEndTalk. They’re both offering service in the red-hot Romanian hosting market.
@FlorinMarian has had some DDoS attacks and I think at one point he was blaming @Calin though I don’t remember seeing any evidence posted (someone correct me in the comments on this if I’m wrong).
Now, imagine you’re @FlorinMarian. You’re checking up on your competitor’s web site, which in itself is perfectly normal. All providers do this. You stumble upon a misconfiguration that exposes the provider’s infrastructure. What do you do?
You could, of course, ignore the problem. After all, it’s not your job to monitor and alert a competitor that they’ve forgotten to lock their back door.
But the right thing to do – and certainly the classier thing to do – would be to privately notify the provider. This allows them to rectify the issue. Then you could post a comment on LowEndTalk saying “by the way, this happened” because pointing out that a provider is incredibly sloppy with their security is fair game.
The Wrong Thing to Do
Just posting the creds is wrong.
First, you’re putting all iHostART’s clients at risk. These are innocent members of the public. This is like running a bank and noticing that another bank has forgotten to lock its vault – do you really want that bank’s customers to lose their money?
Second, it runs counter to widely-accepted IT culture where you notify privately and allow time for remediation before you advertise. That’s how exploits are handled.
Finally, it just looks very petty. You want to compete based on service, price, etc. not low blows like this.
The Community’s Reaction Was Swift
The very first comment on the thread looked like this:
Some other typical comments:
@Calin replied:
To be clear, @FlorinMarian did not first notify @Calin:
At the 25th minute I did the post and at the 32nd minute I wrote to him privately.
The thread blew up to over 540 comments last I looked.
The Inevitable…
Sometimes people on LET say that the staff will allow any scam or bad behavior as long as people pay for their Provider Tag. This episode shows how false this is:
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
- RackNerd Now Accepting Payments via USDT TRC-20, USDC-TRC20, TRX, BTC, LTC, ETH, and More Across Ethereum (ERC-20), Polygon, Solana, Tron (TRC-20) Networks - April 27, 2024
- Level Up Your Marketing and Social Media with These FREE Courses on Udemy! - April 26, 2024
- FLASH SALE: Cheap cPanel Shared Hosting from eWallHost for $7.97/YEAR! - April 24, 2024
Leave a Reply