Host My Site servers compromised and accounts locked
Many Hostmysite.com customers found themselves locked out of FTP and left in the dark while HMS staff battled to identify and respond to successful attacks on some of their shared ColdFusion servers. According to an HMS representative:
"On the night of June 19th, we discovered a potential security flaw in our shared ColdFusion environment. This flaw would allow for 2 major problems:
- Privilege escalation to that of system administrator
- Circumventing the sandbox security that was already in place
Upon discovering the problem we took immediate (albeit drastic) action, which was to disable FTP services on several shared ColdFusion servers that were affected. Over the course of the following 72 hours, we made a number of security changes to our shared environments. These changes included, but are not limited to:
- Internal firewall policy changes
- Hotfixes were installed on ColdFusion 7 and 8 servers
- Several shared servers migrated to new hardware with clean operating systems
- Disabling of certain ColdFusion features (such as the ability to parse JSP)
- Complete audit of sandbox security
  - Sandboxes were added where missing, and existing sandboxes were audited to verify that cfexecute and cfregistry were in fact disabled"
With these servers compromised, HMS had to rebuild them on new hardware with clean operating systems, and limited the impact to the affected applications and websites only. A painful experience for everyone involved, and one we hope HMS or any other large ColdFusion web host doesn't have to suffer again in the near future.
Comments
Bradley Moore wrote on 07/21/09 12:43 AM
Shared CF hosting security is fun. The really disturbing part is that all application scopes on an instance of CF are visible to anyone on the same instance. Be sure not to store any sensitive information (logins, passwords, datasources, etc.) in the application scope.
Application variables can be modified by an attacker, but the reserved Application.cfc functions are reparsed on every request. If you create your own functions in the application scope, those can be overridden.
The best way I've found around this issue is to store sensitive values in the request scope using the onRequest function. However, this approach kills persistence.
I haven't looked into this issue since I moved to a VPS running Railo, but I never found a way to keep persistent data on a shared host and ensure security.
/end ramble, hopefully that makes sense
Admin wrote on 07/21/09 2:16 AM
Bradley, you've highlighted an important issue for shared hosting that a lot of CF developers are not aware of. I would like to eventually do a security comparison of the three CFML engines, and this would be the first thing I would report on as it's such a serious flaw. Usually I do a couple of things to reduce the risk, including:
- try to make your app name unique, e.g. use your file path + datestamp (helps against casual attack or accidents only)
- don't store DSN login details in the application scope, and if you need to cache passwords then store a hash instead
- do as you have suggested and store DSN and other sensitive vars in the request scope
It's a pity that by version 8, ColdFusion had not fully addressed the security concerns of a shared hosting environment. And separate instances for every website are just not feasible for a host whose customers think $49 per month for a CF account is expensive :P
Cheers, Mike G.
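Bradley's and Mike's advice above, combined into one Application.cfc as an added example (not code from the post, from HMS, or from either commenter). It uses onRequestStart rather than onRequest, and assumes ColdFusion 8 or later plus a JSON secrets file at a placeholder path outside the web root.

```cfml
<!--- Application.cfc (added example; not code from the post, from HMS or from the commenters).
      Assumes ColdFusion 8 or later and a config file ../config/dsn.json outside the web root
      (placeholder path) containing {"user":"...","password":"...","adminKey":"..."}. --->
<cfcomponent output="false">

    <!--- Unique application name: directory path plus a date stamp, hashed so it is not
          guessable from the folder layout. This only raises the bar: any tenant on the
          same instance who learns the name can still read the scope. --->
    <cfset this.name = left(hash(getDirectoryFromPath(getCurrentTemplatePath()) & "2009-07-21", "SHA-256"), 32)>
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <!--- Read the secrets file fresh each time it is needed; nothing is cached in plain text. --->
    <cffunction name="readConfig" access="private" returntype="struct" output="false">
        <cfset var raw = "">
        <cffile action="read" file="#expandPath('../config/dsn.json')#" variable="raw">
        <cfreturn deserializeJSON(raw)>
    </cffunction>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset var cfg = readConfig()>
        <!--- Weak (what the comments warn against): caching a credential here exposes it to
              every other application on the shared instance.
              <cfset application.dsnPassword = cfg.password> --->
        <!--- Hardened: cache only non-sensitive state and, where a credential must be checked
              later, a salted hash of it rather than the credential itself. No UDFs either,
              since cached functions can be overridden by another tenant. --->
        <cfset application.siteTitle = "Example site">
        <cfset application.adminKeySalt = hash(createUUID(), "SHA-256")>
        <cfset application.adminKeyHash = hash(application.adminKeySalt & cfg.adminKey, "SHA-256")>
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Hardened: DSN credentials live only in the request scope, re-read on every
              request, so they never persist in memory shared with other tenants. --->
        <cfset var cfg = readConfig()>
        <cfset request.dsn = { name = "siteDSN", user = cfg.user, password = cfg.password }>
        <cfreturn true>
    </cffunction>

    <!--- Check a presented admin key against the cached hash, never against a stored secret. --->
    <cffunction name="isValidAdminKey" returntype="boolean" output="false">
        <cfargument name="candidate" type="string" required="true">
        <cfreturn hash(application.adminKeySalt & arguments.candidate, "SHA-256") EQ application.adminKeyHash>
    </cffunction>

</cfcomponent>
```

Pages then pass `request.dsn.user` and `request.dsn.password` to cfquery's username and password attributes instead of reading them from the application scope.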
Admin wrote on 07/23/09 12:38 AM
We have added a new post to detail the unnamed application vulnerability here: http://www.coldfusionsecurity.org/post.cfm/application-vars-vulnerable-on-shared-hosting
James Beuthling wrote on 08/08/09 9:21 PM
It's not just Host My Site that gets hacked. My GoDaddy account keeps getting hacked too. Some idiot keeps leaving freakin' iframes in my damn index page. And a few months ago another idiot, some character by the name of (mohammad), replaced all my index.htm files with a garbage page. Doesn't matter - if your site looks good they'll mess with it. Ever played online games? Same thing, the hackers are nubs - aaaarrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr.