.

Web Hosting Services and Web Site / Web Application Vulnerability

<<

morpheus063

User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Sun Apr 26, 2009 8:40 pm

Web Hosting Services and Web Site / Web Application Vulnerability

I would like to have some inputs from you all on the following scenario.

A web site / application is hosted with a web hosting service provider (HSP). However, there is vulnerability in the web site that gets exploited and the sites functionality is affected. Whenever a end user is visiting the website, some malicious code is called from a remote malicious website. Note that the malicious code is not stored on the hosting service provider’s server.

Under such a scenario, does the HSP provide any kind of support to analyze the website / code and rectify the issue? I know most of the answer is going to be – “It depends on the agreement with the HSP”. However, there is no specific agreement other than the standard hosting agreement exists between the HSP and the client. I have come across people saying that the client is paying to the HSP, so they are supposed to help remove the vulnerability. I believe, the scenario is clear.
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

jimbob

Post Mon Apr 27, 2009 4:23 am

Re: Web Hosting Services and Web Site / Web Application Vulnerability

Hi,
Hosting providers generally do not provide any such assistance to their customers. Providing hosting is after all very different to providing application support. I'm my experience the response is to do nothing at all, to notifty the customer or to suspend the hosting account.

Jimbob
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Mon Apr 27, 2009 10:52 am

Re: Web Hosting Services and Web Site / Web Application Vulnerability

I agree jimbob.

Assuming the client wrote the website, then the vulnerability is theirs and they would (should) fix it.
twitter.com/timmedin | http://blog.securitywhole.com
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Mon Apr 27, 2009 11:32 am

Re: Web Hosting Services and Web Site / Web Application Vulnerability

Yup, I'm going to agree with Jimbob as well. The hosting provider is not going to spend the time/effort to analyze the code of one of their customers to find out where/why a vulnerability exists. This costs them time (money) and they may not have the expertise to do a proper code review.

Also as Jimbob mentioned, the likely action for the hosting provider is to choose one of those 3 options. Most often, they suspend the account (as that also "fixes" the vulnerability), especially if the vulnerability in question is found to effect other hosting customers.
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Mon May 11, 2009 6:27 pm

Re: Web Hosting Services and Web Site / Web Application Vulnerability

I'm with everyone else on this with one major caveat.

As a client, you are most likely on a shared server.  If the hosting provider doesn't have a secure setup (and many don't), a vulnerability in one user's site that provides a shell escape can impact every user on the box.

I've seen cases where a client's site was defaced.  I looked at the server via SSH and was able to determine (pretty quickly) that other sites on the same server had been compromised as well.  Without root access (which the hosting provider obviously didn't give me) I can't say for sure which site was the compromise vector but everyone was impacted.

Sure hosting providers could provide each client their own "server" with virtualization, but this brings new challenges (particularly with resource  monitoring).  I would also say that any company that can't configure shared hosting boxes more securely certainly isn't up to the task with virtualization.

Basically, if one client is screwing up other clients, it is the hoster's responsibility to either help the offending client or get them off the box.  They've likely expended all the work to find the offending client (and what security problem they're having), seems like a perfect opportunity to fix it for a nominal fee (especially if the alternative is expulsion).
Last edited by former33t on Mon May 11, 2009 6:30 pm, edited 1 time in total.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

W3bWarl0cK

Newbie
Newbie

Posts: 9

Joined: Wed Apr 08, 2009 1:31 am

Post Mon Jun 08, 2009 1:34 pm

Re: Web Hosting Services and Web Site / Web Application Vulnerability

timmedin wrote:I agree jimbob.

Assuming the client wrote the website, then the vulnerability is theirs and they would (should) fix it.


Generally, this is how it would work. The HSP is responsible for nothing more than the hosting, anything that's done with the applications that are run on the server is the responsibility of the client.

I would imagine that if the exploit causes server-wide damage, the HSP would take more interest as it would affect more that just the one client.

Return to Other

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software