3

I use a commercial web host. When I log in via regular FTP, this is what the directories look like:

dir structure

It seems strange that I can access system files; I thought I would be limited to accessing files below my user folder or web root folder (which is within "customers"). Does my webhost have a security issue, or is it normal?

Anders
oivind

3 Answers

1

Calling this a security issue is probably too loud. Hiding the system files is only obfuscation, and we all know that obfuscation is not one of the best security practices.

But on the other hand, the least privilege rule is. That means a user or an account should only be allowed the access that is required for its job or contract. Here, clearly, you would have no reason to be able to browse the root folder.

I still would not call it a security issue, unless you are able to look at the data of other customers (because that means that they can also access yours), but it is probably a hint that the administrator is not really attentive to the best security rules. As such, this is a hint that other more serious security issues could exist on this webhost.

But anyway, it is only a hint, not evidence.

Serge Ballesta
0

Is it a security issue? If you can disclose information of other clients or system files then it might be considered as a potential loss of confidentiality. It's a good practice to jail a user inside their folder and not allow him to browse out.

One of the arguments is that it becomes less easy to discover information on the machine on which your system is running, thus making it harder for someone that wants to find a potential exploit.

Lucas Kauffman
0

I'd suggest that this is a security issue for a number of reasons. I'm assuming here that your account is a shared webhosting account (i.e. you don't pay for the whole virtual machine).

  1. You don't specify whether after logging in over FTP you can download/upload to directories outside your webroot. If you can, that's bad, as an attacker with that access might be able to use that to retrieve others' data or modify the configuration of the system. FWIW, I wouldn't suggest you try that out as it could be uncharitably described as unauthorised system access.
  2. Even assuming that you can't currently get unauthorised access to other data on the host, providing you visibility of it increases the risk that a later configuration mistake could have serious consequences. For example, someone runs chmod 777 * in a directory to fix a problem and then forgets to change the permissions back at a later date. By exposing the system files unnecessarily, the hoster is decreasing the overall security provided.

Ideally what they should be doing is using some form of chroot jail to restrict you to only seeing files that are part of your website.

Rory McCune
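The combination described in the last answer (an unjailed FTP view plus a forgotten `chmod 777`) can be audited from the hosting side. The following is an added example, not code from any of the answers: it evaluates POSIX mode bits for a hypothetical customer uid and lists the files outside that customer's home that the account could read or write. The function names and the sample tree are constructed for illustration.

```python
import os
import stat

def access_bits(st, uid, gids):
    """rwx bits (0-7) that the classic POSIX mode grants to uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def exposure_outside_home(root, home, uid, gids=frozenset()):
    """Sorted (path, 'r'|'w'|'rw') for regular files outside `home` that the
    account could open. Mode bits only: ACLs and SELinux/AppArmor are ignored
    (assumption). Run as an administrator who can list every directory."""
    home, findings = os.path.realpath(home), []
    stack = [os.path.realpath(root)]
    while stack:
        directory = stack.pop()
        if directory == home:
            continue  # the customer's own tree is not an exposure
        # Listing needs r, entering needs x; otherwise the subtree is opaque.
        if (access_bits(os.lstat(directory), uid, gids) & 5) != 5:
            continue
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode):
                stack.append(path)
            elif stat.S_ISREG(st.st_mode):
                bits = access_bits(st, uid, gids)
                flags = ("r" if bits & 4 else "") + ("w" if bits & 2 else "")
                if flags:
                    findings.append((path, flags))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; bob's file carries the `chmod 777` mistake."""
    tree = [("customers/", 0o755), ("customers/alice/", 0o755),
            ("customers/alice/index.html", 0o644), ("customers/bob/", 0o755),
            ("customers/bob/config.php", 0o777), ("customers/carol/", 0o700),
            ("customers/carol/notes.txt", 0o644), ("etc/", 0o755),
            ("etc/passwd", 0o644), ("etc/shadow", 0o600)]
    os.chmod(root, 0o755)
    for rel, mode in tree:
        path = os.path.join(root, rel)
        os.mkdir(path) if rel.endswith("/") else open(path, "w").close()
        os.chmod(path, mode)
```

Passing the customer's home as `root` models the chroot jail: the walk then has nothing outside the home to report.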