Hi NG,

Any user having a web site on the ehosting.ca (mecca.ca) server can read
anybody else's source code, ASP files, connection strings and all. I could. I
tried to warn the administration of this flaw, but they not only don't
understand their problem but belligerently defend their incompetence. No
wonder they don't warn their customers about it. Because, first, they didn't
even realize it and, when I told them about it, they blamed me for having
tried to hack. They think security means only preventing script execution
rights on user account folders, and have been giving "Read" access to
"Everyone" in order that their system could get directory listings!! Later
on they said that they had made a typo, and that they're giving read rights
not to "Everyone" but to the "IIS-User" system user account. It doesn't change
the fact that the users can read each other's files. After my warnings, they
might have improved the security level on the host, but from their record,
you can't be very secure. So be warned.

After all, I felt forced to cancel my membership (on Nov 06, 2004; see below).

When I created the FSO page back in 2000 the idea looked pretty new to me:
you write down the virtual path to a dummy folder on my site and can read
the directory listing. Then you double-click on a subfolder and get its
listing. Double-click on a filename and (if ASCII) it opens in another
page, where you can edit and save it (in theory). And I put it on my free site
at brinkster.com as a demo (www11.brinkster.cm/Nersessian/; registration is
needed to see some files and their sources; only the English part is more or
less functional. I'm trying to set up a new site). Now this type of
application is being used on many servers. Brinkster.com gives the warning
that the free sites are insecure, and so does 1asphost.com, where the FSO
doesn't exist at all on free sites. All is done to encourage paid membership.
Here, on ehosting.ca, with paid membership, users have the same or less
security as on brinkster.com with free hosting. So when I uploaded this file,
I was 100% sure it would not allow me to go above my own folder, but it did,
successfully.

Below I include my response to one of the administrator's messages to me
(after I also got a "Hello there" message from biling@mecca.ca informing
me that a full refund in that company means less than 40% of the membership
fee!!):

//***********************************************************

What you're doing endangers your clients' and their users' private
information. I suggest you read Microsoft's public web server security
guidelines again. Your interpretation of those guidelines is very peculiar,
to say the least.

1. It is absolutely unimportant that other users cannot execute scripts in my
account. If "Everyone" can read in my account, the real hackers will be
"executing" my users' identities and their credit card numbers on their bank
accounts, not scripts on my account. I hope you can figure out how they get
that information, once they can read your clients' files.
2. Even if the system has to read in account folders, there is a user called
SYSTEM. You could give it read rights. Not to Everyone.
3. I don't think that you even have a 'Clients' (or whatever) user group for
clients, or know how and for what to apply it, if you give Everyone read
rights.
4. You are not warning your clients about the security hazards to which they
and their users subject themselves by accepting your hosting services.

Although this email will efficiently help you improve security on your
hosting server, I don't expect to receive apologies or gratitude from you.
But I will think over whether to warn your clients about your incompetence
regarding their accounts' security and whether to take further action.

Regards, AN

Mecca Administration <admin@mecca.ca> wrote:
Hello,

Well "Everyone" write access is disabled on c:\clients folder and you
cannot use a web based script to write data to other clients' folders.

We must enable "Everyone" read access so that other server components
can read the directory and file listings. Keep in mind that we had
followed Microsoft's public web server security guideline closely when we
implemented the security structure a few years ago.

If you want to have a very secure server environment, please consider
our dedicated server hosting.

Also keep in mind that according to the TOS, subscribers are not allowed
to hack into our systems:

3.1 The Subscriber will not hack, break into, access or use or attempt
to hack, break into, access or use any part of the Services, its
content and/or any data areas on Mecca's server(s) for which the
Subscriber has not been authorized by Mecca.

However, should you decide to call off our hosting service, please
confirm your decision before November 08, 2004 (note that you can only
request the refund within 14 days of purchase). Cancellation requests
submitted after this day will not be counted within our 14-day money-back
guarantee period and thus, no full refund MINUS $15 administration fee
(plus any applicable cheque handling charge) will be issued.

Best regards,
Systems Operations

/***************************************************************************
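As an added example (my own, not code from the post or from the hosting provider), a PowerShell audit for the setting this thread is about: it walks the per-client folders under C:\clients, the path the admin's reply names, and reports any principal that can read more than one client's folder or is a catch-all such as Everyone, which is exactly what let an FSO script list other clients' files. The trusted-admin list and the IUSR_site1 account name in the fix are assumptions.

```powershell
# Added audit (not from the post or the provider). Assumes one folder per
# client under C:\clients, as the admin's reply describes; the trusted
# account list is an assumption and may need the hoster's own accounts.
param(
    [string]$ClientsRoot = 'C:\clients',
    [string[]]$TrustedAdmins = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)
# Principals that every client's script ends up running as or belonging to.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')

# Map principal -> client folders it may read (Allow ACE with ReadData/
# ListDirectory, bit 1, which is contained in Read, ReadAndExecute, Modify
# and FullControl; generic rights such as GENERIC_READ are not decoded).
$readers = @{}
foreach ($dir in Get-ChildItem -Path $ClientsRoot -Directory) {
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band 1) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        if ($TrustedAdmins -contains $id) { continue }
        if (-not $readers.ContainsKey($id)) { $readers[$id] = @() }
        $readers[$id] += $dir.FullName
    }
}

# A broad principal anywhere, or any one account readable across more than
# one client folder (a shared IIS anonymous user, say), is cross-tenant read.
$findings = foreach ($id in $readers.Keys) {
    $folders = $readers[$id]
    if (($BroadPrincipals -contains $id) -or ($folders.Count -gt 1)) {
        [pscustomobject]@{
            Principal = $id
            Folders   = $folders.Count
            Example   = $folders[0]
        }
    }
}

if ($findings) {
    $findings | Sort-Object Folders -Descending | Format-Table -AutoSize
    Write-Warning "Cross-tenant read access found under $ClientsRoot."
} else {
    Write-Host "Each client folder is readable only by its own account."
}
# Per-site fix (account name assumed): stop inheriting the broad ACE and
# grant read/execute on the folder only to that site's own anonymous user:
#   icacls C:\clients\site1 /inheritance:r /grant "SYSTEM:(OI)(CI)F" "IUSR_site1:(OI)(CI)RX"
```

Run it as an administrator on the hosting server; a folder whose only readers are SYSTEM, Administrators and its own site account produces no finding.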