There is a wide range of articles on the internet detailing the specific security issues associated with shared hosting. This article is not intended as a technical guide to those issues but as a basic warning to new webmasters and website customers. At the end of the article is a list of links to articles that deal with more specific issues.
A shared host is a single server that runs the domains of many different customers. This is convenient in many ways, and it reduces the cost of hosting because the host spreads the cost of one machine across many client domains. A dedicated server, by contrast, serves a single customer. For example, a shared host might be home to MyProductOne.com, MyProductSiteTwo.org and YourFriendsSiteTen.info; a dedicated server would host at most one of those domains.
The problem with a shared host is that it opens security holes that realistically cannot be closed completely, especially if each domain can run scripts (programs written in languages such as PHP, Perl or ASP) or has shell access. If the domains have shell access or can run scripts, each of them has the potential to read or modify files owned by the other domains on the same host. In other words, you should not use shared hosting for highly sensitive data.
When you use a prepackaged software solution (such as Webonizer or other widely available programs), you must often give the web server process itself read, write and execute access to your files. On a shared host that same web server process runs the scripts of every other customer, which leaves your files exposed to other people on the same server.
While software developers can build in some safeguards, there is no failsafe protection for your files and data on a shared host. Using file permissions, Webonizer attempts to make its files available only to the owner of the current domain; but because the web server needs write access to some of them, other users on the same server can write files into your domain if PHP on that server is allowed to run shell commands. Functions such as exec() give software developers great flexibility and power, but they open the door to great abuse on shared hosts. (Webonizer uses exec() in a few circumstances to do hostname lookups, but Webonizer does not break without that function.)
Here is a short list of PHP functions that can run external programs or shell commands and can therefore cause security problems on a shared host: exec(), system(), passthru(), shell_exec(), popen() and proc_open().
There are more functions to be wary of; see others in the PHP manual under PHP Program Execution Functions.
If your server allows functions such as exec(), you should be very careful about installing any prepackaged software (including Webonizer) on a shared host, and about making any of your files group-writable. Before installing a prepackaged solution on your domain, contact your host and find out whether you are on a shared server and whether other users have access to functions that can write to your directory, since many Webonizer folders and files are group-writable.
If your server is a shared host that allows exec()-like functions, you should consider moving your domain to another host or to a dedicated server, especially if you care about keeping your files and data private.
The most secure environment for your website is a dedicated server (or a shared host that you own and whose domains are all under your control). If that is not feasible, make sure that other users on your server cannot reach your domain's directory through functions that can write to files and folders with group read/write permission. If that is not possible either, be very wary of installing web applications on your domain (we are in the process of writing tips on securing your copy of Webonizer on a shared host; a link will be supplied soon).
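The following shell script is an added example written for this page; it is not part of Webonizer. It performs the two checks that the advice above boils down to: it scans a web root for files and directories that are writable by the group or by everyone (exactly what another customer's script running as the shared web server user could modify), and it compares the value of PHP's disable_functions setting against the program-execution functions named above to show which ones are still enabled. The web root, the sample files and their permissions, and the two sample disable_functions values are all constructed inside the script for demonstration; to audit a real site, run the functions against your actual document root and against the disable_functions value your host reports (for example from phpinfo()).

```shell
#!/bin/sh
# Added example, not Webonizer's code. Audits a PHP site on a shared host for
# the two conditions the article warns about: group/world-writable paths and
# enabled program-execution functions. All sample data below is constructed.

# The PHP program-execution functions the article lists.
DANGEROUS_FUNCS="exec system passthru shell_exec popen proc_open"

# Part 1: list every file and directory under a web root that is writable by
# the group or by others. On a shared host where all customers' PHP runs as
# the same web server user (or shares a group), any of these can be modified
# by another customer's script.
find_shared_writable() {
    # -perm -020: group write bit set; -perm -002: other write bit set
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Number of such paths; usable as a pass/fail gate in a deploy script.
count_shared_writable() {
    find_shared_writable "$1" | wc -l | tr -d ' '
}

# Part 2: given the value of php.ini's disable_functions directive (a
# comma-separated list), print the dangerous functions that are NOT disabled.
enabled_dangerous_funcs() {
    disabled=$(printf '%s' "$1" | tr ',' ' ')
    out=""
    for f in $DANGEROUS_FUNCS; do
        found=0
        for d in $disabled; do
            [ "$d" = "$f" ] && found=1
        done
        [ $found -eq 0 ] && out="$out $f"
    done
    printf '%s\n' "${out# }"
}

# Demonstration on a constructed web root and two constructed php.ini lines.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/config"
    echo '<?php echo "hi";' > "$root/index.php"
    echo 'secret' > "$root/config/db.php"
    chmod 755 "$root" "$root/config"
    chmod 644 "$root/index.php"
    chmod 775 "$root/uploads"          # group-writable upload directory
    chmod 666 "$root/config/db.php"    # world-writable: clearly wrong

    echo "Group/other-writable paths under $root:"
    find_shared_writable "$root"
    echo "Count: $(count_shared_writable "$root")"

    weak="disable_functions ="
    fixed="disable_functions = exec,system,passthru,shell_exec,popen,proc_open"
    echo "Still enabled with weak setting:  $(enabled_dangerous_funcs "${weak#*=}")"
    echo "Still enabled with fixed setting: '$(enabled_dangerous_funcs "${fixed#*=}")'"
    rm -rf "$root"
}

demo
```

A non-zero result from count_shared_writable on a shared host is the condition the article describes: either tighten those permissions or ask the host to disable the listed functions server-wide. Note that disable_functions only restricts PHP; if other customers have real shell access, or can run Perl or other CGI scripts, the same group-writable files remain reachable through those paths.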
Furthermore, you (or your server administrator) should keep the server software up to date. Keeping Apache, PHP and MySQL (as well as Webonizer and other applications) current goes a long way toward making your site as safe as reasonably possible, and this is especially true on shared hosts.
If you feel that there is a helpful article that would be valuable to this page, please contact us with a link and we may add it to our reference list here.