Here's a quick breakdown:
1. Autogenerating CORS headers based on a regexp that can be tricked into allowing <safe.org>.evil.org.
2. A form POST encoded text/plain that gets interpreted as JSON to bypass CSRF check.
3. Using CORS origin check gaps to do an HTTP downgrade.
4. XSS-ATO by email address changes (this is pretty vanilla).
5. Sending “token[]=” to break PHP CSRF token check through type confusion.
6. Breaking a different CORS generator by smuggling the whitelisted domain into a ?urlparam=safe.org.
7. Setting content-type=text/plain; application/json to fake out browser check for JSON and bypassing CSRF at OVH.
8. Some fiddly and not super interesting CSP bypasses.
It's usually a lot easier to write the PoC with fetch() though.
But hosting management also has a whole lot of potential for logical errors. I work at a B2B ISP that is also a managed service provider, and every now and then somebody calls for more self-service. I'm not against it, but it's full of landmines.
It starts with such simple things as account creation. We allow accounts with the appropriate roles to be used for several different customers, which means we cannot namespace them by tenant.
We used to give accounts usernames based on the first and last name, but that makes it very easy to leak which other accounts exists (when "John Doe" becomes "johndoe4" instead of just "johndoe", you can infer the existence of other accounts, and thus that other "John Doe"s are among our customer base). We had to change that, which isn't as easy as it sounds for a company that has been doing things a certain way for 25 years.
Potential logic errors and information leaks lurk in all places where you cannot namespace things because they are not fully under your control, which can be IP addresses (big customers bring their own address spaces, and IPv4 address space is too small for generous segmentation), Domains, email addresses, phone numbers and so on.
One customer has one or two whole /8 blocks of public IPs that they use even for internal systems in our data centers. Others are IPv6 on the inside and IPv4 public facing. Some are big layer 2 setups (which we internally route through IPv6).
All this assuming the hacker would use a gift card to get a paid account to start.
This was a while ago so I don't know if they found a solution. User home directories are private but you can easily guess common paths under them (eg wordpress).
Allowing executable code (CGI, PHP) in such an environment is just a recipe for trouble.
Anecdotally, I've used Dreamhost for years as a domain host and have had nothing but positive experiences.
Originally I switched to them for being very vocally against SOPA, and they've consistently been on the right side of various Internet legislative issues.
They do seem like good people, I have no plan to move my own stuff from Dreamhost and I can't fault their customer service, but I also cannot recommend for stuff beyond vanity domains, fun side projects and so on because they've had so many issues that suggest a lot of stuff is kind of half-arsed. My home Internet service provider is also good hearted, but they've also been very _competent_ which is important, and I just can't honestly say that about Dreamhost.
Three (of many) Examples:
I own a .co.uk domain, and the people who run .co.uk have different requirements for WHOIS and for how domain transfers work. So Dreamhost would present me a generic "Here's how to change WHOIS" page and then it'd mysteriously fail, but actually their backend just didn't work with that entire 2LD, and domain transfer stuff would not work or it'd seem to work but then payment was rejected and the transfer doesn't go through...
I made a DNS change through Dreamhost's control panel, and after a reasonable period of time (maybe an hour?) of Dreamhost's three authoritative DNS servers only one had updated. So I talk to their support. They say I need to wait for it to "propagate" which is bullshit, these are authoritative servers, "propagating" data to the authoritative servers is Dreamhost's problem and if they can't do it in an hour what are they using, carrier pigeons? Then the support person shows me dig results they see locally for those DNS servers which don't match results I see, showing that actually these servers are either split brain or anycast groups, I ask about that, and the tech assures me that no, the answers they see are correct and that answers I see, by literally querying the same IP addresses, must need to "propagate" for a few hours more. After enough prompting they relent and say they'll "check" with someone about the DNS servers. Literally under 60 seconds after going to "check" the results are fixed. Huh, what a "coincidence".
Most hilariously one time they charged me for a year in advance entirely by accident, someone fat fingered a script that takes money from customer accounts. Now, like I said their customer service is good, I got the money refunded together with my costs for the currency difference between when they took the bogus transaction and when it was refunded rounded up. But if I had a $5000 contract that'd have hurt a lot more than it did for a few vanity sites.
Seconded.
Dreamhost is fantastic at tone in their communications, especially broad public communications; they sound accessible, human, and open rather than corporate... and maybe they are, or maybe that's just part of their brand.
They are not, however, super reliable when it comes to availability, especially if your resource usage starts to approach something on the order of magnitude stated capacity, and in that case you will find out that there are the system rules they sold you on, and there's the unwritten rules which may or may not even be legible to you by the time you're done.
This is not unheard of when it comes to discount hosting, of course, and I don't expect them to be different. Just sayin' that neither should anyone else.
If you are affiliated with such a firm, and you respond anyway, please explain what you do differently.
We're working really hard on securing multi-tenant Kubernetes clusters and have some tricks up our sleeves from years in the cloud industry, but we have not yet completed any external audits - that said, as the CTO, I take security _extremely seriously_ and consider it my number 1 priority, if that helps! We use tech like containerd, gvisor, eBPF and lots more to secure users containers on our multi-tenant hosting tier.
Not affiliated, but worked with some high profile sites on there.
"Endurance, who runs Bluehost, iPage, and HostGator:"
The company is a fucking nightmare. ALL EIG brands should be avoided like the plague including Constant Contact, site5, bluehost, hostgator, fastdomains, justhost, hostmonster, ipage, NetFirms, UnifiedLayer, IpowerWeb, PowWeb, ResellerClub, HostNine, HostCentric, Domain.com, Dotster, Verio, AppMachine, Arvixe...etc...
They have horrible security. Hacked sites were the norm not the exception. The techs we had were decent, but when things started off-shoring the off-shore tech's were complete idiots who couldn't figure out how to add space to a VPS...That was in 2015, I'm sure now it's way worse. I left in 2014/2015 to do development full-time, my wife worked there till they shut down their Orem, UT operations.
We had friends who they actually got to move to AZ to work w/ hostgator during the transition, and then fired 3 months later after they didn't need them anymore and AFTER they'd already bought a house in AZ... real pieces of shit there...
The CEO even said 3 weeks before everyone got the notification they were being canned "Don't worry your jobs are all safe, nobody's getting laid off" ...lmao
In other words: yes, it would have mitigated Bluehost's problems. It would also have broken their sites (or otherwise they would not be needing to use CORS requests at all).
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Ac...
Also browsers automatic sending cookie enable many of these CSRF, consider JWT.
Amazing how PHP is still bitting developers.
Hello Joshua,
Thank you for reaching out to Bluehost via our press@ email address; as a brief introduction, I am writing you from Endurance International Group, parent company to Bluehost and several other web hosting services. In regards to your questions for how to best protect your website, one of the best things you can do to invest in your business is to acquire web security, something like Sitelock, to protect you from malware. Below you will find the following: i.) article from Sucuri.net explaining more about website security, and ii.) information to speak to Bluehost representatives more in depth about our partnership with Sitelock and help you set up that addon service, if this is what you wish.
i.) https://sucuri.net/guides/website-security/ ii.) 888-401-4678 | https://helpchat.bluehost.com/
Kind regards,
Jacob Endurance International Group
I disagree. It's very easy to make such mistakes, often even to miss them in code review. You also cannot simply cover all potential errors in integration tests, because there are infinitely many potential errors you can make.
You need continuous or regular red-teaming or comparable security controls to reliably avoid such things, and you typically only have those at the really big and high-tech companies, or in highly attacked or regulated environments.
This tier of the market is also where the less-technical customers tend to congregate, so even if you have great security, most of your customers aren't going to be in a position to be able to appreciate that. You could argue that security is a potential marketing plus, but then you could get the same "pop" by just claiming you have great security without actually providing it. It's not like your customers are going to be able to tell the difference.
I have several friends who are on Red Teams working for pretty visible info sec companies. The one thing they always harp on is going back to test a companies network or physical infrastructure and finding most, if not all of the necessary fixes have not been corrected from their last visit.
You're right, big companies do have regular testing, but you'd be surprised how slowly those holes and issues actually get fixed.
Always assume that service providers are:
- Blithering idiots until proven otherwise.
- Not performing a task that isn't explicitly committed to in the service description or contract. If something is left unsaid, that it isn't happening.
- Not performing a task that they aren't solely accountable for. If you "share" a responsibility, it is your responsibility.
