[Plugin: My FTP] MyFTP- Can be very dangerous on shared hosting accounts

  • drnate

    (@drnate)


    14 years, 9 months ago

    On a shared hosting setup MyFTP leaves your entire directory structure available for any of your users to browse.

    On most shared web hosts assign you a single Linux/Unix user name for your entire domain. So if for instance, you have a domain such as abc.com and allow others to host WordPress blogs at 123.abc.com and 456.abc.com, etc, all of the blogs are running under the same Unix user name.

    As such, MyFTP can allow your other users to browse the entire contents of your Unix home directory (anything under /home/abc.com) including configuration files, scripts, or whatever other sensitive information you might have lying around with full permissions. This means that they can not only read files, but edit and delete them as well.

    This may be unique to the particular web host I use (Bluehost), but I can imagine similar configurations are used at a lot of other hosting companies.

    I have confirmed the issue with my host, and they state that there is no configuration change that can be made on the server, via .htaccess files, via php.ini, in WordPress, or otherwise that would mitigate the ability for MyFTP to walk through all of your directories.

    This problem is actually not unique to MyFTP – any user-uploaded php script can be tweaked to allow the same level of access if one possessed the proper programming skills.

    http://wordpress.org/extend/plugins/myftp/

Viewing 1 replies (of 1 total)
  • Eric P

    (@eric-p)

    14 years, 6 months ago

    “It’s worse than that, he’s dead Jim, DEAD.”
    “Danger, danger, danger Will Robinson!!”
    WordPress Red Alert!
    PHP Shared Server Red Alert!
    “The sky is falling!”

    This situation is not unique to your host. It is a *nix security issue that is ongoing.

    The real danger with MyFTP is that you don’t have to be a PHP hack to hack other sites on your server.

    Also, and I won’t go into details here, but you can bring a whole server down with this plugin without being a stellar hacker. I love the concept, but the author should build in some php safeguards to MyFTP, which would be easy enough to do.

    That being said, there are things that your host can do:

    Also, probably the best quick fix is to set the permissions to 711 on the parent directory of all the WordPress installs.

Viewing 1 replies (of 1 total)
  • The topic ‘[Plugin: My FTP] MyFTP- Can be very dangerous on shared hosting accounts’ is closed to new replies.