On a shared hosting setup, MyFTP leaves your entire directory structure available for any of your users to browse.
Most shared web hosts assign you a single Linux/Unix user name for your entire domain. So if, for instance, you have a domain such as abc.com and allow others to host WordPress blogs at 123.abc.com and 456.abc.com, etc., all of the blogs are running under the same Unix user name.
As such, MyFTP can allow your other users to browse the entire contents of your Unix home directory (anything under /home/abc.com) including configuration files, scripts, or whatever other sensitive information you might have lying around with full permissions. This means that they can not only read files, but edit and delete them as well.
This may be unique to the particular web host I use (Bluehost), but I can imagine similar configurations are used at a lot of other hosting companies.
I have confirmed the issue with my host, and they state that there is no configuration change that can be made on the server, via .htaccess files, via php.ini, in WordPress, or otherwise that would mitigate the ability for MyFTP to walk through all of your directories.
This problem is actually not unique to MyFTP – any user-uploaded PHP script can be tweaked to allow the same level of access if one possessed the proper programming skills.
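Why file modes do not separate blogs that run as one Unix user, as an added example that is not part of the original post: the script applies the standard owner/group/other permission check to a constructed two-blog layout and compares the shared account with a hypothetical separate per-site account. The function names, the sample tree and the second UID are assumptions for illustration.

```python
import os
import stat
import tempfile

def access_for(st, uid, gids):
    """Return (can_read, can_write) for a non-root process with this uid/gids.

    Classic mode-bit check only: ACLs and directory search bits are ignored.
    """
    if st.st_uid == uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR      # owner class applies
    elif st.st_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP      # group class applies
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH      # everyone else
    return bool(st.st_mode & r), bool(st.st_mode & w)

def audit(root, uid, gids=()):
    """Walk root and report what a script running as uid could read or modify."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                report[os.path.relpath(path, root)] = access_for(st, uid, gids)
    return report

def demo():
    """Constructed layout: two blogs under one account, config files chmod 600."""
    with tempfile.TemporaryDirectory() as home:
        for site in ("123.abc.com", "456.abc.com"):
            os.makedirs(os.path.join(home, site))
            cfg = os.path.join(home, site, "wp-config.php")
            with open(cfg, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(cfg, 0o600)               # strictest owner-only mode
        shared_uid = os.lstat(home).st_uid     # the single account all blogs use
        separate_uid = shared_uid + 1          # hypothetical per-site account
        return audit(home, shared_uid), audit(home, separate_uid)

if __name__ == "__main__":
    same_user, other_user = demo()
    for path in sorted(same_user):
        print(path, "shared account:", same_user[path],
              "separate account:", other_user[path])
```

Running `audit` against a real home directory with the account's own UID lists every file a script uploaded to any blog under that account could read or change.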
- The topic ‘[Plugin: My FTP] MyFTP- Can be very dangerous on shared hosting accounts’ is closed to new replies.