Massive Security Flaw Found In Most Hosting Providers
2019 March 7th at 11:52
A crucial vulnerability affecting the majority of web hosting users and website visitors has been found in many popular hosting providers.
According to our security experts' findings, if a server houses multiple shared hosting accounts, any one of those accounts can access the real-time activity logs of every account on the server. This essentially means that your website's activity data can be viewed by anyone on the server.
The most surprising part is that the issue was discovered with web hosting giants like Bluehost, Siteground, Godaddy and so many more.
Oh yeah, and this issue is at least 6 years old...
How Does It Work?
This vulnerability gives users access to an Apache status page - a page used by the hosting companies’ monitoring teams to see the basic logs of a specific server. It’s a pretty simple function, which can only be accessed by server admins.
Or is it?
By default, the Apache status page has an IP restriction, meaning that it can only be accessed if the request was made from the same server.
Naturally, the restriction prevents anyone outside the server from reaching the page.
However, cPanel security engineers didn’t realize that someone untrustworthy might request this URL from within the server.
Even without root access, anyone is able to extract the server's real-time activity by using a simple PHP script which requests the WHM status page via the 127.0.0.1 (localhost) IP address.
Here is an example PHP file in question:
<?php
// Request the WHM status page over the loopback address, from inside the server.
$url = 'http://127.0.0.1/whm-server-status';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // hand the page back as a string
$data = curl_exec($ch);
curl_close($ch);
You can also use $url = 'http://[::1]/whm-server-status'; if the server is IPv6-based.
So, essentially, if a person wants to view and collect your website data indefinitely, all they need to do is:
- Buy a hosting account;
- Run this PHP file from the account’s directory;
- Create a cronjob and continuously gather data from that particular server forever.
This gives the user access to the status page, which includes:
- Personal IPs of all the website’s visitors. All visitors of the server could be identified and tracked.
- Exact requests sent by the users. Hidden links of all pages could be easily found and collected.
- The real IP addresses of the hosted websites. This lets anyone see the origin addresses and launch DDoS attacks against them directly, rendering services like Cloudflare useless.
- The ability to identify weak pages and take advantage of them. Since you have access to the server's real-time activity logs, you can see how long it takes to load a particular page. This way you can determine which pages are particularly weak and later flood them with an overwhelming number of requests (DDoS), which will ultimately crash the whole website or even the whole server.
The Apache server status page is meant to be for monitoring teams' eyes only. But you can do this on pretty much any hosting account.
This Issue Is Nothing New
As a matter of fact, this very specific problem has been making the rounds before. Back in 2012, Daniel Cid from Sucuri discovered that many websites had public status pages which could be accessed by literally anyone.
All it took was entering a URL and adding /server-status at the end. This way, websites such as Metacafe, NBA, Ford, PHP.net (ironically), and many more made this information public for everyone visiting.
Since then, however, it has been fixed, and we have yet to find websites still exposed this way. What we've discovered is that there's another way to access the same status page - and get loads of information on thousands of websites.
Who Is to Blame & How Do I Fix It?
Imagine the situation when you purchase a router and it has both username and password set to “admin”. Who’s at fault if it got hacked? Well, the router manufacturer could use stronger credentials, but at the same time - the users should pay more attention to their security and instantly change them.
Similarly, while cPanel failed to provide a secure default, it can't be solely blamed for this vulnerability.
The status page itself was designed and implemented by cPanel; however, cPanel also gave hosting providers' sysadmins the tools to configure this feature's security. That was evidently overlooked by most.
So how do you avoid this vulnerability? Well, there are a few things your server admin could do:
- Change ‘server-status’ location to a new one. No one will be able to request the status page if no one knows where it’s located.
- Change the default port (80). It acts similarly to changing the default URL, yet it could give some additional security.
- Add HTTP authentication on that particular URL, which secures the Apache status page behind a password of your own choosing.
- Add a condition to the server’s firewall, so that only root (or a particular admin group) could access the status page.
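To make the difference concrete, here is an added configuration example, not cPanel's shipped configuration and not from the original article, showing the loopback-only restriction as Apache 2.4 commonly expresses it, beside a hardened version that applies the list above. The relocated path, the admin network 203.0.113.0/24 and the htpasswd file location are placeholders you would replace:

```apache
# Typical loopback-only restriction. On a shared server "local" includes every
# tenant's PHP, because their requests to 127.0.0.1 / [::1] come from this host.
# This is the block to replace.
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>

# Hardened form (added example, Apache 2.4 syntax). Placeholders: the path,
# the admin network 203.0.113.0/24 (RFC 5737 documentation range) and the
# htpasswd file location.
<Location "/example-ops-status">
    SetHandler server-status
    AuthType Basic
    AuthName "Server status"
    AuthUserFile "/etc/apache2/status.htpasswd"
    # Both conditions must hold: request from the admin network AND a valid login.
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Location>

# Optional: if monitoring only needs the counters, switch off the per-request
# table (URLs and client IPs) for everyone who can reach the page.
# ExtendedStatus Off
```

On a multi-tenant box, "local" means every tenant's scripts, not only the monitoring team, which is the whole problem. Because a panel update can regenerate the main httpd.conf, place the hardened block in a configuration include that the panel preserves across rebuilds (check your panel's documentation for which file that is), and after each update confirm from an ordinary tenant account that both the old and the new path answer with 401 or 403.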
But here's the kicker: once every month or so, a new cPanel update will roll out, changing the default URL and causing this issue to happen all over again. There are a few things you can do to fix this permanently, but they are a bit tricky.
This Can Seriously Affect The Users
So, long story short - if you're a shared hosting user, your data may be accessible by everyone on the same server with you.
And considering a single server could host up to a few thousand clients, it's a serious risk. One malicious user is all it takes to get your data and behavior harvested. And once they're done with one server, well, a simple request to customer support will get them moved to a different one, where they can continue collecting user data.
While leaked URLs and IPs may not seem as dangerous, this data can be used very creatively in order to do some serious damage to website owners and visitors.
Bad news for non-encrypted passwords
For instance, public access to all URLs is bad news for people using non-encrypted online platforms. Many of them still use outdated security systems and generate logins as custom URLs. This means that when you log into the website, you may actually enter the URL that is something like this:
And it doesn’t matter whether your website uses HTTP or HTTPS - the status page sees both as plain text.
Needless to say, since the status page shows all the URL activity on your website, anyone viewing the status page would see the username and password that you entered. The same tracking can be used to discover hidden URLs, too - so the secret pages will become not-so-secret anymore.
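Two things a server admin can check for in the access log follow from this article: the tenant-side polling of the status page described under "How Does It Work?" (repeated loopback requests to /whm-server-status or /server-status, typically from a cron job), and requests that carry credentials in the query string, which is exactly what the status page would expose. The script below is an added example, not code from the article, from Hostinger or from cPanel. It assumes Apache's combined log format and that the status-page requests land in an access log you can read; the log lines are constructed, and the list of credential-looking parameter names is an assumption you would extend for your applications:

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Status-page paths named in the article (Apache default and cPanel/WHM).
STATUS_PATHS = {"/server-status", "/whm-server-status"}
LOOPBACK = {"127.0.0.1", "::1"}
# Assumed list of query-parameter names that usually carry secrets.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "token", "apikey", "api_key", "secret"}

# Constructed sample log: two loopback polls of the WHM status page one minute apart
# (the cron-job pattern), a login with credentials in the query string, a normal hit,
# and an outside request that the IP restriction correctly refused.
SAMPLE_LOG = """\
127.0.0.1 - - [07/Mar/2019:11:52:01 +0000] "GET /whm-server-status HTTP/1.1" 200 48213 "-" "curl/7.29.0"
127.0.0.1 - - [07/Mar/2019:11:53:01 +0000] "GET /whm-server-status HTTP/1.1" 200 48301 "-" "curl/7.29.0"
198.51.100.7 - - [07/Mar/2019:11:53:04 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2019:11:53:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2019:11:54:00 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def credential_params(target):
    """Names of credential-looking parameters in a request target's query string."""
    query = urlsplit(target).query
    return sorted(k for k in parse_qs(query, keep_blank_values=True) if k.lower() in CREDENTIAL_KEYS)


def audit(log_text):
    """Summarise status-page access and credential-in-URL exposure for a log."""
    loopback_probes = Counter()   # client -> number of status-page hits from loopback
    external_probes = []          # (client, path, status) for non-loopback status hits
    credential_leaks = []         # (client, path, [param names]) for secrets in URLs
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if path in STATUS_PATHS:
            if rec["client"] in LOOPBACK:
                loopback_probes[rec["client"]] += 1
            else:
                external_probes.append((rec["client"], path, int(rec["status"])))
        leaked = credential_params(rec["target"])
        if leaked:
            credential_leaks.append((rec["client"], path, leaked))
    return {
        "loopback_probes": dict(loopback_probes),
        "external_probes": external_probes,
        "credential_leaks": credential_leaks,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for client, n in result["loopback_probes"].items():
        print(f"status page polled {n}x from loopback {client}: find which tenant's cron/PHP did it")
    for client, path, status in result["external_probes"]:
        print(f"external status request from {client} -> {status} (403 means the IP restriction held)")
    for client, path, keys in result["credential_leaks"]:
        print(f"credential parameters {keys} in a URL to {path} from {client}: move them to a POST body")
```

Loopback hits to the status page are the signal that a tenant, not the monitoring team, is reading it; pairing the timestamps with the server's cron entries identifies the account. The credential check is the application-side half of the fix: as the article says, the status page sees HTTPS request lines in the clear, so secrets belong in a POST body (or a header), never in the URL.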
In addition to URLs, this vulnerability also reveals IP addresses interacting with the websites. And using that information, people could monitor the activity of any website hosted on the server and see who accesses them.
Knowing the list of websites and users on the hosting provider cracks the doors wide open for data farming.
Some hosting providers would pay good money for a list of their competitors’ clients. Such information tends to be secret - but with this vulnerability, it’s very much public. If you’re hosting with an unsafe provider, you could be targeted by several of its competitors.
But not all leaked personal information might be used for relatively harmless marketing. Some malicious people may even attempt to blackmail you using the very same data they gathered.
For example, using an IP address, any website could be DDoS’ed, and held ransom - the attacks won’t stop until you pay.
And if you think the services like Cloudflare will save you from that, well - no.
The WHM server status page shows the real IP address of the website. With direct access to your IP address, people may be capable of DDoS'ing your project and no software would help (unless you change your IP address completely).
Which Hosting Providers Are Affected By This?
Our security experts carried out the tests on 11 popular shared web hosting providers and here are the results:
| Provider | Panel Used | Status | Updated (date) |
|---|---|---|---|
| Hostinger | Custom Panel | Not Affected | 03.05.2019 |
As you can see, every single host which uses cPanel was affected by this vulnerability. From this table alone, it’s easy to assume that all cPanel-based hosts share this security problem.
If you’re reading this, chances are that this vulnerability is currently being taken care of. Before publishing the article, we’ve contacted all of the major hosting providers and informed them of this issue.
After receiving confirmations like these, we double-checked whether the issue persisted. Sadly, there are quite a few hosts which didn't bother fixing it. Our updates are recorded in the table above.
I Am a Shared Hosting User - What Should I Do?
At this point, there is not much you can do. The damage (if any) has already been done. However, you can try contacting your hosting provider or research this security issue in tech communities to find more information.
We will keep a close eye on the hosting providers mentioned here and keep you updated on whether they have made the necessary security changes to their hosting platforms.