
Is this true about forum security on shared hosting ?

Discussion in 'Server Configuration and Hosting' started by Digital Doctor, Feb 29, 2012.

  1. Digital Doctor

    Digital Doctor Well-Known Member

    vBulletin acknowledged that its platform never could be really secure on shared hosting servers because each user is essentially running as root (from Apache's viewpoint).

    Do you agree with this statement ?
    for vBulletin ?
    is it true for Xenforo ?
     
  2. MGSteve

    MGSteve Well-Known Member

    erm, I can't see how apache's process has anything to do with vBulletin, to be honest. PHP runs as whatever Apache's user is set up as. I forget what the default is, but it most definitely is not root!

    Either way it applies to all PHP scripts & sites on the server, not just vB or XF...

    I'd be interested to see the source for your statement.
     
  3. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    It's a problem with shared servers, not with any particular forum application. The problem is that your forum can be compromised if another account on the shared server is compromised. The other account can potentially read your config file and connect to your database. In the hands of a malicious person your config information can be used to deface your forum. All of this is by way of another account on the same shared server as you. This affects both vB and XF.

    This happened to my forum once.
     
  4. feldon30

    feldon30 Well-Known Member

    I don't think that's an accurate description of how shared hosting works.
     
  5. Mike

    Mike XenForo Developer Staff Member

    This is one of the reasons most shared hosts run a suexec-style thing now, though that creates different issues IMO.
     
    D.O.A. and MichaelDance like this.
  6. Sadik B

    Sadik B Well-Known Member

    Depends on how qualified the shared host is technically. We have a dedicated server we "share" between N no. of users. We have Apache running on worker mpm and php running as fcgid processes separately under each user. So every user's apache and php processes run separately under their own unix user accounts. So if one account was to be compromised, it would have no impact on anyone else.

    Given current hardware prices for server equipment, it makes absolutely no sense for a shared host to run php as a compiled apache module, mod_php. It is inefficient and poses a security risk in a shared environment, as Jake explained.

    And Yes, I would also like to see the source of your claim. I see no reason why a software company would say such a thing.
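
Added example, not part of any post in this thread: a small audit of the situation Jake Bunce and Sadik B describe, classifying a forum config file by whether PHP runs as one shared web-server user or under each account's own Unix user. The function names, the `root` argument (the directory holding all accounts) and the verdict labels are assumptions made for illustration.

```python
import os
import stat

def reachable_by_others(path, root):
    """True if every directory from the file up to (not including) root
    grants search permission (o+x) to 'other'."""
    root = os.path.realpath(root)
    d = os.path.dirname(os.path.realpath(path))
    while d != root:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(d)
        if parent == d:          # hit filesystem root without meeting `root`
            raise ValueError("path is not under root")
        d = parent
    return True

def audit_config(path, root, php_runs_as_owner):
    """Classify exposure of a forum config file on a shared server.

    php_runs_as_owner: True for suexec/fcgid-style setups (PHP runs under
    each account's own Unix user), False when every site's PHP runs as
    the one shared web-server user (e.g. mod_php).
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_readable = bool(mode & stat.S_IROTH) and reachable_by_others(path, root)
    if not php_runs_as_owner:
        # Assumption: the forum works, so the shared PHP user can read the
        # file, and therefore so can PHP run by any other account.
        verdict = "exposed-by-design"
    elif world_readable:
        verdict = "tighten"      # owner-only (0600) is enough here
    else:
        verdict = "ok"
    return {"mode": "%04o" % mode, "world_readable": world_readable,
            "verdict": verdict}

if __name__ == "__main__":
    import sys
    # usage: audit.py <config file> <hosting root> <shared|peruser>
    cfg, root, how = sys.argv[1:4]
    print(audit_config(cfg, root, how == "peruser"))
```

With a shared PHP user no file mode changes the verdict, which is why the fix discussed in the thread is at the server level (per-user PHP) rather than in the forum software.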
     
  7. Digital Doctor

    Digital Doctor Well-Known Member

    They modified their vB3 to prevent this problem.
     
  8. Brandon Sheley

    Brandon Sheley Well-Known Member

    It wouldn't matter if they built their own forum, it would still run the same risk as any other web script on a shared account.
     
    D.O.A. and Darkimmortal like this.
  9. Sadik B

    Sadik B Well-Known Member

    Really, how? I am very curious to know how vB3 can be modified to prevent php running under a shared unix account.
     
    Darkimmortal likes this.
  10. MGSteve

    MGSteve Well-Known Member

    Me too. Someone's got their wires crossed here I think...
     
    Darkimmortal likes this.
  11. Digital Doctor

    Digital Doctor Well-Known Member

    He's a linux God.
    He says his method makes upgrading vB3 "very hard".
    I'll ask him what are his workarounds.
    He's looking to migrate away from vB3 and won't touch vB4.
    I wanted to know if Xenforo was any different than vB in respect to his wishes.
     
  12. Deebs

    Deebs Well-Known Member

    If he believes an application like vBulletin can alter the way shared hosting works then he is not a linux god. Once the OS is set up to run PHP as the same user for all hosts on the server then nothing can change that unless he is exploiting the kernel.
     
    Darkimmortal likes this.
  13. Digital Doctor

    Digital Doctor Well-Known Member

    I wanted to know this ....
    so I could encourage him to use Xenforo.
     
  14. Deebs

    Deebs Well-Known Member

    Same issue. Read my post above.
     
  15. Adam Howard

    Adam Howard Well-Known Member

    I'm going to get a lot of heat for this comment and perhaps others will want me to explain further in detail (which I would rather not).......

    YES.

    Any shared environment adds to the risk to every site on the server. This includes shared web host, but also VPS host as well. Does not matter how good you've configured the setup... The risk is there. You can limit the risk, but never to a complete zero (never as good as a dedicated).

    Their statement is generally correct, except Apache isn't the root of all evil. They are forgetting MySQL, PHP, WHMCS, Xen, OpenVZ, Cpanel with WHM, and there are other routes one could use to compromise a shared environment.

    A complete dedicated environment has the least risk, when properly secured.
     
  16. MichaelDance

    MichaelDance Well-Known Member

    True, mate. However, what I do say is that dedicated servers aren't fully the most reliable for security unless it's a Xen dedicated with Litespeed or Varnish and CSF. But even the secure servers can be hacked.

    Oh, and I forgot this: I recommend you have CloudLinux and Cloudflare protection.
     
    TheVisitors likes this.
  17. Digital Doctor

    Digital Doctor Well-Known Member

    Title change request.
    Is this true about Xenforo security on shared hosting ?

    Is this true about forum security on shared hosting ?
     