
Is this true about forum security on shared hosting?

Digital Doctor

Well-known member
#1
vBulletin acknowledged that its platform never could be really secure on shared hosting servers because each user is essentially running as root (from Apache's viewpoint).

Do you agree with this statement?
For vBulletin?
Is it true for XenForo?
 

MGSteve

Well-known member
#2
Erm, I can't see how Apache's process has anything to do with vBulletin, to be honest. PHP runs as whatever Apache's user is set up as. I forget what the default is, but it most definitely is not root!

Either way, it applies to all PHP scripts & sites on the server, not just vB or XF...

I'd be interested to see the source for your statement.
 

Jake Bunce

XenForo moderator
Staff member
#3
It's a problem with shared servers, not with any particular forum application. The problem is that your forum can be compromised if another account on the shared server is compromised. The other account can potentially read your config file and connect to your database. In the hands of a malicious person your config information can be used to deface your forum. All of this is by way of another account on the same shared server as you. This affects both vB and XF.

This happened to my forum once.
 

feldon30

Well-known member
#4
> vBulletin acknowledged that its platform never could be really secure on shared hosting servers because each user is essentially running as root (from Apache's viewpoint).
>
> Do you agree with this statement?
I don't think that's an accurate description of how shared hosting works.
 

Sadik B

Well-known member
#6
Depends on how qualified the shared host is technically. We have a dedicated server we "share" between N no. of users. We have Apache running on worker MPM and PHP running as fcgid processes separately under each user. So every user's Apache and PHP processes run separately under their own Unix user accounts. So if one account was to be compromised, it would have no impact on anyone else.

Given current hardware prices for server equipment, it makes absolutely no sense for a shared host to run php as a compiled apache module, mod_php. It is inefficient and poses security risk in a shared environment, as Jake explained.

And yes, I would also like to see the source of your claim. I see no reason why a software company would say such a thing.
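
Added example, not part of any post in this thread: a shell audit of the exposure described in posts #3 and #6, classifying whether a config file is readable by other accounts and whether PHP runs as the file's owner or as a shared uid. The temp file stands in for a forum config file, and the function names, output labels and the PHP uid argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a config file's exposure to other local accounts.
# It inspects mode bits and ownership only; it never reads the file.

# True if FILE has every permission bit in MODE set (POSIX find, no GNU stat).
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]; }

# Numeric uid of the file's owner (third field of `ls -ldn`).
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# Who besides the owner can read FILE?
config_exposure() {
    if   has_perm "$1" 004; then echo "world-readable"
    elif has_perm "$1" 040; then echo "group-readable"
    else echo "owner-only"
    fi
}

# Combine the file mode with the uid PHP executes as. PHP_UID is supplied by
# the admin (assumption: e.g. read from a page that prints posix_geteuid()).
assess() {
    file=$1 php_uid=$2
    [ -e "$file" ] || { echo "missing"; return 1; }
    exposure=$(config_exposure "$file")
    if [ "$php_uid" != "$(owner_uid "$file")" ]; then
        # Shared PHP uid (mod_php style): the file must stay readable to that
        # uid, so scripts of every other account on the host can read it too.
        echo "shared-php-user:$exposure"
    elif [ "$exposure" = "owner-only" ]; then
        echo "isolated"
    else
        # Per-user PHP (fcgid style): no other account needs read access.
        echo "per-user-php:$exposure:chmod-600-recommended"
    fi
}

# Constructed sample: a throwaway file standing in for a forum config file.
demo() {
    f=$(mktemp) && chmod 644 "$f"
    assess "$f" "$(id -u)"   # prints per-user-php:world-readable:chmod-600-recommended
    chmod 600 "$f"
    assess "$f" "$(id -u)"   # prints isolated
    rm -f "$f"
}
demo
```

The directories above the file matter as well: a config file with mode 600 is the check here, but an account home that other users cannot traverse is a second layer the script does not inspect.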
 

Digital Doctor

Well-known member
#11
He's a Linux god.
He says his method makes upgrading vB3 "very hard".
I'll ask him what his workarounds are.
He's looking to migrate away from vB3 and won't touch vB4.
I wanted to know if XenForo was any different than vB in respect to his wishes.
 

Deebs

Well-known member
#12
> He's a Linux god.
> He says his method makes upgrading vB3 "very hard".
> I'll ask him what his workarounds are.
> He's looking to migrate away from vB3 and won't touch vB4.
> I wanted to know if XenForo was any different than vB in respect to his wishes.

If he believes an application like vBulletin can alter the way shared hosting works then he is not a Linux god. Once the OS is set up to run PHP as the same user for all hosts on the server then nothing can change that unless he is exploiting the kernel.
 

Adam Howard

Well-known member
#15
> vBulletin acknowledged that its platform never could be really secure on shared hosting servers because each user is essentially running as root (from Apache's viewpoint).
>
> Do you agree with this statement?
> For vBulletin?
> Is it true for XenForo?

I'm going to get a lot of heat for this comment and perhaps others will want me to explain further in detail (which I would rather not)...

YES.

Any shared environment adds to the risk to every site on the server. This includes shared web hosts, but also VPS hosts as well. It does not matter how well you've configured the setup... The risk is there. You can limit the risk, but never to a complete zero (never as good as a dedicated).

Their statement is generally correct, except Apache isn't the root of all evil. They are forgetting MySQL, PHP, WHMCS, Xen, OpenVZ, cPanel with WHM, and there are other routes one could use to compromise a shared environment.

A complete dedicated environment has the least risk, when properly secured.
 

MichaelDance

Well-known member
#16
> I'm going to get a lot of heat for this comment and perhaps others will want me to explain further in detail (which I would rather not)...
>
> YES.
>
> Any shared environment adds to the risk to every site on the server. This includes shared web hosts, but also VPS hosts as well. It does not matter how well you've configured the setup... The risk is there. You can limit the risk, but never to a complete zero (never as good as a dedicated).
>
> Their statement is generally correct, except Apache isn't the root of all evil. They are forgetting MySQL, PHP, WHMCS, Xen, OpenVZ, cPanel with WHM, and there are other routes one could use to compromise a shared environment.
>
> A complete dedicated environment has the least risk, when properly secured.

True, mate; however, what I do say is that dedicated servers aren't fully the most reliable for security unless it's a Xen dedicated with LiteSpeed or Varnish and CSF. But even the secure servers can be hacked.

Oh, and I forgot this: I recommend you have CloudLinux and Cloudflare protection.