Servage security issues
October 15th, 2008 · Posted in english

Servage is a big internet service provider offering mass-market web hosting. I used it for quite some time because the price seemed fine for what they offer and for what I needed. What I noticed the whole time I was a Servage customer was the lack of speed: the web and MySQL servers are generally under high load or unavailable, but that's not the point here.
My point is that Servage has several security issues they are neither willing to listen to nor to fix.
Servage probably had problems with their login form in the past, so they added a CAPTCHA: a scrambled graphic with letters that the user has to identify and type into a text box beside username and password in order to log in to the Servage control panel.
That is the theory; in practice it does not work. If you enter the CAPTCHA correctly, your login _will_ fail. If you enter _no_ CAPTCHA at all, your login will _succeed_ :). An empty field is evidently never validated, so the CAPTCHA stops nothing: anyone automating login attempts simply leaves it blank.
Another issue shows up when you register an internationalised domain name (IDN) with special characters in it. You can successfully add such a domain to the Servage control panel, but you can't use mail or any other service with it, and if you decide to delete it from your portfolio, you can't :). Clicking "Remove Domain" pops up a confirmation window, but the domain is never removed from the control panel.
A bigger issue, in my opinion, is the behaviour when you add a new virtual host or an existing domain name: Servage turns on register_globals by default for every newly added vhost. register_globals makes every request parameter (GET, POST, cookie) a PHP variable in the global scope, so any script that uses a variable before initialising it can have that variable set by the client. That is a big problem for you as the "webmaster" if you aren't aware of it and use PHP.
What's worse is that the attacker exploiting this setting need not be someone scanning the web for exploitable sites; it can be another Servage customer on the same server.
All it takes is a script error that gets indexed by Google. The catch is that you can identify parts of the directory structure Servage uses on its servers and then search for it via Google. For example, a simple PHP script calling system("ls /") reveals directory names such as "/mounted-storage/home105a" (hint: you have to turn PHP safe mode off for this to work, and Servage allows that). Searching Google for that string returns several websites with faulty PHP scripts that print some sort of error, which in most cases includes the full filesystem path of the script that failed.
The Servage customer or script kiddie then simply changes to the directory he extracted from the error message (with an open-source PHP shell, for example) and reads that PHP file. Yes, he is allowed to read it: the default permissions let any user on the server read your files _if_ they know where they are located. You can't cd to "/mounted-storage/home105a", but you can cd to "/mounted-storage/home105a/sub006/sc4711-LCNB", where the last component appears to be a unique identifier nobody should be able to discover, yet as shown above it is simple to find.
The script kiddie can now inspect your file and look for exploitable code, which is easy with register_globals on by default. Worse, if you set the wrong permissions, he can create new files or at least edit the existing ones.
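The following is an added example and not code from the original post or from Servage. It shows the classic register_globals failure mode (an authorisation flag that is only ever set, never initialised), a hardened form of the same check, and a small self-check a hosting customer could drop into a vhost to see whether the settings complained about above are in effect. The variable names, the `.htaccess` directives quoted in the comments and the assumption that Apache mod_php honours per-directory overrides are mine, not anything stated on the page.

```php
<?php
// Added example (not from the original post): why a vhost with
// register_globals=On is dangerous, and how a customer can check the settings.

// --- 1. The pattern register_globals breaks ---------------------------------
// With register_globals=On a request for  page.php?authorized=1  makes PHP
// create $authorized = "1" in the global scope *before* this script runs.
// Because $authorized is only ever set, never initialised, the check below
// passes for anyone who adds that query parameter.
session_start();
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $authorized = true;
}
if (!empty($authorized)) {              // VULNERABLE when register_globals=On
    echo "admin area (vulnerable check)\n";
}

// --- 2. Hardened form: initialise first, read input only from superglobals --
$authorized = false;                    // never rely on an undefined variable
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $authorized = true;
}
if ($authorized) {
    echo "admin area (hardened check)\n";
}
// Same rule for anything that becomes a path: take it from $_GET explicitly,
// whitelist it, and never let a bare variable name decide what gets included.
$page    = isset($_GET['page']) ? basename($_GET['page']) : 'home';
$allowed = array('home', 'about', 'contact');
if (in_array($page, $allowed, true) && is_file(__DIR__ . "/pages/$page.php")) {
    include __DIR__ . "/pages/$page.php";
}

// --- 3. Self-check a shared-hosting customer can run once per vhost ----------
// Reports the settings discussed in the post. Assumption (mine): mod_php with a
// per-directory .htaccess is honoured, so the customer can override them with
//   php_flag register_globals off
//   php_flag display_errors off     # no full paths in error output
//   php_flag log_errors on
function report_php_hardening()
{
    return array(
        'register_globals' => (bool) ini_get('register_globals'),  // want false
        'display_errors'   => (bool) ini_get('display_errors'),    // want false
        'safe_mode'        => (bool) ini_get('safe_mode'),
        // other-read lets other local users list this directory, other-execute
        // lets them cd into it if they know the name (the scenario above).
        'webroot_accessible_by_others' => (fileperms(__DIR__) & 0005) !== 0,
    );
}
print_r(report_php_hardening());
```

Running the script once from the document root of a freshly added vhost tells you immediately whether register_globals and display_errors are on; if the provider ignores `.htaccess` overrides, the values will not change after you add the directives, which is worth knowing before you deploy anything.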
When I searched Google I found a lot of websites that had already been hacked or defaced, and guess where they were hosted: Servage.
While I was a customer, Servage moved my entire account twice to a completely different cluster, and I now know why: compromised systems.
I asked Servage to set register_globals to off by default, but the people you talk to at support have no authority. They apparently aren't the decision makers, so no luck at all.
In fact I asked for many things: an update of DBD::mysql, which is still some 3.x version; a fix for the CAPTCHA problem; a fix for the security issues; and so on.
I have now cancelled my Servage account because the whole thing is one big security hole. I don't need that.

7 Responses to “Servage security issues”
By Shannon on Oct 18, 2008
:S
I don’t know if their credit card security is all part of their looney bin.
But if your card belongs to you, you might not actually get any service either. (This can be good after all!)
By servage_user on Nov 6, 2008
Regarding the captcha mechanism;
Last night I was logging into my account when I suddenly found myself administrating another person's account. Pretty scary, I thought to myself, and I chose to warn the Servage crew about the problem. But did they listen? Oh no, there was no problem at first. Then they asked me if I could change my password (but for what?). And at last they told me they would check the security at a later point. What? I gave up! At this time I am cleaning up my shit and will find another webhotel.
By Stoker on Nov 20, 2008
I have experienced the exact same problem as above: "By servage_user on Nov 6, 2008"
I created a support ticket and included a screenshot.
This was the answer:
"It can happen if two users are using the same network and one person does not log out properly. If you log out properly then you can verify that you won't be able to log in to your account without giving the correct password."
There is nothing else to say than: AMATEURS
What are they thinking?!?
By Andreas Schipplock on Nov 22, 2008
unbelievable :X!
By Phil on Jan 9, 2009
I'm pretty sure that the Servage support system is automated rather than real people. I've found that if you put words like "escalate" in your email you often get a much more logical response.
Even with all the problems, I think you're still getting a good deal for the amount you pay.
By Andreas Schipplock on Jan 9, 2009
I don’t agree on that, Phil.
For that amount of money you can get a much more solid web hosting provider. Don't forget that the traffic, bandwidth, webspace, etc. are not real values you can take into consideration.
It's a fact that you don't have 510GB of webspace :). Most of their clusters don't even have that much space left for _all_ customers on the same cluster. Most clusters are in fact running out of space. If you try to allocate 510GB of webspace I'm pretty sure they will cancel your account.
And I personally go for a provider that gives me limits I can count on rather than one that says “unlimited” but closes my site unexpectedly because I used more than x GB of their traffic for a day :).
By Dave on Feb 7, 2009
Servage are awful.
Downtime, hackings, skim read and copied responses from support, more downtime and more hacking.
http://blog.lottomad.info/ab-personal-updates/servagenet-hosting-stay-away
my story