#1
Hi
I'm an Aluminium Reseller and one of my clients' guestbook (Advanced Guestbook 2.2) was hacked via a SQL injection vulnerability last week. This granted the attacker administrator access and prevented me from logging into admin to remove the extremely offensive and obtrusive scripts/html. I contacted IM support as soon as I became aware of the problem and I was then asked to lodge a support ticket via email. This ticket went unanswered for around 15 hours. The response I received was less than satisfactory, indicating that "the pw stored in the program is encrypted. I have no idea where or how this would be decrypted and the administration program for the script is useless. I'm not sure there's much more we can do on this end." This would lead one to believe that the only remedy was to delete the DB in it's entirity and start again. Luckily in the meantime, I had done some online research regarding Advanced Guestbook hacking - apparently, the attack is very simple and consists of inputting a password string (which I was able to find online but for obvious reasons won't repeat), leaving the username entry blank. Fortunately, I was able to re-enter this pw to gain admin access and rectify the damage. I also discovered that this attack could have been prevented if packages/accounts had been upgraded to Advanced Guestbook 2.3.1. I know on the grand scale of things that guestbooks aren't of major importance but I believe that any breach of security which is brought to your attention should be taken very seriously, given high priority and researched. For around 10 of my client's, the guestbook is their primary source of feedback and needless to say, having guestbook pages displaying obscene or offensive images/material is completely unacceptable. In the past I have had nothing but praise for HostGator support but I felt it necessary to voice my concern regarding this incident. I believe HostGator should be working harder to address and improve matters of security. Arna |
#2
Our servers are secure, however, we cannot prevent the scripts you use from being hacked since it is up to you to be on the most up to date version. We use Fantastico and cPanel. They keep software versions up to date for us, however, it is impossible to update every script when a new version comes out on our site. Nor would we be able to go through everyone's ftp looking at every script updating them to the latest versions for them.
I'm sorry for your problems, but script security is up to the webmaster, not the host.
__________________
Gators love marshmallows.
#3
I understand where you are coming from in relation to customer sourced/installed scripts however, the script I am referring to is included in cPanel. As stated by another hosting provider "cPanel now has 2.3.1 version of the Advanced Guestbook available, so you should use that to install or upgrade your existing advanced guestbook installation" (source: http://www.totalchoicehosting.com/fo...=0&#entry65560) I have accessed the cPanel of the client whose guestbook was hacked and this upgrade option is not available. I can only assume therefore, that Host Gator is not running the updated version of cPanel. cPanel has done its job by addressing the vulnerability in a script they provided and have updated accordingly. It is HostGator's responsibility to ensure that the current version of cPanel is available to its subscribers.
#4
About the latest cPanel ...
I would have to agree ... for some time we were running cPanel 9.3 and then went back to 9.25 ... Important to note that in the version of cPanel that is being used currently .... there was a security issue with Exim ... that is why most hosts updated to 9.3. but why we rolled back ... is beyond me ...
#5
The problem with cPanel is that they never release a stable version without bugs. When you upgrade 100 things usually break. You have to do tradeoffs. If we downgraded that means there was a major problem with the version being used and had to revert back.
cPanel's a mess with stable versions, and until they release something worthwhile we stay away from upgrading (breaking) things. We ask everyone to use the scripts in Fantastico since we keep them on auto update.
__________________
Gators love marshmallows.