Security News – Dec. 28 2007


The following is a summary of new script vulnerabilities that are classified as severe and may affect server owners. More details are available at US-CERT.

  • Falcon Series One CMS v1.4.3 – Multiple cross site scripting vulnerabilities.
  • FreeWebShop v2.2.1 – Multiple SQL injection vulnerabilities.
  • MKPortal v1.1 RC1 – SQL injection vulnerability.
  • my123tkShop v0.9.1 e-Commerce-Suite – SQL injection vulnerability.
  • PHP Real Estate Classifieds – SQL injection vulnerability.
  • phpMyRealty v1.0.9 – Multiple SQL injection vulnerabilities.
  • phpRPG 0.8 – Multiple SQL injection vulnerabilities.
  • xeCMS v1.0 – Directory traversal vulnerability.

Have You Been Shafted By Your Web Host?


I often hear horror stories about hosts that have draconian AUP enforcement policies. It’s well worth finding out what the terms are before you decide on a web host. Don’t be surprised if they all look fairly bad, though: when it comes to breaches of the AUP, regardless of whether you are responsible or your server has been compromised, your host will probably have little sympathy. Most web hosts will either shut your account down straight away or give you a short time to remove your files. They would much rather you became someone else’s problem than theirs.

I think that’s a little bit silly, though. It just means that the site owner is going to take the same problems to a different server. It would be nice to see some web hosts be a little more proactive with regard to security. As I’ve mentioned elsewhere, with most dedicated servers you get a stock standard setup: no firewall and fairly mediocre security in general.

Of course we could say that it’s the responsibility of the server lessee, but let’s face it, the majority of people leasing dedicated servers are doing so to help their business, not to become Unix geeks. So it’s safe to assume that most people who have a dedicated server probably wouldn’t even know simple tasks such as looking at the server logs. If you are going to market your product to a general public who don’t know how to maintain that product, then surely you should at least be providing a basic service, or recommendations with regard to hiring someone to manage the server(s).

There’s often a ‘managed server’ option, but in my experience most managed services are quite costly whilst still only providing a basic service.

Do you have any horror hosting stories where you felt your host dropped the ball or treated you unfairly?