undefined | Better HN

0 pointsxinsight16y ago0 comments

Indeed. If you use shared web hosting (like Bluehost) there are often hundreds of other websites running on the same server. It is trivial to write a script that runs with the permissions of the webserver to snoop other websites' files. Read the config files (wp-config.php in the case of Wordpress) and you can then access the database directly and wreak major havoc.

0 comments

3 comments · 1 top-level

andfarm16y ago· 2 in thread

Note that this is only true if your host is running PHP using mod_php or similar, and they don't have safe_mode configured properly.

xinsightOP16y ago

A perl script running via cgi could do it, no?

andfarm16y ago

Unless your host is incredibly dumb and doesn't have suexec enabled [1], CGI scripts run as their owner [2].

[1] And, if they don't, you should run away. Fast.

[2] The actual rules are a little more complex than that, but that's what it comes down to.

j / k navigate · click thread line to collapse