3

I was reading Essential PHP Security and chapter 8 talks about problems with hosting your PHP app in a shared hosting environment.

Some of the problems he mentions are:

- Exposed source code and File system browsing.

a web server must be able to read the source code in order to execute it. Since the web server is shared a PHP script written by another developer on the server can read arbitrary files. An attacker can also create a script that browses the file system.

- Exposed session data and Session injection.

By default, PHP stores session data in /tmp which is writable by all users, so Apache has permission to write session data there. A simple script can allow other users to read, add, modify, or delete sessions.

It's like everything is exposed and vulnerable if I used shared hosting this way.

My questions:

  1. Considering the book was published 8 years ago, are they problems still occurring or were they mitigated somehow in the last few years?
  2. Why would one opt for shared hosting if it going to cause these huge security concerns?
  3. I understand that shared hosting is cheap, but there must be a safer alternative to it and cheaper than dedicated hosting?
  4. In case a customer ask me to develop an application that will be hosted on a shared hosting, is there a full proof way to develop a secure application or is it just a recipe for disaster?
Improve this question
2
  • Can you give more detail on the problems the author describes? They all sound solvable with proper configuration, it's hard to say without more detail.
    – Daniel Lubarov
    Commented Aug 21, 2013 at 18:29
  • @Daniel I'll post some summary to each point.
    – Songo
    Commented Aug 21, 2013 at 18:35

3 Answers 3

Reset to default
2

1) Considering the book was published 8 years ago, are they problems still occurring or were they mitigated somehow in the last few years?

File system browsing can be disabled by suitably competent hosting services. I know the couple of shared hosting accounts I still have do not let you browse files outside of your own directory. Also, leaked session data is a non issue - put that in a database where it belongs.

2) Why would one opt for shared hosting if it going to cause these huge security concerns?

Historical context - 8 years ago VPS hosting was just getting ramped up. The two primary options were shared hosting and didicated machines. And obviously dedicated machines were much more expensive than shared hosting. So... a lot of people went with shared hosting.

3) I understand that shared hosting is cheap, but there must be a safer alternative to it and cheaper than dedicated hosting?

No, 8 years ago there really wasnt. Not at that particular price point. VPS hosting now is much cheaper, and thats basically taken over.

4) In case a customer ask me to develop an application that will be hosted on a shared hosting, is there a full proof way to develop a secure application or is it just a recipe for disaster?

No. There is no 'fool proof' way to do this on shared hosting, ... or dedicated hosting. I would, though, recommend VPS hosting over shared hosting. This puts the responsibility on the developer to secure the machine, but also allows the developer to install any needed software and extensions.

Shared hosting can be fine. While there are theoretical problems, consider too that the people setting up the machines are likely much more competent at securing them than your average PHP hack would be. And in all honesty, if there's a security problem, its far, far more likely to be due to a flaw in PHP code than server setup.

Improve this answer
2
  • Actually, the neat thing is that most hosting companies will offer to configure the VPS for you (free or for a small price) with whatever software you need/want. They'll clearly do a better job than the average developer. If you can afford it, a VPS is the way to go.
    – Radu Murzea
    Commented Aug 21, 2013 at 19:04
  • The "modern" form of a VPS is a "cloud" - like EngineYArd, Zend PHP cloud, Google AppEngine or many smaller vendors.
    – johannes
    Commented Aug 24, 2013 at 1:55
0

Partial answer:

2) Because it's the cheapest available option; and for people who either don't know about the risks or don't care because they don't feel anything they have is worth the extra cost to secure it there's no reason not to.

3) Virtual Private Servers (VPS) sit between shared and dedicated hosting in price. What you get is a VM to install your own web/db/etc servers on. At the low end I've seen them for as little as $10/month which is not much more than a cheap shared account. For that price you're getting a very minimal amount of resources on a server with a large number of other VPSes running on it; but the same is true of any low cost shared hosting. At higher prices you can get larger shares of server resources and more support until you're blurring the line between a large VPS and a low end dedicated server (ex atom, celeron, etc).

4) Even a dedicated server isn't full proof in that it could be hacked; but I can't give you any specific advise in hardening a shared account.

Improve this answer
0

Partial answer:

By default, PHP stores session data in /tmp which is writable by all users, so Apache has permission to write session data there. A simple script can allow other users to read, add, modify, or delete sessions.

This is true, but there are workarounds - you can change session.save_path to something in your home directory, or store session data in a database instead.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.