I'm less interested in how vulnerable Bluehost and Dreamhost are (of course they are), and more interested in how good a writeup this is about finding variants of and then weaponizing a handful of vulnerabilities most pros would write off as sev:lo hygiene bugs. The form POST as JSON is particularly cute. This is pretty great.
Here's a quick breakdown:
1. Autogenerating CORS headers based on a regexp that can be tricked into allowing <safe.org>.evil.org.
2. A form POST encoded text/plain that gets interpreted as JSON to bypass CSRF check.
3. Using CORS origin check gaps to do an HTTP downgrade.
4. XSS-ATO by email address changes (this is pretty vanilla).
5. Sending “token[]=” to break PHP CSRF token check through type confusion.
6. Breaking a different CORS generator by smuggling the whitelisted domain into a ?urlparam=safe.org.
7. Setting content-type=text/plain; application/json to fake out browser check for JSON and bypassing CSRF at OVH.
8. Some fiddly and not super interesting CSP bypasses.
These seem to have been "technical" bugs, mostly in the client-server communication of the self-service websites.
But hosting management also has a whole lot of potential for logical errors. I work at a B2B ISP that is also a managed service provider, and every now and then somebody calls for more self-service. I'm not against it, but it's full of landmines.
It starts with such simple things as account creation. We allow accounts with the appropriate roles to be used for several different customers, which means we cannot namespace them by tenant.
We used to give accounts usernames based on the first and last name, but that makes it very easy to leak which other accounts exists (when "John Doe" becomes "johndoe4" instead of just "johndoe", you can infer the existence of other accounts, and thus that other "John Doe"s are among our customer base). We had to change that, which isn't as easy as it sounds for a company that has been doing things a certain way for 25 years.
Potential logic errors and information leaks lurk in all places where you cannot namespace things because they are not fully under your control, which can be IP addresses (big customers bring their own address spaces, and IPv4 address space is too small for generous segmentation), Domains, email addresses, phone numbers and so on.
Are the old hosting companies of the past still sharing the same disk with other users? I remember going cd .. and seeing a bunch of folders in /home from other users. If any one of those users used a chmod incorrectly I would be able to access their shit. It is not super likely for most files but well known files can be a problem. Beyond that, trusted CGI-BIN processes could probably be used to get around security concerns (takes some work). I've been wondering if many of these FTP/SSH/Hosting sites have since moved to docker or some containerization tech.
All this assuming the hacker would use a gift card to get a paid account to start.
I have a shared hosting account with Dreamhost. A while back I went looking for accessible stuff under other user's accounts. It was fairly easy to find both readable and writable directories.
This was a while ago so I don't know if they found a solution. User home directories are private but you can easily guess common paths under them (eg wordpress).
I know of a legacy hosting solution that uses shared disks, but they also use a chroot wrapper for the sftp access to make sure a misuse of chmod doesn't leak data to other customers.
Allowing executable code (CGI, PHP) in such an environment is just a recipe for trouble.
Dreamhost had the best response of all of them (at the bottom of the article).
Anecdotally, I've used Dreamhost for years as a domain host and have had nothing but positive experiences.
Originally I switched to them for being very vocally against SOPA, and they've consistently been on the right side of various Internet legislative issues.
I've been with Dreamhost personally for almost two decades, and as a group my friends have a shared account with them that's far older. Like, old enough that work was done on porting code to _the brand new PHP3_.
They do seem like good people, I have no plan to move my own stuff from Dreamhost and I can't fault their customer service, but I also cannot recommend for stuff beyond vanity domains, fun side projects and so on because they've had so many issues that suggest a lot of stuff is kind of half-arsed. My home Internet service provider is also good hearted, but they've also been very _competent_ which is important, and I just can't honestly say that about Dreamhost.
Three (of many) Examples:
I own a .co.uk domain, and the people who run .co.uk have different requirements for WHOIS and for how domain transfers work. So Dreamhost would present me a generic "Here's how to change WHOIS" page and then it'd mysteriously fail, but actually their backend just didn't work with that entire 2LD, and domain transfer stuff would not work or it'd seem to work but then payment was rejected and the transfer doesn't go through...
I made a DNS change through Dreamhost's control panel, and after a reasonable period of time (maybe an hour?) of Dreamhost's three authoritative DNS servers only one had updated. So I talk to their support. They say I need to wait for it to "propagate" which is bullshit, these are authoritative servers, "propagating" data to the authoritative servers is Dreamhost's problem and if they can't do it in an hour what are they using, carrier pigeons? Then the support person shows me dig results they see locally for those DNS servers which don't match results I see, showing that actually these servers are either split brain or anycast groups, I ask about that, and the tech assures me that no, the answers they see are correct and that answers I see, by literally querying the same IP addresses, must need to "propagate" for a few hours more. After enough prompting they relent and say they'll "check" with someone about the DNS servers. Literally under 60 seconds after going to "check" the results are fixed. Huh, what a "coincidence".
Most hilariously one time they charged me for a year in advance entirely by accident, someone fat fingered a script that takes money from customer accounts. Now, like I said their customer service is good, I got the money refunded together with my costs for the currency difference between when they took the bogus transaction and when it was refunded rounded up. But if I had a $5000 contract that'd have hurt a lot more than it did for a few vanity sites.
I wish they had kept going till they found a web hosting firm that didn't have these issues. Can anyone -- not affiliated with such a firm -- recommend one?
If you are affiliated with such a firm, and you respond anyway, please explain what you do differently.
I'm the founder of https://KubeSail.com (YC S19) - we're building a Cloud Hosting platform for human beings built on the back of Kubernetes. We want to make Kube accessible to ordinary people trying to get work done - but at the same time offer the "right path" for developers who know they want real tools, not black-boxes. We're a deployment platform you'll never outgrow! The idea is to allow even junior developers to build powerful cloud-native apps with zero lock-in from day 1. We're also building a template system to help people share server apps with each other (ie: you can launch a dokuwiki https://kubesail.com/template/erulabs/dokuwiki/ with one click). We have a ton to build and big plans, and have not publicly launched, but please let me know what you think! The site is live and free for GitHub users! We consider ourselves the non-ops Kubernetes tool - or to put it another way, GitHub is to Git as KubeSail is to Kubernetes
We're working really hard on securing multi-tenant Kubernetes clusters and have some tricks up our sleeves from years in the cloud industry, but we have not yet completed any external audits - that said, as the CTO, I take security _extremely seriously_ and consider it my number 1 priority, if that helps! We use tech like containerd, gvisor, eBPF and lots more to secure users containers on our multi-tenant hosting tier.
Factor in that all of these hosts are used primarily for Wordpress hosting(Bluehost is the recommended partner). So, the plausible attack vectors for exploiting these vulnerabilities are plenty via thousands of plugins.
Can attest, having worked at the Bluehost brand as a tier 2 chat support (before they shut down everything and offshored all support to the Indian CEO's family's Indian call center).
The company is a fucking nightmare. ALL EIG brands should be avoided like the plague including Constant Contact, site5, bluehost, hostgator, fastdomains, justhost, hostmonster, ipage, NetFirms, UnifiedLayer, IpowerWeb, PowWeb, ResellerClub, HostNine, HostCentric, Domain.com, Dotster, Verio, AppMachine, Arvixe...etc...
They have horrible security. Hacked sites were the norm not the exception. The techs we had were decent, but when things started off-shoring the off-shore tech's were complete idiots who couldn't figure out how to add space to a VPS...That was in 2015, I'm sure now it's way worse. I left in 2014/2015 to do development full-time, my wife worked there till they shut down their Orem, UT operations.
We had friends who they actually got to move to AZ to work w/ hostgator during the transition, and then fired 3 months later after they didn't need them anymore and AFTER they'd already bought a house in AZ... real pieces of shit there...
The CEO even said 3 weeks before everyone got the notification they were being canned "Don't worry your jobs are all safe, nobody's getting laid off" ...lmao
Would setting samesite cookie values have mitigated Bluehost's problems 1 and 2 in part? Or do CORS requests include cookies for compatibility purposes?
SameSite cookies are never sent on CORS requests (not even when the server explicitly allows CORS requests with credentials [1]).
In other words: yes, it would have mitigated Bluehost's problems. It would also have broken their sites (or otherwise they would not be needing to use CORS requests at all).
I think everyone need to remember CORS is a browser-only protection and anything you expose via CORS protected endpoint in reallity has no protection at all. Try cURL reaching any endpoint protected by CORS and you'll see what I mean.
Also browsers automatic sending cookie enable many of these CSRF, consider JWT.
If you've taken the time to understand things well, you'll do just fine, even with PHP. Otherwise, the quirks of any language/library/tool may catch you out (it's not just a PHP thing).
Lots of people seem to have anticipated these results! So, is it OK now that for low-volume static sites I've just thrown everything on S3? How about adding in lambda and SQS for low-volume almost-static sites? Is it still terrible that I've wasted cents per month on these services?
Thank you for reaching out to Bluehost via our press@ email address; as a brief introduction, I am writing you from Endurance International Group, parent company to Bluehost and several other web hosting services. In regards to your questions for how to best protect your website, one of the best things you can do to invest in your business is to acquire web security, something like Sitelock, to protect you from malware. Below you will find the following: i.) article from Sucuri.net explaining more about website security, and ii.) information to speak to Bluehost representatives more in depth about our partnership with Sitelock and help you set up that addon service, if this is what you wish.
The good news is that these require a successful phishing attack, which is the number one way of getting hacked. Best to never click on any links in email.
I disagree. It's very easy to make such mistakes, often even to miss them in code review. You also cannot simply cover all potential errors in integration tests, because there are infinitely many potential errors you can make.
You need continuous or regular red-teaming or comparable security controls to reliably avoid such things, and you typically only have those at the really big and high-tech companies, or in highly attacked or regulated environments.
- Not performing a task that isn't explicitly committed to in the service description or contract. If something is left unsaid, that it isn't happening.
- Not performing a task that they aren't solely accountable for. If you "share" a responsibility, it is your responsibility.
[+] [-] tptacek|6 years ago|reply
Here's a quick breakdown:
1. Autogenerating CORS headers based on a regexp that can be tricked into allowing <safe.org>.evil.org.
2. A form POST encoded text/plain that gets interpreted as JSON to bypass CSRF check.
3. Using CORS origin check gaps to do an HTTP downgrade.
4. XSS-ATO by email address changes (this is pretty vanilla).
5. Sending “token[]=” to break PHP CSRF token check through type confusion.
6. Breaking a different CORS generator by smuggling the whitelisted domain into a ?urlparam=safe.org.
7. Setting content-type=text/plain; application/json to fake out browser check for JSON and bypassing CSRF at OVH.
8. Some fiddly and not super interesting CSP bypasses.
[+] [-] ncc-erik|6 years ago|reply
It's usually a lot easier to write the PoC with fetch() though.
[+] [-] perlgeek|6 years ago|reply
But hosting management also has a whole lot of potential for logical errors. I work at a B2B ISP that is also a managed service provider, and every now and then somebody calls for more self-service. I'm not against it, but it's full of landmines.
It starts with such simple things as account creation. We allow accounts with the appropriate roles to be used for several different customers, which means we cannot namespace them by tenant.
We used to give accounts usernames based on the first and last name, but that makes it very easy to leak which other accounts exists (when "John Doe" becomes "johndoe4" instead of just "johndoe", you can infer the existence of other accounts, and thus that other "John Doe"s are among our customer base). We had to change that, which isn't as easy as it sounds for a company that has been doing things a certain way for 25 years.
Potential logic errors and information leaks lurk in all places where you cannot namespace things because they are not fully under your control, which can be IP addresses (big customers bring their own address spaces, and IPv4 address space is too small for generous segmentation), Domains, email addresses, phone numbers and so on.
[+] [-] BlueTemplar|6 years ago|reply
[+] [-] rhacker|6 years ago|reply
All this assuming the hacker would use a gift card to get a paid account to start.
[+] [-] ummonk|6 years ago|reply
[+] [-] driverdan|6 years ago|reply
This was a while ago so I don't know if they found a solution. User home directories are private but you can easily guess common paths under them (eg wordpress).
[+] [-] perlgeek|6 years ago|reply
Allowing executable code (CGI, PHP) in such an environment is just a recipe for trouble.
[+] [-] optimiz3|6 years ago|reply
Anecdotally, I've used Dreamhost for years as a domain host and have had nothing but positive experiences.
Originally I switched to them for being very vocally against SOPA, and they've consistently been on the right side of various Internet legislative issues.
[+] [-] tialaramex|6 years ago|reply
They do seem like good people, I have no plan to move my own stuff from Dreamhost and I can't fault their customer service, but I also cannot recommend for stuff beyond vanity domains, fun side projects and so on because they've had so many issues that suggest a lot of stuff is kind of half-arsed. My home Internet service provider is also good hearted, but they've also been very _competent_ which is important, and I just can't honestly say that about Dreamhost.
Three (of many) Examples:
I own a .co.uk domain, and the people who run .co.uk have different requirements for WHOIS and for how domain transfers work. So Dreamhost would present me a generic "Here's how to change WHOIS" page and then it'd mysteriously fail, but actually their backend just didn't work with that entire 2LD, and domain transfer stuff would not work or it'd seem to work but then payment was rejected and the transfer doesn't go through...
I made a DNS change through Dreamhost's control panel, and after a reasonable period of time (maybe an hour?) of Dreamhost's three authoritative DNS servers only one had updated. So I talk to their support. They say I need to wait for it to "propagate" which is bullshit, these are authoritative servers, "propagating" data to the authoritative servers is Dreamhost's problem and if they can't do it in an hour what are they using, carrier pigeons? Then the support person shows me dig results they see locally for those DNS servers which don't match results I see, showing that actually these servers are either split brain or anycast groups, I ask about that, and the tech assures me that no, the answers they see are correct and that answers I see, by literally querying the same IP addresses, must need to "propagate" for a few hours more. After enough prompting they relent and say they'll "check" with someone about the DNS servers. Literally under 60 seconds after going to "check" the results are fixed. Huh, what a "coincidence".
Most hilariously one time they charged me for a year in advance entirely by accident, someone fat fingered a script that takes money from customer accounts. Now, like I said their customer service is good, I got the money refunded together with my costs for the currency difference between when they took the bogus transaction and when it was refunded rounded up. But if I had a $5000 contract that'd have hurt a lot more than it did for a few vanity sites.
[+] [-] omarhaneef|6 years ago|reply
If you are affiliated with such a firm, and you respond anyway, please explain what you do differently.
[+] [-] erulabs|6 years ago|reply
We're working really hard on securing multi-tenant Kubernetes clusters and have some tricks up our sleeves from years in the cloud industry, but we have not yet completed any external audits - that said, as the CTO, I take security _extremely seriously_ and consider it my number 1 priority, if that helps! We use tech like containerd, gvisor, eBPF and lots more to secure users containers on our multi-tenant hosting tier.
[+] [-] bhhaskin|6 years ago|reply
Not affiliated, but worked with some high profile sites on there.
[+] [-] judge2020|6 years ago|reply
[+] [-] sneak|6 years ago|reply
[+] [-] Abishek_Muthian|6 years ago|reply
[+] [-] ghostbrainalpha|6 years ago|reply
"Endurance, who runs Bluehost, iPage, and HostGator:"
[+] [-] gremlinsinc|6 years ago|reply
The company is a fucking nightmare. ALL EIG brands should be avoided like the plague including Constant Contact, site5, bluehost, hostgator, fastdomains, justhost, hostmonster, ipage, NetFirms, UnifiedLayer, IpowerWeb, PowWeb, ResellerClub, HostNine, HostCentric, Domain.com, Dotster, Verio, AppMachine, Arvixe...etc...
They have horrible security. Hacked sites were the norm not the exception. The techs we had were decent, but when things started off-shoring the off-shore tech's were complete idiots who couldn't figure out how to add space to a VPS...That was in 2015, I'm sure now it's way worse. I left in 2014/2015 to do development full-time, my wife worked there till they shut down their Orem, UT operations.
We had friends who they actually got to move to AZ to work w/ hostgator during the transition, and then fired 3 months later after they didn't need them anymore and AFTER they'd already bought a house in AZ... real pieces of shit there...
The CEO even said 3 weeks before everyone got the notification they were being canned "Don't worry your jobs are all safe, nobody's getting laid off" ...lmao
[+] [-] judge2020|6 years ago|reply
[+] [-] kilburn|6 years ago|reply
In other words: yes, it would have mitigated Bluehost's problems. It would also have broken their sites (or otherwise they would not be needing to use CORS requests at all).
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Ac...
[+] [-] durbatuluk|6 years ago|reply
Also browsers automatic sending cookie enable many of these CSRF, consider JWT.
Amazing how PHP is still bitting developers.
[+] [-] osrec|6 years ago|reply
[+] [-] kyle-rb|6 years ago|reply
[+] [-] jessaustin|6 years ago|reply
[+] [-] joshdance|6 years ago|reply
[+] [-] joshdance|6 years ago|reply
Hello Joshua,
Thank you for reaching out to Bluehost via our press@ email address; as a brief introduction, I am writing you from Endurance International Group, parent company to Bluehost and several other web hosting services. In regards to your questions for how to best protect your website, one of the best things you can do to invest in your business is to acquire web security, something like Sitelock, to protect you from malware. Below you will find the following: i.) article from Sucuri.net explaining more about website security, and ii.) information to speak to Bluehost representatives more in depth about our partnership with Sitelock and help you set up that addon service, if this is what you wish.
i.) https://sucuri.net/guides/website-security/ ii.) 888-401-4678 | https://helpchat.bluehost.com/
Kind regards,
Jacob Endurance International Group
[+] [-] strictnein|6 years ago|reply
[+] [-] x__x|6 years ago|reply
https://en.wikipedia.org/wiki/Endurance_International_Group
[+] [-] poxrud|6 years ago|reply
[+] [-] marmot777|6 years ago|reply
[+] [-] EricE|6 years ago|reply
[+] [-] perlgeek|6 years ago|reply
I disagree. It's very easy to make such mistakes, often even to miss them in code review. You also cannot simply cover all potential errors in integration tests, because there are infinitely many potential errors you can make.
You need continuous or regular red-teaming or comparable security controls to reliably avoid such things, and you typically only have those at the really big and high-tech companies, or in highly attacked or regulated environments.
[+] [-] Spooky23|6 years ago|reply
Always assume that service providers are:
- Blithering idiots until proven otherwise.
- Not performing a task that isn't explicitly committed to in the service description or contract. If something is left unsaid, that it isn't happening.
- Not performing a task that they aren't solely accountable for. If you "share" a responsibility, it is your responsibility.
[+] [-] rafaelvasco|6 years ago|reply
[+] [-] js4ever|6 years ago|reply
[+] [-] _bxg1|6 years ago|reply