Current time: 05-16-2012, 12:49 PM

password recovery: is anyone happy?
05-05-2012, 10:50 AM
Post: #41
RE: password recovery: is anyone happy?
(05-05-2012 10:47 AM)jwwicks Wrote:  Oh it gets worse, some of those session files are rw-r--r--, you can head the contents...

Wow, guess what, it's WordPress with a cart session and it's a different user account I use.

I'm no security guru, but
Put that together with domain, user etc... and you have a session hack I'd think.

Jw

That was exactly my point... and before they started forcing home folder permissions, some files were readable by others on your machine if you knew the path. Combine that with the info in the /tmp dir, and the SQL domains, and the fact that some people's usernames are the same as their domain names, or similar... you can put that all together and guess /home/user/domain.com/wordpress/wp-config.php

from there, you take those database details and go to domain.com/dh_phpmyadmin and pwn! you've got the whole database....

anyway...
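The chain described in the post above (world-readable session files in a shared /tmp, a guessable /home/user/domain.com/wordpress layout, and a wp-config.php that other accounts on the box can read) can be checked from the account's own shell. The script below is an added example, not code from the thread or from DreamHost: it assumes a POSIX shell with find, takes the directory layout from the post, and the private session directory name it creates is a hypothetical choice. It also assumes PHP runs as the account user, so tightening these files to 0600 does not break the site; check that before applying it on a real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shared-hosting account for the
# two leaks discussed above, then tighten them.
#   1. PHP session files (sess_*) in a shared tmp dir that are readable by "other"
#   2. wp-config.php files under the home tree that are readable by "other"
# Assumptions: POSIX sh + find; PHP runs as the account user (so 0600 is safe);
# the /home/user/domain.com/wordpress layout is the one quoted in the post;
# the private session directory name is hypothetical.

# List regular files under $1 named like $2 whose mode includes o+r (-perm -004).
find_world_readable() {
    find "$1" -type f -name "$2" -perm -004 2>/dev/null
}

# Number of such files, as a bare integer (handy for cron checks).
count_world_readable() {
    find_world_readable "$1" "$2" | wc -l | tr -d ' '
}

# Remove group/other access from every matching world-readable file.
# A session file or wp-config.php only ever needs to be read by the owning
# account; nothing else on the box has a legitimate reason to open it.
harden_tree() {
    find_world_readable "$1" "$2" | while IFS= read -r f; do
        chmod 0600 "$f"
    done
}

# Create a per-account session directory (mode 0700) so new sessions never land
# in the shared /tmp at all, and print the ini directive that points PHP at it.
# Where that directive lives (php.ini, phprc, .htaccess) depends on the host;
# this function only prints the line, it does not install it.
private_session_dir() {
    mkdir -p "$1" && chmod 0700 "$1" || return 1
    printf 'session.save_path = "%s"\n' "$1"
}

# Report on one account: $1 = home tree, $2 = shared tmp (default /tmp).
audit_account() {
    home=$1; tmp=${2:-/tmp}
    echo "== session files readable by other users in $tmp"
    find_world_readable "$tmp" 'sess_*'
    echo "== wp-config.php files readable by other users under $home"
    find_world_readable "$home" 'wp-config.php'
}

# Run only when given arguments, e.g.:  sh audit.sh /home/user /tmp
if [ "$#" -gt 0 ]; then
    audit_account "$@"
fi
```

Run the audit first and read the list before calling harden_tree; a wp-config.php owned by a different account in the same group (a shared staging setup, for instance) is exactly the kind of file a blanket chmod would break.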
05-05-2012, 10:56 AM
Post: #42
RE: password recovery: is anyone happy?
(05-05-2012 10:45 AM)bobocat Wrote:  Wow, still works for you? I guess they just turned it off for me :P

I don't think they'll get rid of the recoverable SQL passwords because they are stored in plaintext in your account anyway, and there is an automatic door installed where anyone can try to brute-force into your database (add dh_phpmyadmin to any of your domains).

For that reason, SQL passwords/users should be as long and complex as possible.

Yeah, still works... Though if Andrew is paying attention he might kill it for me too :) Still scary.

Yeah I'd have to agree with tomtavoy on this one item. I don't use phpMyAdmin and I should be able to nuke it. If I need MySQL access I enable the IP in the control panel, connect with Eclipse or MySQL Workbench over SSH, get done and remove the IP access.

All my passwords are 15+ characters and auto-generated so I'm with you on that one.

Jw

A person who never made a mistake never tried anything new. - Albert Einstein
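The workflow jwwicks describes above (no phpMyAdmin, a temporary IP allowance in the panel, a desktop client tunnelled over SSH, long auto-generated passwords) can be scripted so the web-exposed door is never used at all. The block below is an added example, not code from the thread or from DreamHost; shell.example.com, mysql.example.com, the user name and the local port 3307 are placeholders, and the 15-character minimum is simply the figure jwwicks gives for his own passwords.

```shell
#!/bin/sh
# Added example (not from the thread). Work with MySQL on a shared host without
# ever touching a web-exposed phpMyAdmin:
#   - generate long random passwords for every SQL user
#   - reach the database only through an SSH tunnel bound to loopback
# Placeholders: shell.example.com (SSH host), mysql.example.com (DB host),
# user (SSH login), 3307 (local tunnel port).

# Print an N-character password (default 32) drawn from [A-Za-z0-9] using the
# kernel CSPRNG. tr -dc discards every byte outside the alphabet rather than
# mapping it, so the output is uniform over 62 symbols: 32 chars ~ 190 bits.
gen_password() {
    n=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$n"
    echo
}

# Succeed (exit 0) when $1 has at least $2 characters (default 15, the figure
# given in the post above); fail otherwise. A length gate is the minimum a
# brute-forceable login such as phpMyAdmin needs.
password_long_enough() {
    [ "${#1}" -ge "${2:-15}" ]
}

# Print the ssh command that forwards a local port to the database host.
# The explicit 127.0.0.1 bind keeps the forwarded port off the LAN even if a
# GatewayPorts=yes setting or a "*:" bind address would otherwise expose it.
tunnel_cmd() {
    local_port=${1:-3307}
    printf 'ssh -N -L 127.0.0.1:%s:mysql.example.com:3306 user@shell.example.com\n' \
        "$local_port"
}

# Connect through an already-running tunnel. --protocol=TCP makes the client
# use the forwarded port instead of a local socket; -p prompts for the password
# so it never appears in argv or shell history.
mysql_via_tunnel() {
    mysql --host=127.0.0.1 --port="${1:-3307}" --protocol=TCP -u "$2" -p "$3"
}

# Typical session (commands, not run here):
#   eval "$(tunnel_cmd 3307) &"      # open the tunnel in the background
#   mysql_via_tunnel 3307 dbuser dbname
#   gen_password 32                  # new credential for a SQL user
```

The panel-side step from the post (allow your IP, work, then remove the allowance) still applies; the tunnel replaces phpMyAdmin as the client path, it does not replace the host restriction on the MySQL account itself.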
05-05-2012, 11:24 AM
Post: #43
RE: password recovery: is anyone happy?
I AM HAPPY, 6 years now, had problems but easily solved.

but then I just got home safe and ... (no police stopped me)

DH is not perfect, but better than most, IF NOT ALL, others for the same price.

Can we PLEASE have some more complaining in this forum.
It makes me so happy.

DH, you rock

OHH, I pay $8.95 a month, but I want service for $895.00 a month (or more)
05-05-2012, 12:02 PM (This post was last modified: 05-05-2012 12:05 PM by jwwicks.)
Post: #44
RE: password recovery: is anyone happy?
(05-05-2012 11:24 AM)ronthai Wrote:  I AM HAPPY, 6 years now, had problems but easily solved.

but then I just got home safe and ... (no police stopped me)

DH is not perfect, but better than most, IF NOT ALL, others for the same price.

Can we PLEASE have some more complaining in this forum.
It makes me so happy.

DH, you rock

OHH, I pay $8.95 a month, but I want service for $895.00 a month (or more)

Not sure where the sarcasm is being directed, probably OP, but I pay way more than $9/mo. 3 DS, 4 VPS and 100+ shared accounts. Just saying...

Who's complaining? Not me. I'm just learning some more security issues with DH shared hosting. Notice I'm still here using DH 'cause I love their support of non-profits, but I'm no "yes sir, can I have another" fanboy either.

Jw

A person who never made a mistake never tried anything new. - Albert Einstein
05-11-2012, 02:11 PM
Post: #45
RE: password recovery: is anyone happy?
(05-05-2012 11:24 AM)ronthai Wrote:  ...

Can we PLEASE have some more complaining in this forum.
It makes me so happy.

...

Ignoring your sarcasm, there is room for improvement in the Dreamhost password recovery mechanism,

for example, by allowing users to pre-configure their own mechanisms

... so that a user who mistrusts channel X can ensure that channel X is not used for password recovery, and another user, who likes channel X, can ensure that channel X is used

(where X equals email, for example, or SMS, or security question).

Still, when this thread began, Dreamhost did not have a leg to stand on (in this area of password recovery). Now they do. There are probably more important things for them to be attending to at present.

~Tom
05-15-2012, 04:07 AM
Post: #46
RE: password recovery: is anyone happy?
(05-11-2012 02:11 PM)tomtavoy Wrote:  ... so that a user who mistrusts channel X can ensure that channel X is not used for password recovery, and another user, who likes channel X, can ensure that channel X is used

(where X equals email, for example, or SMS, or security question).

You can do this yourself. Don't trust your email? Enter an invalid email address.
05-15-2012, 05:41 AM
Post: #47
RE: password recovery: is anyone happy?
Surely you are joking. Entering an invalid email address would mean losing billing renewal info, whois notifications etc etc and would basically destroy the account!

Or are you making some subtle point along the lines of "if you trust email for billing info, then why don't you trust it for password recovery"?

Well I think there are good answers to that question, but as I'm not sure if that is the point you are making, I'll defer consideration for the moment.

~Tom