Teaser: Vladimir vs Hosting Industry

Being a skilled web server system administrator (sysadmin) is challenging. It requires extensive knowledge of Linux, web servers, networks, clouds, programming languages, platforms, frameworks, and security. Due to the lack of experienced sysadmins, many people rely on web hosts or cloud hosting control panels to manage their servers.

Selecting the right provider is difficult because it’s hard to gauge their expertise. I recently evaluated the security of 10 popular providers and services, including SpinupWP, Enhance.com, GridPane, Cloudways, RunCloud, and similar (I estimate that together they run several hundred thousand websites). For each provider, I set up a clean server and deployed multiple websites on it, simulating a scenario where a web agency manages several client websites on a single server.

My objective was straightforward: perform an unauthorized modification of one site on the server from another controlled site, essentially breaking site isolation.

The results were concerning. I successfully broke site isolation in 11 of 12 cases, despite considering myself only moderately skilled in system administration and security. I used only basic techniques that exploit well-known configuration vulnerabilities. For some services, I even found several methods to achieve my objective.

Providers I tested:

  • Serveravatar – I didn’t find a way to break site isolation (but I was able to bypass some default security measures, and you have to be very careful with some of the features)
  • Enhance.com – fixed instantly
  • InstaWP – fixed
  • Xcloud.host – fixed
  • GridPane – fixed most issues pretty quickly
  • Ploi – investigating for 2 months, a fix is ready
  • Cloudways – not fixed after 3 months
  • RunCloud – investigating for a few weeks, not fixed yet
  • FlyWP – investigating for more than a month, not fixed yet
  • Cloudpanel – will be fixed in the distant future
  • SpinupWP – feature, not a bug
  • Forge – doesn’t care

However, the presence of a vulnerable configuration is only one aspect of the problem. The other, potentially more critical, issue is the provider’s response and its effort to resolve the problem. This is where significant differences among the services emerged.

I must admit that this is the first time in my career that I will likely disclose vulnerabilities that may not yet be patched.

This decision stems from some providers’ lack of awareness of the problems. With Cloudways, I spent three months diligently working to get the issue addressed, without any indication that anyone cared. On the other hand, Enhance.com reacted within a few minutes, immediately understood the seriousness, and fixed the issue in just hours.

I must confess that at first I was motivated to wait patiently by the prospect of a possible high bug bounty in the thousands of dollars. However, even the official bug bounty process seems to be stagnant and may involve additional obligations. Since exploiting the site-isolation weakness requires control over one of the sites on the server (either a compromised site or a malicious client) and cannot be exploited universally, I determined that disclosing the problem would be most beneficial to the users of these and similar services. This approach may raise the priority of the issue and enable other providers to learn from the vulnerability and secure their systems.

On the bright side, I have greatly improved my ability to explain security issues, and the design of my exploits has also advanced significantly. You can see for yourself (without technical details) in the video below.

In the coming days and weeks, I will begin sharing technical details and approaches to resolving the issues, together with my communication with the individual services. Spoiler: even Docker doesn’t automatically guarantee security.

To stay informed about these details, consider subscribing to my blog newsletter.



30 responses to “Teaser: Vladimir vs Hosting Industry”

  1. Anonymous

    FastPanel (fastpanel.direct) is the panel I really like. Could you please check whether they have any security issues?

    Thank you.

  2. tchorlton

    Any chance of looking at Cloudpages.pages? Same team as Server Avatar so I would be interested in seeing the results.

  3. Anonymous

    Could you please provide an example code so that I can try it in my Docker container? If the shell() function is disabled, would your script still be executable?

    1. smitka

      Hi, there are several functions that can call system functions, for example putenv, which is often forgotten. The next part of the series will be out very soon, where I cover this very topic.

  4. Anonymous

    According to FlyWP, they’ve reached out to Vladimir Smitka and asked about a solution. This is posted in the Questions section on the AppSumo product page, as well as in their Roadmap.

    They expect a solution shortly.

    Would be nice to hear some confirmation from Vladimir, attesting to this.

    1. smitka

      Yes, they’ve been in contact with me, but I haven’t found the time to do a thorough check yet. Unfortunately I’ve had to prioritise other projects at the moment over providing free security consultancy…

      1. Anonymous

        Fair enough, but they say it’s now fixed. So it’s probably best to remove/update the allegation of “unfixed” on your site. After all, you threw down the gauntlet.

  5. tyrro

    Great article. I will throw in the following as possible candidates for testing:

    Easypanel.io

    Coolify.io

    Cleavr.io

    Caprover.com

    Thank you.

    1. smitka

      Thanks for the suggestions, I’ll try to explore them in time. I use coolify myself for internal projects, so I’ve already looked at its WP app. There’s a slightly different layout than the services that specialize in WP – coolify simply uses the official WP docker image, where both the webserver and PHP are wrapped in the same container – this means that no port other than 80 is exposed that another docker container could abuse. From a site isolation perspective, this works well. But here I would point out, for example, that with this image the password is passed to the database via environment variables, so if you leave the phpinfo() script accessible on a WP site, the password will leak simply…

  6. WP Weekly 197 – Core Changes – Project Boards, New Bits Concept, Coming in WP 6.6

    […] Hosting Geeks… Vladimir Smitka is testing various hosting services by performing an unauthorized modification on a website in an attempt to break […]

  7. Anonymous

    lol it’s strange to see Gridpane is on the list. They always talk about security and such things.

  8. Lax Min

    FlyWP is running a Lifetime Deal at Appsumo.

    I just asked a question to the founders about the vulnerability (which is okay) and the apparent lack of interest to address it (which is not okay), especially when Smitka had pointed it out, out of altruism.

    The question is queued for moderation. I do not expect the question to be posted.

    Thank you, Vladimir, for this fine work.

    Respect.

  9. Vladimir vs Hosting Industry – Docker & PHP FPM – Vladimir Smitka

    […] the teaser article, I discussed my research on various CloudPanels, where I attempted to bypass the isolation of […]

  10. Anonymous

    This should not work when code freeze is enabled. Essentially all the code is in a repo.

    1. smitka

      If all sites on the server are really like this, it may help. But if one of them allows you to run your own script, it can also infect the one with code freeze, because it will allow you to execute the script on it before it runs and get credentials for example.

  11. Anonymous

    Did they really fix or just say they fixed?

    1. smitka

      Yes, these ones I marked as fixed, I also checked. But I couldn’t verify if the patches were applied retroactively for all customers. But I hope that happened too, or it’s in the process.

  12. Anonymous

    Are those sites owned by same system user?

    1. smitka

      I’ve always used different system users.

  13. Anonymous

    Just be careful about Cloudways. They threatened me with a lawsuit if I published something. Good job 👍

    1. Lax Min

      Well, I am a customer at Cloudways and have been one since their inception.

      As a customer, I will sue DigitalOcean, their parent company, since they have a presence in India, if they try such shenanigans.

      And believe me, the press coverage will be brutal to their reputation.

      Streisand effect is no joke.

  14. Anonymous

    Just to clarify, in the video, are these different sites hosted on the cloud or just shared hosting?

    I’m no expert, but I feel that this is similar to when you have shared hosting, and then one site gets DDoS attacked or just consumes a ton of resources, the other co-hosted sites would feel it too?

    1. Anonymous

      This. This is a critical point that needs clarifying. Were the sites actually set up with unique Linux user accounts (isolated), or was the default user used (not isolated)?

      1. smitka

        Yes, I’ve always used different system users…

  15. Przemysław Zonik

    Hey, thanks for your work. Could you hit WordOps, SlickStack and Sail?

    1. smitka

      I don’t know them, but I’ll try to check them out over the next week. 😉

      1. Anonymous

        What about Pantheon.io?

    2. Anonymous

      WordOps uses one user, www-data:www-data, for all the websites on the server, so it’s pretty easy to get all the websites hacked. NOT SECURE

      1. Anonymous

        SlickStack uses SFTP_USER:www-data for the files. Not sure if it’s relevant though as they only support one WP installation (or Multisite network) per server…

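Several comments above ask whether the tested sites ran under distinct system users (the author answers that they did) and note that panels such as WordOps run every site as www-data. The following POSIX shell script is an added example, not the author’s code or any provider’s tooling, that a server admin could run to audit that per-site separation: it lists the owner of each site’s document root, fails if two docroots share a system user, and fails if a docroot grants any access to “other” users. The base directory /var/www and the one-site-per-subdirectory layout are assumptions chosen for illustration; pass your own base directory as the first argument.

```shell
#!/bin/sh
# Added example, not code from the original post: audit per-site user separation
# on a hosting server. Assumed layout (placeholder, adjust to your panel): every
# site lives in its own document root directly under a base directory such as
# /var/www/<site>, and every site is meant to run as its own system user.

# Print "owner docroot" for each immediate subdirectory of the base directory.
site_owners() {
  base="$1"
  for d in "$base"/*/; do
    [ -d "$d" ] || continue
    # stat -c is GNU coreutils; on BSD/macOS use: stat -f '%Su' "$d"
    printf '%s %s\n' "$(stat -c '%U' "$d")" "$d"
  done
}

# Return 1 if two or more docroots share an owner: the sites are then not
# separated by system user, so code running in one can reach the others' files.
check_distinct_owners() {
  dups=$(site_owners "$1" | awk '{print $1}' | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "FAIL: docroots share system user(s): $dups"
    return 1
  fi
  echo "OK: every docroot has a distinct owner"
  return 0
}

# Return 1 if any docroot grants permissions to "other". Distinct users are
# only useful if the directory mode denies other accounts on the same host
# access to files such as wp-config.php.
check_no_other_access() {
  rc=0
  for d in "$1"/*/; do
    [ -d "$d" ] || continue
    mode=$(stat -c '%a' "$d")            # e.g. 750 or 2750
    other=$(printf '%s' "$mode" | tail -c 1)   # last octal digit = "other"
    if [ "$other" != "0" ]; then
      echo "FAIL: $d has mode $mode (accessible to other users)"
      rc=1
    fi
  done
  if [ "$rc" -eq 0 ]; then
    echo "OK: no docroot is accessible to other users"
  fi
  return "$rc"
}

# Usage: sh isolation_check.sh /var/www
if [ -n "$1" ]; then
  check_distinct_owners "$1"
  check_no_other_access "$1"
fi
```

A passing result only shows that the sites are not lumped together under one account with world-accessible directories. It says nothing about the other channels the post and comments allude to, such as container ports exposed to neighbouring containers, so treat it as a necessary check rather than a sufficient one.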
  16. Anonymous

    Thank you for your efforts.


About Me

My name is Vladimir Smitka and I’m a security researcher/hobbyist from the Czech Republic. I’m also the owner of Lynt, a PPC Agency. I’m also an active member of the Czech WordPress community and one of the WordCamp Prague organizers.

OPEN .GIT GLOBAL SCAN

  • 230 000 000 sites scanned 🔍
  • 390 000 sites affected 😥
  • 100 000 mails sent to the developers 📧
  • 150 000+ sites fixed
  • 100+ positive comments 🗨️
  • 3500+ thank-you mails ❤️
  • Thousands and thousands of sites with another serious issue found 😑

For my research I use affordable Virtual Private Servers from Digital Ocean (they have a great infrastructure), Linode (they have a great understanding of my work) and dedicated servers from Hetzner.

If you like my research, you can make a small donation for coffee and VPS – two basic ingredients for my future security scans.
