Hello, I have set up accounts on several well-known SHARED hosting platforms for low-traffic installations of well-known PHP-based software packages. I need to keep costs down because I am helping a non-profit organization with very tight budgets, especially in terms of long-term expenses.
On ALL of these shared hosting setups, the applications get HACKED in a matter of days or weeks - pretty much as soon as hackers find about the website.
I investigated the causes and found THE MAIN CAUSE: LSPHPs on ALL these platform run under the document root owner, effectively giving LSPHP 777 permissions. A simple upload PHP script can upload files ANYWHERE, not only inside UPLOAD folder, but also anywhere inside PUBLIC_HTML and also ABOVE PUBLIC_HTML - into the document root, FTP folder, etc. Everywhere!!
The most shocking part is that LS manual specifies that this is a correct setup by design. So once the hackers inject their code on the website, which LSPHP with its 777 permissions will gladly write anywhere under the document root, the hackers effectively own the entire document root.
The greatest mystery to me is how in the world this became even possible in 2023...
On ALL of these shared hosting setups, the applications get HACKED in a matter of days or weeks - pretty much as soon as hackers find about the website.
I investigated the causes and found THE MAIN CAUSE: LSPHPs on ALL these platform run under the document root owner, effectively giving LSPHP 777 permissions. A simple upload PHP script can upload files ANYWHERE, not only inside UPLOAD folder, but also anywhere inside PUBLIC_HTML and also ABOVE PUBLIC_HTML - into the document root, FTP folder, etc. Everywhere!!
The most shocking part is that LS manual specifies that this is a correct setup by design. So once the hackers inject their code on the website, which LSPHP with its 777 permissions will gladly write anywhere under the document root, the hackers effectively own the entire document root.
The greatest mystery to me is how in the world this became even possible in 2023...