GoDaddy Shared Hosting Review
by General Disarray (G3neral.Disarray@gmail.com)
This is about research that I have done on my own time. This is for educational purposes only, and not for actual use.
Getting Started
Not only did GoDaddy have an XSS security vulnerability on their control panel, GoDaddy has additional server-side weaknesses (and Easter eggs) that could result in a compromise of your website data and functionality.
At the time of this writing, I have a shared hosting account with GoDaddy, because their service was cheap and my website does not host any complex functionality or important data.
For the first couple months, I used the control panel to build my site directly in HTML. Then, I noticed that I had the option of enabling SSH on my account as an included feature!
Other hosting services such as Aplus.net require a copy of your driver's license to allow SSH access to their shared-hosted server.
GoDaddy requires a click of a button. Once I enabled the service and logged into my account, the first command I issued was ls -la -R / > directoryDump.txt, which produced a file over 17 MB in size!
This command allowed me to see the entire directory structure for the server in the areas where I had read permissions. Upon further inspection, I noticed that all shared hosting users are placed into a group (inetuser) and all are assigned to the same chroot'd environment.
By being part of the same group, all the users have access to all shared hosting user FTP/SSH usernames on the server!
My account was given a limited path by default, not including /sbin, but I added that by using: PATH=/sbin/:restOfYourPath
GoDaddy does limit the default tools and programs you can run, such as no SSH use from their server going outbound. So I added a couple of my tools from Ubuntu: ifconfig, Netcat, nano, and some Python and Perl scripts.
Permissions
The permissions for some user directories are interesting.
One thing I noticed is that for each user's directory that I had access to, they had an implementation of Joomla. My guess is the default Joomla settings that the GoDaddy's Control Panel applies upon install makes changes to their directory permissions.
That gives inetuser group members access to their Joomla configuration.php files. If you know something about Joomla, you know that's not good.
Also, each user has access to the chroot'd /etc/shadow file showing the password hash of the user whose permissions protect the mail/spool process for the chroot'd part of the server. In addition, each user can access the /etc/group file that contains administrator usernames for the server.
Network
Running ifconfig helped me discover that the server was dual homed with two public IP addresses on interfaces bond0 and dummy0.
The dummy0 interface is the IP address that all shared hosting website names resolve to.
The bond0 interface is what the server uses for outbound communications, but it also supports inbound SSH/FTP connections.
Localhost has some interesting ports open:
Brute-Force Attack
Having extracted over 7000 usernames from the directory listing file, I decided to see if my user account could be brute-forced. So, I ran the following command with THC Hydra using a dictionary file with my password at about line 200.
After about 200 tries and 90 seconds my password was cracked, confirming that GoDaddy does not lock out users after a reasonable number of attempts. I'm assuming the administrator accounts found in the shadow and group files can be attacked this way also, just over SSH.
Easter Eggs: Go-GoDaddy Proxy!
For those using Linux:
This SSH command forks the process, allows for multiple connections, issues no additional commands to the connection (important), creates a dynamic proxy on 0.0.0.0:7777 of your local computer, and enables you to browse the Internet as the GoDaddy server rather than your ISP assigned external IP address.
For Windows users with PuTTY:
Afterward, all you have to do is install and configure FoxyProxy in Firefox or change your connection settings to use a SOCKS proxy. This works great with proxychains for those that want to research that tool.
Go-GoDaddy Anonymous Email!
"Anonymous" email through an open SMTP server. Using Netcat or Telnet, connect to port 25:
Anyone with SSH access can send anonymous email from the GoDaddy sever.
After more research, I discovered that you can assume any hostname that is being hosted on that server and send email from it without authenticating as that user.
For example, if xyz.com is a domain hosted on the server, then I could send any email from either bob@xyz.com or alice@xyz.com whether or not their account exists with no issues whatsoever. Not only does this have SPAM use written all over it, but one could social engineer their way to more access in people's directories, websites, or wallets.
In Conclusion
GoDaddy provides cheap hosting with significant security vulnerabilities.
I leave it to you the consumer to make the choice of whether you want to host your data using their shared hosting services or look for more secure hosting.
Either way, GoDaddy could easily address these weaknesses to protect its customers data. But will they?