I want to point out a security problem with a classic variant of web space hosting. While this issue should be obvious to anyone who knows basic web security, I have never seen it being discussed publicly.
Some server operators allow every user on the system to have a personal web space: users place files in a directory (usually ~/public_html) and those files appear on the host under a URL consisting of a tilde and their username (e.g. https://example.org/~username/). The Apache web server provides this feature in the mod_userdir module. While the concept is rather old, it is still in use, and it is particularly common at universities and Linux distributions.
Browsers isolate web applications from each other with the same-origin policy: scripts from one origin (the combination of scheme, host and port) may not read data from another origin. To put this into a practical example: if you read your emails in a web interface on example.com, then a script running on example.org should not be able to read your mails, change your password or interfere in any other way with the application running on a different host. However, if an attacker can place a script on example.com itself, which is called a Cross Site Scripting or XSS vulnerability, the attacker will be able to do all of that.
The problem with userdir URLs should now be obvious: all userdir URLs on one server run on the same host and port with the same scheme, and thus are in the same origin. The setup has XSS by design.
What does that mean in practice? Assume Bob, who has the username "bob" on example.org, runs a blog at https://example.org/~bob/. User Mallory, who has the username "mallory" on the same host, wants to attack Bob. If Bob is currently logged into his blog and Mallory manages to convince Bob to open her webpage, hosted at https://example.org/~mallory/, at the same time, she can place an attack script there that runs in the same origin as the blog. The attack can be anything from adding another user to the blog to changing Bob's password or reading unpublished content.
This is only a problem if the users on example.org do not trust each other, so the operator of the host might decide that it is not an issue if there is only a small number of trusted users. However, there is another problem: an XSS vulnerability in any of the userdir web pages on the host can be used to attack any other web page on the same host.
So if, for example, Alice runs an outdated web application with a known XSS vulnerability at https://example.org/~alice/ and Bob runs his blog at https://example.org/~bob/, then Mallory can use the vulnerability in Alice's web application to attack Bob, even though Alice herself is trustworthy.
All of this is primarily a problem if people run non-trivial web applications that have accounts and logins. If the web pages are only used to host static content, the issue becomes much less severe, though it is still conceivable, with some limitations, that one user could display another user's webpage in a manipulated way.
So what does that mean? You should probably never use userdir URLs for anything except hosting simple, static content, and preferably not even there if you can avoid it. Even in situations where all users are considered trusted there is an increased risk, as vulnerabilities can cross application boundaries. As for Apache's mod_userdir, I have contacted the Apache developers and they agreed to add a warning to the documentation.
If you want to offer something similar to your users, you should give every user a subdomain, for example https://alice.example.org/, https://bob.example.org/ and so on, so that each user's content lives in its own origin. There is still a caveat with this: unfortunately the same-origin policy does not apply to all web technologies, and notably it does not apply to cookies, which are scoped by domain rather than by origin and can be set for a parent domain so that every subdomain receives them. However, cross-hostname cookie attacks are much less straightforward and there is usually no practical attack scenario, so using subdomains is still the more secure choice.
To avoid these cookie issues for domains that regularly host user content (a well-known example is github.io) there is the Public Suffix List: browsers refuse to set cookies whose Domain attribute is a listed public suffix, so one user's subdomain cannot set a cookie that reaches the others. If you run a service with user subdomains, you should consider adding your domain to the list, which can be done with a pull request.
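As an added illustration (this is not code from the original post), the following Node.js script models the three browser rules the post relies on: the origin comparison that puts /~bob/ and /~mallory/ in one origin but alice.example.org and bob.example.org in different ones, the RFC 6265 domain-matching rule that lets a cookie set with Domain=example.org reach every subdomain, and the public-suffix rule that makes a browser reject such a cookie for a domain on the Public Suffix List. The hostnames, cookie Domain values and the three-entry stand-in for the Public Suffix List are constructed assumptions for the example.

```javascript
// Added example, not part of the original post. Hostnames, cookie domains and
// the tiny PUBLIC_SUFFIXES set below are constructed for illustration.

// Browsers compare scheme, host and port. URL normalises default ports away,
// so "https://example.org:443/" and "https://example.org/" share an origin.
function origin(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// RFC 6265 section 5.1.3 domain matching: the request host either equals the
// cookie domain or ends with "." followed by the cookie domain.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Stand-in for the Public Suffix List (publicsuffix.org). The real list has
// thousands of entries; a browser refuses cookies scoped to any of them.
const PUBLIC_SUFFIXES = new Set(['org', 'io', 'github.io']);

// Given the host that sets a cookie and its Domain attribute (null for a
// host-only cookie), return which of candidateHosts would receive the cookie.
// Returns [] when a browser would reject the cookie outright.
function cookieScope(setterHost, domainAttr, candidateHosts) {
  const setter = setterHost.toLowerCase();
  if (domainAttr === null || domainAttr === undefined || domainAttr === '') {
    // Host-only cookie: delivered to the setting host alone.
    return candidateHosts.filter((h) => h.toLowerCase() === setter);
  }
  const d = domainAttr.toLowerCase().replace(/^\./, '');
  // Rejected if the domain is a public suffix or does not cover the setter.
  if (PUBLIC_SUFFIXES.has(d) || !domainMatches(setter, d)) {
    return [];
  }
  return candidateHosts.filter((h) => domainMatches(h, d));
}

// Walk through the scenarios from the post and return the findings.
function demo() {
  const hosts = ['alice.example.org', 'bob.example.org', 'example.org'];
  return {
    // userdir: Mallory's page and Bob's blog are one origin.
    userdirSharesOrigin: sameOrigin(
      'https://example.org/~mallory/',
      'https://example.org/~bob/'
    ),
    // per-user subdomains: separate origins.
    subdomainsShareOrigin: sameOrigin(
      'https://alice.example.org/',
      'https://bob.example.org/'
    ),
    // cookie caveat: a Domain=example.org cookie set on Alice's subdomain
    // is sent to Bob's subdomain as well.
    parentDomainCookieReaches: cookieScope('alice.example.org', 'example.org', hosts),
    // host-only cookie stays on Alice's subdomain.
    hostOnlyCookieReaches: cookieScope('alice.example.org', null, hosts),
    // on a public suffix (github.io) the same trick is refused.
    publicSuffixCookieReaches: cookieScope('alice.github.io', 'github.io',
      ['alice.github.io', 'bob.github.io']),
  };
}

console.log(demo());
```

The `demo()` output shows the post's argument end to end: the userdir case reports `true` for a shared origin, the subdomain case `false`, and the only remaining cross-user channel is the parent-domain cookie, which the public-suffix rule closes.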