Re: how to isolate a virtual hosted website, in order to do a A&P?

From: Josh Richards <jrichard@digitalwest.net>
To: pen-test@securityfocus.com
Date: Mon, 10 Feb 2003 17:21:00 -0800

    * dented-halo@hushmail.com <dented-halo@hushmail.com> [20030210 16:16]:
    >
    > a customer has asked me to take a look at his web page and "poke around";
    > initial investigation shows that it is hosted on a large web hosting
    > company's IP# and is a virtual host off of that IP#.

    Everything after the words "shows that..." is probably the first 50% of
    your security review. If the site is virtually hosted there's only so
    much that it can be secured. Even if your client is quite security
    conscious in all aspects of the code on his individual web site he's
    still got to worry about every other one of the web hosting company's
    customers on that box.

    > Obviously hammering that main web hosting company's box would be a no-no,
    > so how can I focus my security review on that client's specific box?

    That's the problem -- there is no "client specific box" if it is virtually
    hosted. :)

    > they are using apache, not IIS.
    >
    > Any thoughts?

    I think you've already completed over half of your security review for
    this client. :)

    -jr

    -- 
    Josh Richards                   - <jrichard _at_ digitalwest.net>
    Digital West Networks, Inc.     - http://www.digitalwest.net
    San Luis Obispo, CA 93401       - phone://+1-{888,805}-781-9378
                 DWNI - Making Internet Business Better
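The point above, that a virtually hosted site shares its IP and server with the hosting company's other customers, can be confirmed before any review starts. The following probe is an added example, not code from the original post or its author: it sends a GET to the target IP with each candidate hostname in the Host header and groups hostnames by the response they produce. If the server hands back different content depending on Host, it is selecting name-based virtual hosts; if more than one distinct site answers on the IP, other tenants are on the same box. The IP address, hostnames and canned responses used by `simulated_fetch` are constructed for offline demonstration; `http_fetch` is the real network path.

```python
"""Name-based virtual host probe (added example, not from the original post).

Sends GET / to one IP with different Host headers and groups the hostnames
by response fingerprint. A bogus hostname is also probed to learn what the
server's default (catch-all) virtual host serves.
"""
import hashlib
import http.client
from collections import defaultdict


def http_fetch(ip, host, port=80, timeout=5.0):
    """Real fetch: connect to ip and request / with the given Host header.

    Returns (status, server_header, body_bytes).
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-probe"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", ""), resp.read()
    finally:
        conn.close()


def fingerprint(status, server, body):
    """Short, stable fingerprint of a response so hostnames can be grouped."""
    h = hashlib.sha256()
    h.update(str(status).encode())
    h.update(b"\0" + server.encode())
    h.update(b"\0" + body)
    return h.hexdigest()[:16]


def probe_vhosts(ip, hostnames, fetch=http_fetch, probe_host="nonexistent-probe.invalid"):
    """Group hostnames by the response the IP returns for each Host header.

    Returns a dict with:
      groups                  - {fingerprint: [hostnames that produced it]}
      default_fingerprint     - what the catch-all vhost serves for a bogus Host
      responds_to_host_header - content changed with Host: name-based vhosting
      other_sites_on_ip       - more than one distinct site answered: shared box
    """
    groups = defaultdict(list)
    for host in hostnames:
        groups[fingerprint(*fetch(ip, host))].append(host)
    default_fp = fingerprint(*fetch(ip, probe_host))
    return {
        "groups": dict(groups),
        "default_fingerprint": default_fp,
        "responds_to_host_header": any(fp != default_fp for fp in groups),
        "other_sites_on_ip": len(groups) > 1,
    }


# Constructed responses standing in for a shared hosting IP (example data,
# not observed from any real server).
SIMULATED = {
    "www.client.example": (200, "Apache", b"<h1>Client site</h1>"),
    "shop.client.example": (200, "Apache", b"<h1>Client site</h1>"),
    "www.other-tenant.example": (200, "Apache", b"<h1>Another tenant</h1>"),
}
DEFAULT_PAGE = (200, "Apache", b"<h1>Welcome to Example Hosting</h1>")


def simulated_fetch(ip, host, port=80, timeout=5.0):
    """Offline stand-in for http_fetch: unknown hosts get the catch-all page."""
    return SIMULATED.get(host, DEFAULT_PAGE)


if __name__ == "__main__":
    result = probe_vhosts("192.0.2.10", list(SIMULATED), fetch=simulated_fetch)
    for fp, hosts in result["groups"].items():
        print(fp, sorted(hosts))
    print("name-based vhosting:", result["responds_to_host_header"])
    print("other sites on this IP:", result["other_sites_on_ip"])
```

Point `probe_vhosts` at the real IP with `fetch=http_fetch` and a list of hostnames you already know resolve there (the client's, plus any others from reverse lookups or search results) to get the same classification against a live host.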