40

The Redis service is available on my hosting, and if I connect it for money, it is available only for me, since Redis runs in a separate Docker container.

But if I turn it off, then Redis can still be used for free, though server-wide. And here I am connecting to the server-wide Redis:

<?php
$redis = new Redis();                 // phpredis client
$redis->connect('127.0.0.1', 6379);   // the server-wide instance; no AUTH is required

And I see there about 300,000 records of other people's sites.

$allKeys = $redis->keys('*');
echo count($allKeys);                 // ~300000
echo $allKeys[10000];                 // a key belonging to some other site
echo $redis->get($allKeys[10000]);    // that site's stored value

And I can change every record! Like this:

$redis->set($allKeys[10000], 0);      // the write succeeds as well

That is, someone uses the server-wide Redis and I believe that the user is not aware of the public availability of their data. He just turned on the "Use Redis" checkbox somewhere in WordPress.

And the question is: is the hosting provider responsible for this? After all, an ordinary user believes that his data is stored only on his server and is available only to him.

The technical support response was: everything is ok.

But I don’t think so, so I ask.

  • 5
    Potentially it's just your own DB being exposed and now being utilized by someone else (such as hosting a covert/malicious site)... I had this happen once when I accidentally left a testing (non-production, no real data/usage) redis server exposed on the internet. Came back in a couple of days to find it full of someone else's data. – Mike Graf Mar 01 '20 at 19:43

2 Answers

25

This hosting provider is responsible for the security breach. Considering OWASP's top ten Web application security risks, this falls under several of them: Broken Authentication, Sensitive Data Exposure, and Broken Access Control.

What your next step is, is up to you. You should inform the hosting provider, and users should be informed by the hosting provider of the possible data breach. This is a very serious security and legal matter, since someone's possibly private data is accessible to other users.

See: https://owasp.org/www-project-top-ten/

Nikola Kirincic
  • 5
    The technical support response was: everything is ok. – Дмитрий Паймуллин Mar 01 '20 at 17:16
  • 15
    @ДмитрийПаймуллин, if you can access some other user's data, then the other user can access your data too. That is not secure, and you should consider using this hosting provider at all. – Nikola Kirincic Mar 01 '20 at 17:17
  • @NikolaKirincic You need to insert a `not` before `consider`. – Erkin Alp Güney Mar 01 '20 at 20:33
  • @NikolaKirincic An important thing to remember here is that if it's not advertised as private (granted, I don't think I would make use of anything like this), but it's functioning as designed and designed as a shared space, that isn't a security violation. – Bruce Burge Mar 01 '20 at 23:26
5

I work in web hosting. This is not correct and means that they have a serious problem on their hands! Ask for a manager or supervisor. If that goes nowhere, MOVE.

From what you described, they have virtual users for Redis users who pay for it. Rather than disabling it for everyone else, they appear to be allowing everyone to access the same shared pool, causing the security breach you've described.
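To make the "shared pool" concrete: the ACL rule set that an instance without requirepass effectively runs (one passwordless user who can reach every key), next to one that gives each paying customer its own user confined to its own key prefix, with a small checker for the key-pattern rules. This is an added example, not code from the question or either answer; the user names, passwords and key names are constructed, and Redis glob matching is approximated with Python's fnmatch.

```python
import fnmatch

# Constructed Redis 6+ ACL rule sets (users.acl syntax). SHARED is what an instance
# with no requirepass and no ACL file effectively runs: one passwordless user, all keys.
SHARED_ACL = ["user default on nopass ~* +@all"]
ISOLATED_ACL = [
    "user default off",                                   # unauthenticated clients get nothing
    "user tenant_a on >a-secret ~tenant_a:* +@all -@dangerous",
    "user tenant_b on >b-secret ~tenant_b:* +@all -@dangerous",
]


def parse_acl(lines):
    """Parse 'user <name> <rule>...' lines into {name: {enabled, nopass, patterns}}."""
    users = {}
    for line in lines:
        parts = line.split()
        if not parts or parts[0] != "user":
            continue
        user = {"enabled": False, "nopass": False, "patterns": []}
        for rule in parts[2:]:
            if rule == "on":
                user["enabled"] = True
            elif rule == "off":
                user["enabled"] = False
            elif rule == "nopass":
                user["nopass"] = True
            elif rule.startswith(">"):
                user["nopass"] = False            # a password was set; its value is not kept
            elif rule in ("allkeys", "~*"):
                user["patterns"].append("*")
            elif rule.startswith("~"):
                user["patterns"].append(rule[1:])
            # command rules (+@all, -@dangerous, ...) are not modelled in this checker
        users[parts[1]] = user
    return users


def key_allowed(users, name, key):
    """True if user `name` may touch `key` (Redis globs approximated with fnmatch)."""
    user = users.get(name)
    if user is None or not user["enabled"]:
        return False
    return any(fnmatch.fnmatchcase(key, pat) for pat in user["patterns"])


def audit(lines):
    """Names of enabled users who need no password and can reach every key."""
    return sorted(n for n, u in parse_acl(lines).items()
                  if u["enabled"] and u["nopass"] and "*" in u["patterns"])
```

With the isolated rule set, a phpredis client authenticates right after connect() with `$redis->auth(['tenant_a', 'a-secret'])` and can only see its own prefix; the `KEYS *` call from the question is also refused, because KEYS is in the @dangerous command category.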