  1. #1
    Join Date
    Dec 2008
    Posts
    12

    Eukhost security features wasting my time

    I've encountered the following problem in the last 24 hours.

    Code:
    <form enctype="multipart/form-data" method="post" action="test.html">
    	<input type="file" name="fileupload" />
    	<input type="submit" value="Click me to see the problem" />
    </form>
    When I submit this form, I get a 403 error. The problem is the input:file; apparently, attempting to upload a file via a form is a security issue. In order to pinpoint this problem, I wasted an hour of my time because it was in a 90kb PHP script that was working normally until now. I've also had to postpone a meeting/presentation with my client because of this issue.

    So when I contacted support, I got the reply that it's a violation of some mod_security rule and the tech support guy's solution was to disable this rule for test.html file ONLY (the file that I put up to illustrate the problem). I've told him to disable this rule permanently for all domains/files under my account and I'm still waiting for a reply.


    This is not the first time I've wasted my time because of Eukhost security "features". I'm also using around 50 different hosting providers (that host the sites of my clients) and not one of them has such restrictive security settings.

    Security that protects my site by disabling it is worse than useless.

  2. #2
    Join Date
    Sep 2005
    Posts
    6,039


    Hi Vladimir,

    I sincerely apologise for the inconvenience you had due to our mod_security rules. I have requested our CTO and CSA to review the rules and see if we can relax those. Security rules are applied for a reason on shared/reseller hosting servers, and we know how these rules create inconvenience for genuine customers like you.

    Please expect a detailed response from our CTO or CSA here in some time.
    UK Web Hosting || Business Hosting || eUKhost Knowledgebase
    Toll Free : 0808 262 0255 || Skype : mark_ducadi
    A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
    __________________________________________________

    Please email cmo[at]eukhost.com if you have any questions or need my assistance

  3. #3
    Join Date
    Apr 2007
    Posts
    426


    Hi Vladimir,
    We deeply regret the inconvenience caused to you. As you are aware, most hackers upload malicious hacking scripts through file upload forms to compromise the server and websites. Some of these vulnerabilities are easily exploited, and a hacker could gain access to the file system of the server hosting these web applications. Allowing a user to upload files to the website is like opening another door for a malicious user to compromise the server. It is also a great risk to have a vulnerable web application, and the chance that such functionality will be abused by malicious users to gain access to a specific website or to compromise a server is very high.

    To protect against this kind of website or server hacking activity, we integrated and implemented a Secure FTP upload scanner on all of our shared/reseller hosting servers a year ago, which scans a file using different antivirus and malware detection tools, signatures and HEX pattern matches. So when a file is uploaded through the file upload form, the Secure FTP scanner scans the file before copying it to the user's account. If the scanner detects a user uploading malicious files, it will automatically move the file to the trash folder.

    To keep the virus definitions, signatures and HEX pattern matches up to date, we have set it to auto-update mode. Last night the signature pattern was updated on the server automatically, which caused some false positive alerts, and files could not be uploaded through the upload form. Once we noticed this, we disabled the signature and also disabled automatic signature updates on the server.

    We have learned from the mistake and we assure you that it won't happen again.

    I have re-checked the server; everything is working fine now.
    Thanks and Regards,
    Alex Parker
    Senior System Administrator.
    Dedicated Hosting || Semi Dedicated Hosting|Disaster Recovery Solutions

    EMAIL:alex @ eukhost.com
    MSN: alex @ eukhost.com
    SKYPE: euk_alexp
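
Added example, not part of the thread and not eUKhost's scanner: a sketch of the hex-pattern upload scan described in post #3, with a pre-deployment check that tests an auto-updated signature set against known-good and known-bad files so a false-positive signature never goes live. All signature names, patterns and sample files are constructed for illustration.

```python
"""Gate a signature update on known-good/known-bad corpora before it goes live."""

def scan(data: bytes, signatures: dict[str, str]) -> list[str]:
    """Return the names of all hex signatures found in the uploaded bytes."""
    return [name for name, hex_pat in signatures.items()
            if bytes.fromhex(hex_pat) in data]

def handle_upload(data: bytes, signatures: dict[str, str]) -> str:
    """Decide what happens to one upload: 'accept' or 'quarantine'."""
    return "quarantine" if scan(data, signatures) else "accept"

def vet_update(candidate: dict[str, str], known_good: dict[str, bytes],
               known_bad: dict[str, bytes]) -> dict[str, list[str]]:
    """Test a candidate signature set; an empty result means safe to deploy."""
    problems = {}
    for fname, data in known_good.items():
        hits = scan(data, candidate)
        if hits:
            problems[fname] = [f"false positive: {h}" for h in hits]
    for fname, data in known_bad.items():
        if not scan(data, candidate):
            problems[fname] = ["missed detection"]
    return problems

# --- Constructed sample data (not real eUKhost signatures or files) ---
LIVE_SIGS = {"php-eval-b64": b"eval(base64_decode(".hex()}
# Simulated overnight update: adds a pattern that is far too broad.
UPDATED_SIGS = {**LIVE_SIGS, "short-open-tag": b"<?".hex()}

KNOWN_GOOD = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "sitemap.xml": b'<?xml version="1.0"?><urlset></urlset>',
    "notes.txt": b"Meeting moved to Thursday.",
}
# Inert test fixture: contains the pattern but no working payload.
KNOWN_BAD = {"dropper.php": b"<?php eval(base64_decode('PLACEHOLDER')); ?>"}

def deploy_if_safe(live: dict[str, str], candidate: dict[str, str]) -> dict[str, str]:
    """Keep the live set unless the candidate passes both corpora."""
    return live if vet_update(candidate, KNOWN_GOOD, KNOWN_BAD) else candidate

if __name__ == "__main__":
    print(vet_update(UPDATED_SIGS, KNOWN_GOOD, KNOWN_BAD))
    print("update deployed:", deploy_if_safe(LIVE_SIGS, UPDATED_SIGS) is UPDATED_SIGS)
```

The known-good corpus is most useful when it holds real customer file types (CMS uploads, XML, images), since those are the files a bad signature would block.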

  4. #4
    Join Date
    Dec 2008
    Posts
    12


    Thanks, it's fixed now. What bothered me is that I got the impression from the tech support guy that it was now a deliberate security policy to disable file uploads via form, which would be crazy and make any CMS pretty much useless. If it's a temporary glitch then it's well, what can you do...

    I would also have appreciated getting a warning in the email about this issue once you were aware of it, so I didn't spend the time hunting for what's wrong in my code.
