

Script Updates




Posted by SPaReK, 11-08-2007, 01:54 PM
Lately we have been receiving a lot of complaints from our users who do not wish to update their scripts. I have been telling those users that they have to keep their scripts up to date if they want to avoid having that script exploited or used to send spam or other malicious intentions. The ramifications of a single user on a server not keeping their script up to date affect all of the users on the server. I am just wondering how other hosting providers handle this. When a client threatens to leave because you don't allow them to run an outdated script, what actions do you take to try and keep the client? Thanks.

Posted by zacharooni, 11-08-2007, 02:20 PM
You don't, unless they pay you much green. Measure the security of his outdated script against the income from your other customers.

Posted by CretaForce, 11-08-2007, 03:12 PM
At least for our customers that use CretaPanel (our own control panel), PHP runs as FastCGI with individual user permissions. So if a customer has outdated scripts then someone can deface only his websites and not the websites linked to other accounts.

Posted by SPaReK, 11-08-2007, 03:37 PM
Thanks for your replies. We also run PHP as CGI, so this does limit what a hacker or malicious user could do, but it doesn't stop that hacker from sending out spam through the account and getting the entire server blacklisted. That's my argument for that. And while it is very, very unlikely that a hacker or malicious user would be able to completely compromise a server through an exploited PHP or CGI script (regardless if PHP is run as CGI or as an Apache module), why even give them a point of entry? I guess I just don't understand why end-users don't see it as a positive if they keep their scripts up-to-date. If I was a website owner, I wouldn't feel very comfortable if my host knowingly allowed me to continue to run an outdated script. Think about how many other accounts the webhost might be allowing this for. I guess I just wondered if I was alone when I took such a strict policy against allowing old and outdated scripts.

Posted by smrtalex, 11-08-2007, 03:44 PM
Just from a curiosity standpoint, how are you monitoring what scripts are being used and what version they are using?

Posted by CretaForce, 11-08-2007, 03:56 PM
Because they don't think that someone will deface their website. Maybe you can offer them script updates as an extra service.

Posted by SPaReK, 11-08-2007, 04:07 PM
At times I have gone through specifically looking for outdated scripts. Like when phpBB had all of their security problems and new versions were being released every week, I had a script written that went looking through all of our servers, looking for the file that contained the script version (this might have been stored in a MySQL database, I can't remember, if it was, then it looked it up in their database) and gave me a list of accounts that were running phpBB and what version. I worked on a comprehensive script version checker, that went through and did the same basic principle, but for a lot of different scripts. Again, the main bottleneck here is that I'm only able to find outdated versions of specific scripts. I never finished this project, but I hope to revisit it sometime. Right now what I am seeing is requests from users who want to be exempted from particular mod_security rules or have mod_security disabled on their account. I compiled mod_security so that users cannot disable it through a .htaccess file. I also use unique IDs for each mod_security rule, this allows me to exempt particular VirtualHosts from particular rules. Lately I have been having users write in with mod_security issues, wanting me to disable mod_security on their website. When I ask what scripts they have installed and what versions, I learn that they are outdated. I'm not inclined to disable mod_security for an account that I know is running an outdated script. Mod_security will offer a blanket layer of protection against a lot of common script exploits, these will sometimes interfere with some scripts' functionality. I don't have a problem disabling mod_security for an account or exempting rules from that account, as long as they are aware that they have to keep their script up-to-date.
I have had a few users complain about mod_security and when I point out that the scripts are outdated, they don't want to update the script because they are afraid it will mess up a lot of things or that it might require some reconfiguration on their website. You might argue that I don't have any way of knowing what other scripts are on the servers that are also outdated. This is true, but those accounts aren't asking to be exempted from mod_security. And also, once I learn that an account does have an outdated script, I don't think it is good administration to just ignore that fact. There may be other outdated scripts on the server, but I know for a fact that this certain script is outdated, I should act on it.
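
A sketch of the kind of multi-application version sweep described in the post above, added here as an example; it is not part of the thread and is not SPaReK's script. It assumes accounts live under `<home_root>/<account>/public_html`, that WordPress keeps `$wp_version` in `wp-includes/version.php` and Joomla 1.0 keeps `$RELEASE`/`$DEV_LEVEL` in `includes/version.php`; the minimum versions and the sample tree are constructed.

```python
import os
import re
import tempfile

SIGNATURES = {  # assumed layouts: marker file under the install root, version regex
    "wordpress": ("wp-includes/version.php",
                  re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
    "joomla": ("includes/version.php", re.compile(
        r"\$RELEASE\s*=\s*'([^']+)'.*?\$DEV_LEVEL\s*=\s*'([^']+)'", re.S)),
}
MINIMUM = {"wordpress": (2, 3, 1), "joomla": (1, 0, 13)}  # constructed policy floors

def parse_version(text):
    """'2.0.11-beta' -> (2, 0, 11), so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def scan(home_root):
    """Yield (account, app, version, outdated) for every install found."""
    for account in sorted(os.listdir(home_root)):
        docroot = os.path.join(home_root, account, "public_html")
        for dirpath, _dirs, _files in os.walk(docroot):  # symlinked dirs not followed
            for app, (marker, rx) in SIGNATURES.items():
                path = os.path.join(dirpath, marker)
                # Skip symlinked marker files: a privileged scan should not read through them.
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                with open(path, errors="replace") as fh:
                    match = rx.search(fh.read(65536))
                if match:
                    version = ".".join(match.groups())
                    yield account, app, version, parse_version(version) < MINIMUM[app]

def demo():
    samples = {  # constructed sample tree, not real customer data
        "alice/public_html/blog/wp-includes/version.php": "<?php $wp_version = '2.0.11';",
        "bob/public_html/wp-includes/version.php": "<?php $wp_version = '2.3.1';",
        "bob/public_html/cms/includes/version.php":
            "<?php class joomlaVersion { var $RELEASE = '1.0'; var $DEV_LEVEL = '12'; }",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return list(scan(root))

if __name__ == "__main__":
    print(demo())
```

As the post notes, a sweep like this only finds the applications it has signatures for, and it misses versions kept in a database rather than a file.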

Posted by SPaReK, 11-08-2007, 05:05 PM
That might not be a bad idea. The only thing is we have nearly 9000 clients and it might be cumbersome if all 9000 clients wanted me to keep their scripts up-to-date. But I suppose that if I really want to keep scripts up-to-date then this should be something to consider. Do any other web hosting providers do this? Thanks for the suggestion.

Posted by CretaForce, 11-08-2007, 05:16 PM
I am not sure if other hosting providers do this. We have some customers that e-mail us about new versions of Joomla or WordPress asking us if we can upgrade their scripts to the latest version. It's very easy to upgrade these scripts, you only have to wget the new version and untar it inside the script folder, so we don't charge them for that. If we start getting more e-mails about script upgrades we may start charging them.

Posted by SPaReK, 11-08-2007, 05:36 PM
How do you account for any customizations that the user might have made to the script or the addons that they added to the script? I guess this is one reason why I always preferred having the user keep their own scripts updated. They should know what is installed on their account. They should know when a new version of that script is released. And they are more aware of what all they have done to get the script in its current state. I still like your suggestion, as it likely provides the best compromise solution. I would just need to lay out some framework and some policies regarding it.

Posted by CretaForce, 11-08-2007, 06:05 PM
So far only people with basic Joomla/WordPress installations ask for upgrades. They haven't changed the script source code. Of course after the upgrade I ask them to check if the site works fine, and I also provide them the backup before the upgrade.


