Possible H-Sphere Hole

Something for H-Sphere users to keep an eye out for.

It appears that users are able to create a global apache alias by creating a
user named "guest" through the FTP manager in H-Sphere.

When the "guest" user is created as an FTP user, EVERY domain on the server
can be used to access files under the account by adding ~guest to the end of
the domain name.

For example, there is a user named "xxx". This user used H-Sphere to create an FTP user called "guest" and mapped it to a folder called "files" under their home directory:

grep guest /etc/passwd
guest:x:694:546::/hsphere/local/home/xxx/files:/bin/bash

In the /hsphere/local/home/xxx/files directory, I found out that the files were for a fake eBay phishing site. Instead of directly linking to the customer's domain, he used other customers' domains on the server and ended up getting them shut down. Basically, with the guest account created the way it was, anydomain.com/~guest would bring up the files in /hsphere/local/home/xxx/files, which happen to be the illegal eBay site.

I have submitted this bug to the H-Sphere development team and hope for a speedy resolution.

- Jayme
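The ~guest behaviour described in the post is how Apache's per-user directory feature (mod_userdir) works: /~name on any virtual host resolves to the home directory of the system account "name", so an account whose home lies inside a customer's tree exposes that tree under every domain on the box. One quick way for an administrator to spot such accounts is to scan the passwd file for a home directory that is a subdirectory of another account's home. The script below is an added example, not code from the original post or from H-Sphere; the passwd lines it scans are constructed for illustration, with the guest entry copied from the post.

```shell
#!/bin/sh
# Added example (not from the original post): flag passwd accounts whose home
# directory sits inside another account's home tree. On a host serving /~user
# via Apache's UserDir, such an account exposes part of a customer's files on
# every virtual host. SAMPLE_PASSWD is constructed; the "guest" line mirrors
# the one quoted in the post.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
xxx:x:520:520::/hsphere/local/home/xxx:/bin/bash
yyy:x:521:521::/hsphere/local/home/yyy:/bin/bash
guest:x:694:546::/hsphere/local/home/xxx/files:/bin/bash'

# nested_homes PASSWD_TEXT
# Prints "child_user parent_user child_home" for every account whose home
# directory is a strict subdirectory of some other account's home directory.
nested_homes() {
    printf '%s\n' "$1" | awk -F: '
        { user[NR] = $1; home[NR] = $6 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = 1; j <= NR; j++) {
                    # Skip self-comparison and "/" (everything is under it).
                    if (i == j || home[j] == "/") continue
                    # Trailing slash prevents /home/xxx matching /home/xxxx.
                    prefix = home[j] "/"
                    if (substr(home[i], 1, length(prefix)) == prefix)
                        print user[i], user[j], home[i]
                }
        }'
}

# Demonstration on the constructed sample: reports the guest -> xxx nesting.
nested_homes "$SAMPLE_PASSWD"
```

On a live host, `nested_homes "$(cat /etc/passwd)"` checks the real account list; any hit deserves a look at who created the account and where its home points. Unless per-user directories are intentionally offered, `UserDir disabled` in the Apache configuration (or `UserDir enabled` restricted to named accounts) removes the ~name path across all virtual hosts regardless of what accounts the control panel creates.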
