
Heliohost Security Question


Guest aceadmin

Wow! I saw someone access my file manager from this URL: http://ainonimra.heliohost.org/syahrulridho.php?dir=/home/mynameofmyhostaccount/public_html&do=auto_edit_user

 

"Mynameofmyhostaccount" is the name of my host account

 

Being quite suspicious of this part, /home/mynameofmyhostaccount/public_html

 

Are you sure that this is possible? Because the only thing I think that stopped him was a security plugin on my site.

Link to comment

Guest aceadmin

Of course, I'm not posting my account information on a public discussion. So, I repeat again, "Mynameofmyhostaccount" is a sample username and the question here is if heliohost is quite insecure with users that use heliohost can access others' file managers through theirs:

 

This is a URL I have found from the security plugin that I used (in which some "ainonimra" person tried to hack the site was using): http://ainonimra.heliohost.org/syahrulridho.php?dir=/home/mynameofmyhostaccount/public_html&do=auto_edit_user.

Link to comment

The particular domain you posted is currently suspended for abuse...

 

They can't access your files, but our username list is public (every hosting account has a matching forum account with the same username), and every account has a public_html folder, so assuming /home/youraccount/public_html exists is reasonable.

 

By the way, you are aware our TOS only allows you one account right? I see 18 accounts...can you please explain why you need so many (disk space is not a legitimate reason)?

Link to comment

-

what is the date stamp ( or date and time ) of this alleged access to your file manager ( I assume inside of cPanel ) ??

 

do you have this PHP script [ syahrulridho.php ] in any of your 18 accounts ??

 

if not anyone who tried to access it would have received an [ ERROR 404 ]

###

Link to comment

By the way, you are aware our TOS only allows you one account right? I see 18 accounts...can you please explain why you need so many (disk space is not a legitimate reason)?

I actually see at least 20 accounts. Make sure you suspend alibrary too.

 

Are you sure that this is possible? Because the only thing I think that stopped him was a security plugin on my site.

People can try, but unless you have files in one of your 20 accounts that match the username and group of the person trying to access the file they won't be able to read it. Even if they know the filename like wp-config.php or whatever. Thanks for drawing attention to your blatant disregard for our Terms of Service that state you may only have one account without prior written permission from an admin though.
Link to comment
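
As an added illustration of the ownership-and-mode point in the reply above (not code from HelioHost or from any poster): a Python audit that lists files under a web root that a user who is neither the owner nor in the file's group could open, judged only from POSIX mode bits. The names `other_access`, `SENSITIVE` and the demo tree are assumptions constructed for this example; ACLs and any server-side isolation the host applies are not modelled.

```python
import os
import shutil
import stat
import tempfile

SENSITIVE = ("wp-config.php", ".env", ".htpasswd")  # constructed list of secret-bearing names

def other_access(root):
    # Map relative path -> flags for regular files reachable via the "other" mode bits.
    root = os.path.abspath(root)
    findings = {}
    if not os.stat(root).st_mode & stat.S_IXOTH:
        return findings  # others cannot even traverse into the root
    for dirpath, dirnames, filenames in os.walk(root):
        # Without o+x on a directory nothing beneath it is reachable: prune it.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            flags = {label for label, bit in (("read", stat.S_IROTH), ("write", stat.S_IWOTH))
                     if mode & bit}
            if flags and name in SENSITIVE:
                flags.add("sensitive")
            if flags:
                findings[os.path.relpath(path, root)] = flags
    return findings

def demo():
    """Build a constructed public_html-like tree and audit it."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o711)
    dirs = {"uploads": 0o755, "private": 0o700}
    files = {"index.php": 0o644, "wp-config.php": 0o640, "uploads/a.php": 0o666,
             "uploads/.env": 0o644, "private/wp-config.php": 0o644}
    for d, mode in dirs.items():
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for rel, mode in files.items():
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), mode)
    result = other_access(root)
    shutil.rmtree(root)
    return result

if __name__ == "__main__":
    print({path: sorted(flags) for path, flags in demo().items()})
```

In the demo, `wp-config.php` at mode 640 and everything under the 700 `private` directory are not reported, while the 666 upload and the world-readable `.env` are.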

By the way, you are aware our TOS only allows you one account right? I see 18 accounts...can you please explain why you need so many (disk space is not a legitimate reason)?

To add to this, I noticed that most of these accounts are various domains/subdomains of Freenom domains. If you were unaware, you can have more than one domain on a single account.

 

Also, for reference, here are the Terms of Service: http://wiki.helionet.org/Terms

 

Please let us know the name of the one account you want to keep, or why you think you should be granted multiple accounts by 12PM PDT. If we don't hear from you, all of your accounts will be suspended.

Link to comment

Guest aceadmin

Heliohost in its inoperative unprofessional capacity of not holding a privacy policy, I have not given you permission to publicly release personal-like and relative information about me and my usage of your "heliohost" website publicly without the person's consent (which is me due to Government law of my country) thereof you are instructed to remove the content immediately or be reported to the proper government agency to deal with the violation of privacy (which shall continue to jurisdictional proceedings against Heliohost). All people who read this information have been in the flaw of Heliohost's rendering of a person's private information. If you are wondering where you safely provide or disclose the owner of the information (me, or "AceAdmin") you email it to the person and not release it publicly.

 

You are given a deadline to remove this at a reasonable time with this post (with the limitation of 3 hours) or face privacy violation charges within (and if later on removed after 3 hours shall have to prove in trial [the reason]).

 

Also I wonder if "Heliohost" really is an operative company and not a band of people collecting donations illegally (as required for a non-profit, and not a company).

Link to comment

Care to explain where exactly we released personal information? We don't collect any information besides email address and IP address that could be considered "personal" (and we don't make these two items public). We do not consider usernames to be personal (pretty much no website does), and in fact, during sign up, it informs you that we've created a forum account with the same username, so there should not be any expectation of your usernames being private.

 

You're required to agree to the TOS during sign up (a document which you evidently did not read seeing we're having this discussion). Also, Privacy Policies are not legally required in the USA (though it's good practice to have one). You're the first in our 12 years of operation to have asked about one. Perhaps Krydos has some input on this (he's the one who runs the servers). I've opened an internal discussion into this issue.

 

Your accounts have been disabled at your request. The request may take up to an hour to fully process due to the number of accounts you have.

Link to comment

Guest aceadmin

First of all, let's get a few things straight.

 

1 - I did not agree to your terms of service for all my accounts - it was added very recently.

2 - Your so called terms of service in which an elementary student could've written in a terrible condition of child-like rules contain absolutely no information relative to this topic

3 - Do not attempt to defend how you handle privacy when you don't have a privacy policy

4 - For your low amount of knowledge, you have violated the right of a person's information to be released privately and not publicly rendered as I have clearly expressed my concern of privacy with the statement, "Of course, I'm not posting my account information on a public discussion" yesterday and you have failed to respect my decision of my own privacy

 

Also I wonder if "HelioHost" is any type of registered organization, of which I highly doubt.

 

Lastly, do not think I shall slacken my right to pursue a report upon the violation of my privacy within the deadline.

Link to comment

Heliohost in its inoperative unprofessional capacity of not holding a privacy policy, I have not given you permission to publicly release personal-like and relative information about me and my usage of your "heliohost" website publicly without the person's consent (which is me due to Government law of my country) thereof you are instructed to remove the content immediately or be reported to the proper government agency to deal with the violation of privacy (which shall continue to jurisdictional proceedings against Heliohost). All people who read this information have been in the flaw of Heliohost's rendering of a person's private information. If you are wondering where you safely provide or disclose the owner of the information (me, or "AceAdmin") you email it to the person and not release it publicly.

 

I didn't agree to a terms of use and I understand is recent, so you seem to interpret the need of your "terms of Use" can make you dismiss the privacy violation

 

First of all, let's get a few things straight.

 

1 - I did not agree to your terms of service for all my accounts - it was added very recently.

2 - Your so called terms of service in which an elementary student could've written in a terrible condition of child-like rules contain absolutely no information relative to this topic

3 - Do not attempt to defend how you handle privacy when you don't have a privacy policy

4 - For your low amount of knowledge, you have violated the right of a person's information to be released privately and not publicly rendered as I have clearly expressed my concern of privacy with the statement, "Of course, I'm not posting my account information on a public discussion" yesterday and you have failed to respect my decision of my own privacy

 

 

 

You are given a deadline to remove this at a reasonable time with this post (with the limitation of 3 hours) or face privacy violation charges within (and if later on removed after 3 hours shall have to prove in trial [the reason]).

 

Also I wonder if "Heliohost" really is an operative company and not a band of people collecting donations illegally (as required for a non-profit, and not a company).

1. The TOS has been around since 2011: http://wiki.helionet.org/index.php?title=Terms&action=history and there is a check box you have to check in order for the registration wizard to let you click next. If you happened to somehow register without seeing this, please let us know how so it can be fixed.

2. I've opened an internal discussion on this and am waiting to hear back. You're the first in 12 years to ask for a privacy policy. I sort of agree on the quality of the language in the TOS, however our goal is to make it easy to read as opposed to the "wall of text" legalese that most of these agreements are. There may be room for improvement here.

3. We do take our users' privacy seriously. We don't release the only two potentially identifiable pieces of data we collect (email and IP). Our TOS addresses our handling of your data (that we may inspect or delete it to enforce the TOS, that we don't guarantee you won't lose your data, and that we won't be held responsible for the damages if you do). We allow users to use VPNs to access our services. We provide free SSL encryption for all websites. If you need support privately, PMs are accepted by some of the admins including myself.

4. You are welcome to not use our services. As a service that has hosted 50,000+ users over the past 12 years, you're the first to complain about our support methods or lack of a privacy policy.

 

Also, you say "in your country", what country? We're a legal company in Washington state, USA, and we make every effort to comply with relevant US laws. While our service is on the internet and thus available globally, we cannot guarantee it will meet legal requirements in other countries.

 

I've disabled your hosting accounts per your requests. If you wish, I can hide this topic and remove your forum user accounts as well, however you will not be able to post once I do. Do you want me to do this?

 

In addition, if there is any other data you would like removed, please let us know.

Link to comment

1 - I did not agree to your terms of service for all my accounts

It's not our fault if you didn't read the terms -- we can't force you to read them -- but they were presented to you 20 times, and you did scroll past them and agree to them 20 times before you created your 20 accounts.

 

it was added very recently.

Our terms of service have been largely unchanged since our founding in 2005. Here is a copy from May 2nd 2007 https://web.archive.org/web/20070502192317/heliohost.org/h-terms.html

 

2 - Your so called terms of service in which an elementary student could've written in a terrible condition of child-like rules contain absolutely no information relative to this topic

Ah, this might be the real problem here. You claim our terms could have been written by an elementary school student, but you also imply that you are unable to understand them. Correct me if I'm wrong, but I guess the logical inference we're supposed to make here is that your intellectual capacities are at or below an elementary school level?

 

3 - Do not attempt to defend how you handle privacy when you don't have a privacy policy

We've had a privacy policy, and it hasn't changed at all for far longer than the date of your first account creation. Your history indicates that you don't read much of anything, but if this has changed recently you can find it here http://wiki.helionet.org/Privacy_policy

 

4 - For your low amount of knowledge, you have violated the right of a person's information to be released privately and not publicly rendered as I have clearly expressed my concern of privacy with the statement, "Of course, I'm not posting my account information on a public discussion" yesterday and you have failed to respect my decision of my own privacy

No private information has been released. However, it is well within our rights as is clearly explained in our terms of service and our privacy policy to release your private information since you are clearly in violation of our terms of service.

 

Thanks for your concern. Let us know if you have any other questions and we'll do our best to explain it to you.

Link to comment