Status: Closed
Assigned To: cbay - Private
Opened by benkemalgeliyorum - 22.04.2025
Last edited by cbay - 22.04.2025
FS#157 - Unauthorized Disclosure of Other Users' Disk Usage
Vulnerability Name:
Information Disclosure – Visibility of Other Tenants’ Disk Usage in Shared Hosting Environment
Category:
Information Disclosure / Multi-Tenant Isolation Failure
Risk Level:
Medium
(While not directly exploitable for privilege escalation, it exposes useful intelligence for targeted attacks and reconnaissance.)
Description:
During the assessment of a shared hosting environment, it was discovered that a tenant is able to retrieve detailed disk usage statistics of other isolated user environments using the df -h command. This command returns mounted paths, storage consumption, and free space of all user directories (e.g., /home/otheruser), which should typically be restricted in a multi-tenant environment.
Example output:
$ df -h | grep /home
http16.paris1:/username 3.4T 2.6T 873G 75% /home/username
http14.paris1:/username 3.4T 494G 3.0T 15% /home/username
http13.paris1:/username 3.4T 2.5T 994G 72% /home/username
...
This visibility allows an unauthorized user to:
Enumerate other tenants or hosted projects
Gain insight into storage usage patterns (e.g., usage-heavy customers, inactive tenants)
Perform targeted social engineering or brute-force attacks
Impact:
Tenant Enumeration: Other users’ directories are exposed.
Reconnaissance Enhancement: Adversaries can prioritize targets based on usage size.
Privacy Violation: Hosting provider may violate customer expectations or compliance agreements.
Shared Resource Leakage: Confirms existence and usage of specific customers or internal projects.
Recommendation:
Filesystem Namespace Isolation
Use Linux namespaces or containerization to ensure per-tenant views of mounted volumes.
Restrict Sensitive Binaries
Limit use of df, mount, or /proc/mounts for non-root users via AppArmor/SELinux or shell restrictions.
Audit Hosting Configuration
Revisit NFS/remote mount policies. Do not globally mount storage pools unless required.
Monitoring & Detection
Log and alert on suspicious usage of commands like df, ls /home, or du by non-privileged users.
References:
Hello,
What you see is not other user's disk usage, it's the server's disk usage. You can see that all mount points on the same server report the same disk usage.
Kind regards,
Cyril
Hi Cyril,
Thanks for the clarification — I do agree with your point that the output reflects server-level disk usage rather than specific usage per user.
However, what I was trying to highlight here is the exposure of usernames (or customer/project names) through the mount points. Even if it's not a direct vulnerability in terms of data access, this kind of information disclosure can still aid attackers in user enumeration and targeted reconnaissance, especially in shared hosting environments.
Ideally, such identifiers should not be exposed to non-privileged users to maintain proper isolation and reduce potential attack surface.
Best regards,
Ben Kemal.
I agree that ideally, account names should not be enumerable. However, due to how our architecture is conceived, that would be quite complicated to achieve.
We explicitly state in our documentation that account names are not private.
Hi Cyril,
Thank you for the clarification. That makes sense — I appreciate the transparency and the explanation regarding the architecture and documentation.
Best regards,
Ben Kemal.
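Parsing df output in the shape quoted in the report, as an added example written for this page (not the reporter's or the provider's code; the server, account and mount names in the sample are constructed): it groups the figures by NFS server to show that every export on a server reports the same pool numbers, which is Cyril's point, and lists the account identifiers that remain readable through the mount sources, which is the point Ben raised.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's `df -h | grep /home` output:
# several NFS exports per server (hypothetical names), plus one local mount.
SAMPLE_DF = """\
http16.paris1:/alice 3.4T 2.6T 873G 75% /home/alice
http16.paris1:/bob   3.4T 2.6T 873G 75% /home/bob
http14.paris1:/carol 3.4T 494G 3.0T 15% /home/carol
http14.paris1:/dave  3.4T 494G 3.0T 15% /home/dave
/dev/sda2            50G   20G   30G 40% /home
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<size>\S+)\s+(?P<used>\S+)\s+(?P<avail>\S+)"
    r"\s+(?P<pct>\d+)%\s+(?P<mnt>\S+)$"
)

def parse_df(text):
    """Parse df -h lines; for NFS sources split 'server:/export' into parts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the header or lines in another shape
        row = m.groupdict()
        row["pct"] = int(row["pct"])
        if ":" in row["src"] and not row["src"].startswith("/"):
            row["server"], row["export"] = row["src"].split(":", 1)
        else:
            row["server"], row["export"] = None, row["src"]
        rows.append(row)
    return rows

def usage_by_server(rows):
    """Map each NFS server to the set of (size, used, avail, pct) its mounts report.
    A single tuple per server means every export shows the server's pool figures,
    not per-tenant usage, which is the maintainer's point in the thread."""
    seen = defaultdict(set)
    for r in rows:
        if r["server"]:
            seen[r["server"]].add((r["size"], r["used"], r["avail"], r["pct"]))
    return dict(seen)

def exposed_exports(rows):
    """Account identifiers a non-privileged user can read from the mount sources."""
    return sorted(r["export"].lstrip("/") for r in rows if r["server"])
```

Running `usage_by_server(parse_df(SAMPLE_DF))` on real output from a shared host is a quick way to confirm whether the figures are per-pool or per-tenant before filing a report like the one above.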