All Projects

ID Status Summary Opened by
 363 Closed Cross-tenant file disclosure via world-readable shared  ...S_Haque Task Description

Vulnerability Name: Cross-tenant file disclosure via world-readable shared `/tmp` on alwaysdata SSH/web hosts

Severity: High
CVSS 4.0 vector: `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N`
CVSS 4.0 score: ~8.2 (High)
Target: `ssh-<account>.alwaysdata.net` (physical SSH host `ssh1`) and the web-application hosts (`http21`) — kernel `6.18.30-alwaysdata`
Type: CWE-668 (Exposure of Resource to Wrong Sphere) / CWE-732 (Incorrect Permission Assignment) / CWE-200

Description

On alwaysdata's shared hosting infrastructure every customer account on a given physical host shares a single, non-polyinstantiated `/tmp` directory (mode `drwxrwxrwt` / `1777`), while the platform default umask is `022` — so any file a customer writes into `/tmp` is created world-readable (`644`).

Account isolation on these hosts is enforced only by cgroups + per-account Unix UIDs, and SSH is explicitly not chrooted (per alwaysdata's own documentation). As a result, any customer — on any plan, including the free plan — can read any other customer's world-readable files in `/tmp` on the same physical host. This is a cross-tenant confidentiality boundary violation: it lets a low-privileged tenant passively harvest other tenants' source code, configuration, and temporary artifacts.

The condition is confirmed on both the SSH tier (`ssh1`) and the web-application tier (`http21`), indicating it is fleet-wide. (Note: PHP `session.save_path` is per-account, so live sessions are not exposed — which bounds this at High rather than Critical.)

Exposed Endpoints / Affected Components

Host / component Path Mode Issue
SSH host `ssh1` `/tmp` `1777` (shared, not polyinstantiated) other tenants' world-readable files readable
Web host `http21` `/tmp` `1777` (shared) same exposure on the web tier
Platform default umask `022` new `/tmp` files created world-readable (`644`)

Steps to Reproduce

Requires two accounts you control (`A` and `B`, different customers) that land on the same physical host. In this report `A` = `steve-william` (uid 530469), `B` = `test-domain` (uid 530478), both on `ssh1`.

1. Create two free alwaysdata accounts with different emails; enable SSH on each (Remote access → SSH).
2. SSH into account A: `ssh A@ssh-A.alwaysdata.net`.
3. As A, write a file into the shared `/tmp` (created world-readable due to default umask 022):

 `echo "SECRET_OF_A" > /tmp/canary_A.txt`

4. In a second terminal, SSH into account B (a *different* customer): `ssh B@ssh-B.alwaysdata.net`.
5. As B, confirm you are a different UID on the same host: `id; hostname`.
6. As B, read account A's file: `cat /tmp/canary_A.txt` → A's content is returned. 7. Enumerate the real cross-tenant exposure (metadata only): `find /tmp -maxdepth 1 -type f ! -user "$(id -un)" -readable`.

Observed live: as account B, 65 files across 12 other live customer accounts were readable, including source archives (`*.tgz`), a config script (`inject_config.py`), an Omeka DB env file (`omeka_db_env_*`), financial PDFs, and cryptocurrency wallet backups. (No third-party file *content* was read — only names/owners/permissions were enumerated, per program rules.)

Proof of Concept (PoC)

Bash PoC Script, Python PoC Script, and other attachments are attached.

Impact

- Cross-tenant confidentiality breach affecting all customers sharing the same physical host.
- On the affected host (`ssh1`), approximately 882 customer home directories are co-located, allowing tenants to access world-readable temporary files belonging to other customers.
- Sensitive information that may be exposed includes source code, configuration files, temporary application data, and other confidential files.
- If a world-readable `.env` or configuration file contains database credentials, an attacker could use those credentials to access the victim's remotely reachable database (e.g., `mysql-<account>.alwaysdata.net:3306` or `postgresql-<account>.alwaysdata.net:5432`).
- This could lead to unauthorized access to another customer's database and the data stored within it.
- No other customers' files, credentials, or databases were accessed during testing. The impact assessment is based solely on the demonstrated file exposure and the resulting attack path.

Remediation

- Polyinstantiate `/tmp` (and `/var/tmp`) per account — e.g. `pam_namespace` with per-account instances, or a per-account-namespace private `tmpfs` — so each tenant sees an isolated `/tmp`.
- And/or set the platform default umask to `077`.
- Optionally enable `fs.protected_regular=2` and per-account `/tmp` reaping.

Showing tasks 1 - 1 of 1 Page 1 of 1

Available keyboard shortcuts

Tasklist

Task Details

Task Editing