Penetration Testing mailing list archives

Re: [PEN-TEST] How to deal with others' security ?


From: Steve <Steve () SECURESOLUTIONS ORG>
Date: Tue, 22 Aug 2000 18:52:08 -0600

My question is simple:
- you have to do a penetration test on a web server.
- you discover that there are virtual hosts on the same box as the web
site you have to check.

I am not sure if I understand what you are saying.  Are you saying that you
are performing penetration testing on a web site that belongs to you but is
hosted on someone else's servers (your ISP?)

I would strongly recommend that you do not do this without coordinating with
your ISP and without their permission.  While I agree that you are
responsible for your web content, once you outsource the hosting to a third
party the security of the hosting servers is their responsibility.

Your best bet would be to contact technical support of the vulnerable server
and inform them of their problems and how they should address them.  If they
are technically unable to perform such tasks, you might want to review who
you are using for web hosting.

In the case of vulnerable CGI scripts, your best bet is to email the
webmasters of each site.  But again, some of this might fall into your
hosting vendor's laps.

If you are truly concerned with the security of your web sites, host your
own on a platform that you have the necessary skills to secure.

