An anonymous reader writes: A few months ago I stumbled across an interesting security hole with my webhost, where I was able to access any file on the server, including other users'. When I called the company they immediately contacted the server team and stated that they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames of the server, this was rather a large security breach. To their credit, they did patch the server, not 100% of the way but close enough that moving to a new web host was moved down the 'list' a little.
Jump ahead to this week: they experienced a server issue, and we requested being moved to a different server. First thing I did was run my test script, and I was able to list out everyone's files again. They only applied the patch to the old server. We are now moving off from this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue, along with about 10 mins of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account.
What's the best way to handle this type of situation?