Company
About Lexcore AI Governance Contact
Research
Cortina Zero R&D Hub Benchmarks Whitepaper AHI Framework Organoid Lab Genesis Codex EgoReversal
Products
All Products Naira AI Cortina Shield Deepfake Detection Cortina Naukri Agent NEO
Invest
Investor Relations Capital Allocation Investment Deck
More
Blog Enterprise
← Blog Case Study

Securing a GoDaddy Shared Hosting Stack: Three Critical Patches, Zero Downtime

APR 24, 2026 6 min read By Lexcore AI Team

GoDaddy shared hosting is not built for production AI applications. It's built for WordPress blogs and small business websites. When we deployed Lexcore's public-facing PHP APIs on a GoDaddy shared plan — because it was fast, cheap, and available — we inherited a set of default configurations that we did not fully understand.

Agent 2 found three of them in a single audit pass. Here's the full postmortem.

Vulnerability 1: Open CORS on Upload Endpoint

The Duo upload endpoint (duo/upload.php) had a wildcard CORS header set in .htaccess:

Header set Access-Control-Allow-Origin "*"

This meant any website — including an attacker's domain — could make cross-origin requests to the upload endpoint from a user's browser. Combined with a missing authentication layer, this created a scenario where any user who visited a malicious site while authenticated to Lexcore could have their session used to upload arbitrary files.

The fix: Remove the wildcard header from .htaccess. Move CORS handling into upload.php itself, with an explicit allowlist of permitted origins:

$allowed_origins = [ 'https://lexcoreai.com', 'https://cortinaos.com', 'https://cortinainfinity.com' ]; $origin = $_SERVER['HTTP_ORIGIN'] ?? ''; if (in_array($origin, $allowed_origins)) { header("Access-Control-Allow-Origin: $origin"); header('Vary: Origin'); }

Vulnerability 2: Unauthenticated File Upload

The upload endpoint accepted files with no authentication token. Any HTTP client that knew the endpoint URL could upload a file. The endpoint validated file type by extension — but extension validation is trivially bypassed by renaming files.

Two sub-issues here:

The fix: Add a server-side token using constant-time comparison (to prevent timing attacks):

define('UPLOAD_TOKEN', 'lxduo_f8a2k9m3x7b1n4p6q0r5s2t8u1v3w9y'); $token = $_SERVER['HTTP_X_UPLOAD_TOKEN'] ?? ''; if (!hash_equals(UPLOAD_TOKEN, $token)) { http_response_code(403); exit(json_encode(['error' => 'Forbidden'])); }

Combined with MIME type validation (using finfo_file(), not just the extension) and a comprehensive extension blocklist:

$blocked = ['php','phtml','phar','sh','bash','py','rb','pl','cgi','exe','dll','bat','cmd']; $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); if (in_array($ext, $blocked)) { http_response_code(400); exit(json_encode(['error' => 'File type not permitted'])); }

Vulnerability 3: PHP Execution in Upload Directory

The most dangerous finding: the duo/uploads/ directory had no .htaccess. On GoDaddy's shared hosting, PHP execution is enabled by default in all directories. This means if an attacker succeeded in uploading a PHP file — bypassing the extension check via a double extension or null byte — it would execute directly via the web server.

This is the classic webshell scenario: attacker uploads shell.php, accesses https://lexcoreai.com/duo/uploads/shell.php, and has arbitrary code execution on the server.

The fix: Create duo/uploads/.htaccess with PHP execution disabled:

Options -Indexes -ExecCGI php_flag engine off <FilesMatch "\.(php|phtml|phar|sh|pl|py|cgi|exe)$"> Order Allow,Deny Deny from all </FilesMatch>
This is the defence-in-depth principle: even if every other check fails and an attacker uploads a PHP file, the server won't execute it. The file sits inert on disk and can be cleaned up.

Timeline

2:43am
AUDIT STARTED
3x
VULNS FOUND
4:17am
ALL PATCHES LIVE
0
DOWNTIME

Lessons for GoDaddy Shared Hosting Users

  1. Never rely on .htaccess for CORS — it's too easy to misconfigure. Handle CORS in application code.
  2. Every file upload endpoint needs authentication. A static server-side token is acceptable for internal APIs; rotate it on any suspected exposure.
  3. Always drop a hardened .htaccess in any user-writable directory. Disable indexing, disable PHP execution, block direct access to script files.
  4. Validate uploaded file type with finfo (MIME type sniffing), not just extension. Check extension separately with a comprehensive blocklist.
  5. Run an automated security audit of your upload flow before launch. Not after.

The full patch set is deployed on lexcoreai.com. If you're running a similar PHP stack on shared hosting and want a review, we offer security audits through the enterprise engagement.

← All posts lexcoreai.com →