I have a paid shared server and figured out that a PHP reverse shell is possible. I moved up a few directories from my home directory and have seen some folders named like domain names. At this time I stopped. I want to tell my hosting company, but I am scared now that they can do something to me. But my data, and also the data of their other users, is in danger of getting compromised. Did I go too far, and should I tell them? Or should I tell them anonymously?

I'm located in Austria.

jimsug

What you describe is nothing malicious. I'm not a lawyer, so I can't say whether it technically runs afoul of laws proscribing "unauthorized access/use of computer systems." Also, it may technically run afoul of the host's terms and conditions.

Again, IANAL, so I can't rule out the sad possibility that you could be in legal trouble for what you did ... assuming that a hosting service that left a vulnerability like that open had the means and interest to review your activity (I leave it to the reader to assess the probability of that). However, as a businessman I think the following facts are salient:

  1. You noticed a security hole.
  2. You did the bare minimum to verify it.
  3. You did absolutely no damage to the computer system, and you did not access any substantial unauthorized data.

If I were you, I'd first check with the host to see if they offer bounties for finding security holes. If they don't, I'd notify them. If you alert them and don't ask for money, make threats, or anything else, you're going as white-hat as you can, and they should be relieved that you aren't attempting to exploit or extort your find. (Heck, they should be so grateful that they should offer you a substantial reward, but again, reality often falls short of such ideals ;)

feetwet