This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Sentora - General Security Warning ?
#31
RE: Sentora - General Security Warning ?
Once more the ungrateful people get to "hurt" developers motivation...
Open-Source project equals to personal motivation to help the community, if the community bites too much the motivation is gone.
Are there issues you are not happy with? Great, report them and/or fix them, in other words do a constructive feedback and help the project... Do NOT accuse the team or anyone in particular, just don't do it, nobody gets to win anything from that, neither do you.
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

[Image: vanguardly-logo-micro.png]
Graphic and Web Design. Development.
www.vanguardly.com


Reply
Thanks given by:
#32
RE: Sentora - General Security Warning ?
Quote:
(03-23-2015, 11:11 PM)ballen Wrote: How could it possibly fall back into "vulnerable code again" when I've just given my resignation from the project to the rest of the team - As you've seem to imply as with the other "security people", I'm clearly the problem here (and as such, no more the problem).

Good luck!


Hi,

I hope you are playing a prank here... altho you get alot of negative "comments", doesn't mean it's the majority, maybe people (like me), just rarely comes to the forum... Honestly, you and the rest of the team have been doing a good job, and yeah, you could just fix the "bugs" when they are found (if they are reported).

So please, do not lose the motivation, I might not be someone to give you a good thumbs up, but I'm definitely not the only one. Open-Source community is like this, some do give bad feedback, some good feedback.. In the end, every starting project is like this... If you were able to reach it at this point.. why quit it? Cause someone criticized you? How about him doing better then? How about him helping then?

As a Sentora user, I honestly ask you to re-think of your parting with the team. You are valuable, and you are doing this for free, there's no one that has the right to criticize you!

Please, come back Smile
Reply
Thanks given by:
#33
RE: Sentora - General Security Warning ?
I think that the dispute and negative comments are not objective.
I have long been uses as a system for organization hosting the initial level ZPanel.
I will not use this panel in large projects.
But when need the first step for the organization of the company for web-hosting, Zpanel or Sentora are the best choice!
Reply
Thanks given by:
#34
RE: Sentora - General Security Warning ?
Let's be honest... I am sure you've seen the commercial products... they all have security issues and they are trying to fix them... Sentora IS a good panel and I am sure it will become even better.
Reply
Thanks given by:
#35
RE: Sentora - General Security Warning ?
A little history of security in ZPanel and Sentora:

ZPanel 5

When someone used PHP to reset my windows administrator password back in ZPanel 5 I added the use of php suhosin extension to blacklist exec and popen etc commands. This has been implemented at the virtual host level to stop any domains / subdomains using PHP to run commands on the system. The team then implemented the same restrictions on the cronjobs when this was highlighted.

A ZPanel forum member managed to browser the entire contents of my windows server back in ZPanel 5 and left me a text file in the D drive (not somewhere normally accessible through ZPanel). After this I implemented the openbase directory restrictions inside the virtual host settings to stop users of my free hosting service from accessing parts of the system they weren't supposed to. This restriction remains in place today to stop users using PHP to browser other parts of the system.


ZPanel 6

I made sure the above implementations were transferred across and helped with php suhosin on linux.

ZPanel 10.0.0

I introduced the use of PDO and binded variables (base code and example implementation in a module or two). The Sentora team including Bobby and Sam then rewrote the entire application to use the new PDO base class and bound all variables around all the modules and core. If there has been any missed code please report asap to a developer. We can then investigate and make sure to fix active code or remove inactive sections. (https://github.com/zpanel/zpanelx/commit...ad4fc7a5ae, https://github.com/zpanel/zpanelx/commit...985e365aee)

So a shout out to KwiceroLTD - if you find any more sqli issue please let us know!

This was a huge task for the development team and made the overall security of this control panel 100 times better. Also Bobby and Sam both implemented CSRF protection right the way across the application and all modules.

Sentora 1.0.0:

The protected directories module i recently completely rewrote to not use exec any more and eliminated several vulnerabilities, when time allows i'm hoping to continue rewriting each module to be more secure and add additional sanity checks. (https://github.com/zVPS/zvps-zpanelcp-htpasswd)

zsudo ... yes we know about it, has anyone sent a valid pull request to help us out? If so please point me to it. The team are working on a fix for this, most likely it will involve only allowing access to certain commands such as service reloads.

The file permissions do need fixing up, something we will review with an updater.

<hr>

The point of this post really is to say the only aspect of this control panel i have really worked on throughout it's history is the security of the panel:

Postfix default credentials - https://github.com/zpanel/zpanelx/commit...7c7b1d4595
Cronjob blacklist fixed - https://github.com/zpanel/zpanelx/commit...ee937edb4a
System command bind - https://github.com/zpanel/zpanelx/commit...b66501a6a1
Removal of protected directories - https://github.com/zpanel/zpanelx/commit...24be4563cb
Addition of new protected directories - 
Fixed sql query  to use binds - https://github.com/zpanel/zpanelx/commit...730e0ccd8f
Apache reload command - https://github.com/zpanel/zpanelx/commit...f29b0d211d
Implementation of standard class for running commands - https://github.com/zpanel/zpanelx/commit...aacd046cf2
Bind recursion - https://github.com/zpanel/zpanelx/commit...734fca76d1

So please help to secure the panel rather than just bashing the developers, we are actively accepting pull requests, however make sure to keep them small and to target one particular issue at a time. This way they are likely to be accepted quickly without any major reworks of active development.
Reply
Thanks given by:
#36
RE: Sentora - General Security Warning ?
(03-19-2015, 07:47 AM)TGates Wrote: LOL

So, how olds you anyways?

And then; the nail hit the coffin. I've just finished removing Sentora from all of my VPS due to that abbrevition right there, even though I use Sentora for personal uses, I refuse to use a software where their own support staff don't have a clue.

Sorry bobby, but who these people in charge? No disrespect to bobby, he's a smart man but Sentora is going nowhere without him and neither is suhosin, time to cal it a day.


EDIT : Fixed a typo in comments

EDIT 2 Fixed another typo

//
Reply
Thanks given by:
#37
RE: Sentora - General Security Warning ?
I did not read all the reviews in the post, but enough to make my own opinion of the Sentora that I have been having for 2 years.

There is no perfect system and expecting this from something opensource and free is a lot of ingratitude. In return you could report with the corrections or else make donations to the core of Sentora development.

I have great appreciation for Sentora and I look for time to contribute codifications to the community, but even for me that I have appreciation, it is difficult to find time-free.

Yet, Sentora is an essential tool. Thank you community.
Reply
Thanks given by:
#38
RE: Sentora - General Security Warning ?
(03-20-2015, 05:16 AM)KwiceroLTD Wrote: As stated over at LET by a member, Sentora had a chance to change and get rid of bad ZPanel reputation, and instead got it all back again.

First of good post guys, 

1. When you write a new panel you might make the same pitfalls same as before even if it's a different developer. You will use the same permissions, way of coding click here.

2. What to say to all zpanel users? Or current sentora users? Hey guys you know what panel can't be fixed run away and use another panel? No sorry it can be fixed and we will fix it despite all the bad press we could get.

i have same as this,
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Can anyone suggest best Sentora alternative servermaster 1 465 12-22-2023, 10:41 AM
Last Post: TGates
Sentora 2.0 Beta Ron-e 6 12 ,157 01-01-2022, 11:56 AM
Last Post: TGates
Can not access Sentora ThomasMoss 4 6 ,380 01-01-2022, 10:41 AM
Last Post: TGates

Forum Jump:


Users browsing this thread: 2 Guest(s)