Sentora - General Security Warning ?
#22
RE: Sentora - General Security Warning ?
(03-22-2015, 12:08 AM)ballen Wrote: With regards to the above post and the 'issues' with the inline variables - that was originally intended to automatically update the DB schema based on class properties etc. called from ZPPY during system upgrades of ZPanel - Like in an active record style system, this can be removed now as it's never called and the fact that inline variables are not bound was obviously missed from when Kevin implemented the PDO and prepared statements but is irrelevant anyway given that the code is never executed and the class is now deprecated.

I've got better things to do with my time than get involved in this thread as there have been so many like it in the past - most normal people report the issue to the issue tracker and we get it fixed as soon as we can (the MySQL vulnerability) but thanks for the personal attacks - I really appreciate it! - I'm not sure how you come to the conclusion that I clearly don't have any consideration for security!!!! - The code base is very old, I've learnt new things since I originally wrote most of it and was I even responsible for that code.... hmmmm?? https://github.com/sentora/sentora-core/...users/code

Anyway, I'm not wasting any more of my time here but I've been working on a new version of Sentora that resolves many of the current security concerns and in the past when we hear of vulnerabilities we get them patched ASAP - What some don't realise is that ZPanel/Sentora was originally for Windows only thus not originally designed for Linux permissions etc. the 777 permissions mixed with virtual users and jailing FTP accounts, PHP security hardening was used as a "compromise" - I'm not saying that it's a good idea but the community wanted Linux support so we tried to get it to work with how the panel was currently set up to work whilst still maintaining Windows Support.

Now we've stopped supporting Windows, I've been busy behind the scenes working on a new version that actually implements the *correct* security model for a *NIX only based control panel as we no longer plan to support Windows as a direct decision on security - I've been keeping this development away from the public as it just drains my personal resources when having to reply to various requests, emails etc. etc. so although the current security model is NOT ideal - Yes 777 is BAD but if the server is correctly patched, and no system users exist minus a correctly secured 'root' account as we've always recommended on these forums then seriously for now (until the next version which I'm nearly done on) just how bad is that? - I'm serious, I'd like to know as from my view (as a developer - not a systems administration) I believe we've covered the bases until we've released the next version (actually developed specifically for *NIX).


Maybe it's time for someone else to use so much of their own personal time, ignoring their family and write a panel to replace the current one then, these personal attacks just depress me, get me down and ultimately make me question why I even try to improve a product that I've already spent so many hours on previously and only ever have good intention on...

I'm willing to do a full code re-write for you, it'll take me a bit, on the guarantee it won't be converted back to shit-vulnerable code.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and its affiliates.


Messages In This Thread
Sentora - General Security Warning ? - by Active8 - 03-19-2015, 02:06 AM
RE: Sentora - General Security Warning ? - by KwiceroLTD - 03-23-2015, 04:01 AM
