Forum

ahsan · 07-15-2015, 03:09 AM

apinto you're not getting the point here bro.
Don't use perl. Use a PHP Script. It'll do the job for you. Read my replies above your post. I did nothing. Just uploaded the script and an .htaccess file.
An attacker would do that.
P.S You have to secure your system from attackers, not by yourself.

Me.B · (This post was last modified: 07-15-2015, 03:33 AM by Me.B.)

ahsan ( got the PM this morning so now checking and replying).

1. Perl/CGI are not supported and are totally unsecure for use under sentora.
Anything that would require Perl/CGI here won't work as we never install such packages or deploy the config to support them. We even disable all the related modules in apache.

2. SSH access is never provided for any user. We don't support it and don't think we will plan even if we jail each user.

See here:

http://forums.sentora.org/showthread.php?tid=1333

On first 1.0 release we left CGI ( enabled by default ) on centos 6 while on centos 7 and ubuntu 12/14 it's disabled by default. So you can't run any CGI script.

So what root kit you used here? I will be happy to test over this again.

Seem your exploit worked on centos 6.5? Did you test centos 7 install? Which installer did you use exactly? Feel free to PM me the infos if you can too.

What I see is directory traversal using CGI. We mainly disabled CGI so you can't in anyway set a symbolic link for other directories as CGI is not correctly sandboxed in previous releases. This is why we issued a patch that was merged into the installer that will remove all CGI modules from centos 6.5.
M B

ahsan · 07-15-2015, 03:44 AM

(07-15-2015, 03:30 AM)Me.B Wrote: @[ahsan] ( got the PM this morning so now checking and replying).

1. Perl/CGI are not supported and are totally unsecure for use under sentora.
Anything that would require Perl/CGI here won't work as we never install such packages or deploy the config to support them. We even disable all the related modules in apache.

2. SSH access is never provided for any user. We don't support it and don't think we will plan even if we jail each user.

See here:

http://forums.sentora.org/showthread.php?tid=1333

On first 1.0 release we left CGI ( enabled by default ) on centos 6 while on centos 7 and ubuntu 12/14 it's disabled by default. So you can't run any CGI script.

So what root kit you used here? I will be happy to test over this again.

Seem your exploit worked on centos 6.5? Did you test centos 7 install? Which installer did you use exactly? Feel free to PM me the infos if you can too.

What I see is directory traversal using CGI. We mainly disabled CGI so you can't in anyway set a symbolic link for other directories as CGI is not correctly sandboxed in previous releases. This is why we issued a patch that was merged into the installer that will remove all CGI modules from centos 6.5.
M B

Check your PM please

Me.B · 07-15-2015, 08:30 AM

Got it and replied thanks

apinto · 07-16-2015, 01:55 AM

Fixed https://github.com/sentora/sentora-core/issues/189

Me.B · 07-16-2015, 02:42 AM

ok good I need to validate my other side too.

M B

Dave · 07-16-2015, 02:50 AM

Is this how ahsan was able to do the hack in the video because of this module?
I have disabled it in the Admin Module to all users including Admin will that be safe?
I am running AWServer+ZepanelX on windows 7.

apinto · 07-16-2015, 04:45 AM

(07-16-2015, 02:50 AM)Dave Wrote: Is this how ahsan was able to do the hack in the video because of this module?
I have disabled it in the Admin Module to all users including Admin will that be safe?
I am running AWServer+ZepanelX on windows 7.

ahsan was able to hack using a installed perl script (that is disabled by default on sentora, so unless you enabled perl by yourself that hack will not have any effect on your case.

That said, disabling FTP Module was a wise move for now, but the issue was already fixed and a patch should be released very soon.

Ron-e · 07-16-2015, 05:55 AM

(07-16-2015, 04:45 AM)apinto Wrote: ahsan was able to hack using a installed perl script (that is disabled by default on sentora, so unless you enabled perl by yourself that hack will not have any effect on your case.

The windows version from MarkDark (AWServer) has PERL installed (see link and/or quote below), so windows users are possible vulnerable for this hack.

(06-19-2015, 12:57 AM)MarkDark Wrote: As a basic platform for the server, the following components:

Apache v2.2.29
PHP v5.5.26 + PEAR
MySQL v5.5.43
Perl v5.16.3
ImageMagick v6.9.0
FileZilla v0.9.49
hMailServer v5.4.2-B1964
nnCronLie v1.17
BIND v9.9.7
Sendmail for Win v1.0
Webalizer v2.23-04 + GeoIP
nnBackup v3.01

Dave · 07-17-2015, 06:57 PM

(07-16-2015, 05:55 AM)Ron-e Wrote:
(07-16-2015, 04:45 AM)apinto Wrote: ahsan was able to hack using a installed perl script (that is disabled by default on sentora, so unless you enabled perl by yourself that hack will not have any effect on your case.

The windows version from MarkDark (AWServer) has PERL installed (see link and/or quote below), so windows users are possible vulnerable for this hack.

(06-19-2015, 12:57 AM)MarkDark Wrote: As a basic platform for the server, the following components:

Apache v2.2.29
PHP v5.5.26 + PEAR
MySQL v5.5.43
Perl v5.16.3
ImageMagick v6.9.0
FileZilla v0.9.49
hMailServer v5.4.2-B1964
nnCronLie v1.17
BIND v9.9.7
Sendmail for Win v1.0
Webalizer v2.23-04 + GeoIP
nnBackup v3.01

Thats right Ron-e there is Perl v5.16.3 on AWServer on windows. If MarkDark can reply on its security issue?

For the time being i took the folder Perl out of the AWServer folder on Windows 7 so there is no Perl present (the folder at least) i dont now if security wise that be a fast fix for now.

Possibly Related Threads…
Thread	Author	Replies	Views	Last Post
Update redirect to Sentora login to an error page if a sub domain does not exist	TGates	0	1 ,839	01-28-2024, 06:20 AM Last Post: TGates
Need Sentora HELP ?	Alemiz	4	11 ,478	10-26-2018, 04:09 PM Last Post: republicus
Sentora Feedback and Ideas	Xversion	10	29 ,093	10-28-2017, 06:49 AM Last Post: TGates