RE: Sentora Poorly managed hosting accounts
07-15-2015, 03:30 AM
(This post was last modified: 07-15-2015, 03:33 AM by Me.B.)
ahsan ( got the PM this morning so now checking and replying).
1. Perl/CGI are not supported and are totally unsecure for use under sentora.
Anything that would require Perl/CGI here won't work as we never install such packages or deploy the config to support them. We even disable all the related modules in apache.
2. SSH access is never provided for any user. We don't support it and don't think we will plan even if we jail each user.
See here:
http://forums.sentora.org/showthread.php?tid=1333
On first 1.0 release we left CGI ( enabled by default ) on centos 6 while on centos 7 and ubuntu 12/14 it's disabled by default. So you can't run any CGI script.
So what root kit you used here? I will be happy to test over this again.
Seem your exploit worked on centos 6.5? Did you test centos 7 install? Which installer did you use exactly? Feel free to PM me the infos if you can too.
What I see is directory traversal using CGI. We mainly disabled CGI so you can't in anyway set a symbolic link for other directories as CGI is not correctly sandboxed in previous releases. This is why we issued a patch that was merged into the installer that will remove all CGI modules from centos 6.5.
M B
1. Perl/CGI are not supported and are totally unsecure for use under sentora.
Anything that would require Perl/CGI here won't work as we never install such packages or deploy the config to support them. We even disable all the related modules in apache.
2. SSH access is never provided for any user. We don't support it and don't think we will plan even if we jail each user.
See here:
http://forums.sentora.org/showthread.php?tid=1333
On first 1.0 release we left CGI ( enabled by default ) on centos 6 while on centos 7 and ubuntu 12/14 it's disabled by default. So you can't run any CGI script.
So what root kit you used here? I will be happy to test over this again.
Seem your exploit worked on centos 6.5? Did you test centos 7 install? Which installer did you use exactly? Feel free to PM me the infos if you can too.
What I see is directory traversal using CGI. We mainly disabled CGI so you can't in anyway set a symbolic link for other directories as CGI is not correctly sandboxed in previous releases. This is why we issued a patch that was merged into the installer that will remove all CGI modules from centos 6.5.
M B
No support using PM (Auto adding to IGNORE list!), use the forum.
How to ask
Freelance AWS Certified Architect & SysOps// DevOps
10$ free to start your VPS
How to ask
Freelance AWS Certified Architect & SysOps// DevOps
10$ free to start your VPS
