Sentora - General Security Warning
#1
Sentora - General Security Warning
Hello, I would like community input on this matter.


If this is true, I wanted settings to increase security.

We are issuing a general security warning to all users of Sentora to bring attention to the lack of security within their software.

Sentora, a fork of ZPanel, contains numerous high priority security vulnerabilities that could allow any untrusted users to obtain root access with little to no effort. In one case, a highly publicized security vulnerability that was present within ZPanel still exists in Sentora.

The use of this control panel in an untrusted environment is a bad idea and we must strongly discourage such activity at this time. Sentora is NOT ready for production use in the 'real world' and continued use will put you at risk of being compromised.

We're seeing Sentora be recommended more frequently on various forums; Please stop that until further notice. Normally we do not issue a general security warning, but due to the continued recommendations and lack of knowledge by the developer(s), we simply cannot allow such insecure software to plague the hosting community.

Source: http://www.webhostingtalk.com/showthread.php?p=9399137
#2
RE: Sentora - General Security Warning
Seriously?
This all over again?
You know there is a search option on every forum?

Sentora's development takes way too long, so I'm transitioning to HestiaCP.
#3
RE: Sentora - General Security Warning
The vulnerability mentioned (SQL injection) is no longer in use. (Should be removed or updated, Me.B, if it isn't already?) I do not remember the specifics of the fix for it since it was way back in March. I'll look into it.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
#4
RE: Sentora - General Security Warning
CGI is not enabled, so besides escalation using zsudo (if you gain access to panel root!), I don't see any issue.

Watch the patches in Sentora: we disabled CGI completely so you can't use it for directory traversal. I discussed with them and they only raised that issue.

I will be happy, with all team members, to fix issues we know, and the above is a simple copy and paste; what's new there?
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
#5
RE: Sentora - General Security Warning
That's what I thought, wanted to confirm. Thanks, Me.B.

As I get time I'll update that file to prepared statements so no worries down the road if we use that file again.
-TGates - Project Council
#6
RE: Sentora - General Security Warning
And zsudo will be wiped out soon from sentora... that would close all those stories over that.

And we will plan to change the whole security model.

M B
#7
RE: Sentora - General Security Warning
Is zsudo removed now or is it still in use?
(08-29-2015, 09:26 AM)Me.B Wrote: And zsudo will be wiped out soon from sentora... that would close all those stories over that.

And we will plan to change the whole security model.

M B
#8
RE: Sentora - General Security Warning
(12-21-2015, 08:42 AM)iTpain Wrote: is zsudo removed now or is still in use
(08-29-2015, 09:26 AM)Me.B Wrote: And zsudo will be wiped out soon from sentora... that would close all those stories over that.

And we will plan to change the whole security model.

M B

Still in use.
Still safe to use though.
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

Graphic and Web Design. Development.
www.vanguardly.com
#9
RE: Sentora - General Security Warning
(12-22-2015, 02:34 AM)apinto Wrote:
(12-21-2015, 08:42 AM)iTpain Wrote: is zsudo removed now or is still in use
(08-29-2015, 09:26 AM)Me.B Wrote: And zsudo will be wiped out soon from sentora... that would close all those stories over that.

And we will plan to change the whole security model.

M B

Still in use.
Still safe to use though.

Until it is done, a half measure is to chown your Sentora directories down to the apache user and chmod them to 770, so Sentora can still read and write all the config files but random system users cannot zsudo themselves up to root or read the /etc/sentora config files and obtain plain-text passwords.

Going to break some services
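A way to verify the chown/chmod 770 half measure from post #9 once it has been applied. This is an added example, not part of the thread and not Sentora's own code; the function names are made up here, and the directory and web-server user name passed in are assumptions that depend on the install.

```shell
#!/bin/sh
# Added example: audit a tree for the "owned by the web server user,
# mode 770" layout suggested in the thread. Function names are
# hypothetical; the directory and user are supplied by the operator.

# Print every non-symlink path under $1 that "other" users can read,
# write, or execute/traverse (any of the low three mode bits set).
other_accessible() {
    find "$1" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Print every path under $1 that is not owned by user $2
# ($2 may be a user name or a numeric uid).
wrong_owner() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# Report findings for tree $1 and expected owner $2.
# Returns 0 when nothing is exposed, 1 otherwise.
audit_tree() {
    root=$1; owner=$2; rc=0
    exposed=$(other_accessible "$root")
    foreign=$(wrong_owner "$root" "$owner")
    if [ -n "$exposed" ]; then
        printf 'accessible to other users:\n%s\n' "$exposed"
        rc=1
    fi
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$foreign"
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh audit.sh <directory> <web-server-user>
# e.g. the /etc/sentora directory named in the post and whatever
# account the web server runs as on this host (assumption).
if [ "$#" -ge 2 ]; then
    audit_tree "$1" "$2"
fi
```

A non-zero exit means at least one path is still readable by unrelated system users or has drifted to another owner, which is worth re-checking after panel updates rewrite config files.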