Security issues after zpanel->sentora upgrade
#1
Security issues after zpanel->sentora upgrade
Hello all,

It's my first post so I might have missed the forum for the thread, sorry for that.

After upgrading from zpanel to sentora 1.0.3 I've noticed the following:

1) /etc/apps/phpsysinfo is now publicly available without the need to login to panel first.
I don't know if it is the right way (please advise) but I've added this:
Code:
session_start();
// Sentora stores the logged-in user's id in the session as zpuid; no value means no panel login
if (!isset($_SESSION['zpuid'])) {
    echo "<h1>Unauthorised request!</h1><p>You must be logged in before you are able to view PHP configuration on this server.</p>";
    exit;
}
into: /etc/sentora/panel/etc/apps/phpsysinfo/index.php

* I've added the same code to phpMyAdmin's index.php too so it wouldn't be accessible for brute force attacks from the world wide web.

2) All the Sentora dirs under /etc/sentora are accessible to any Linux user; they can grep passwords from them, delete the files or modify them to include custom code.
Will Sentora break if I change permissions on these folders?
 


Thanks,
Vedran
#2
RE: Security issues after zpanel->sentora upgrade
Hi,

1) Is known and I submitted a patch a few days ago. It seems it was incorrectly updated last time and did not include the above code. That is the correct code and it should be added to the top of phpSysInfo's index.php and xml.php.

2) It is assumed the server is only accessible by admin and does not include other SSH users. Changing permissions is unsupported (may or may not work). Obviously this isn't ideal but it is how ZPanel was designed to be easily cross-platform.
Before posting, update your profile with your OS, Sentora version and server type!

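The permission concern raised in post #1 (item 2) and answered above can at least be measured before anyone decides whether to touch the permissions. The script below is an added example, not Sentora's own code: a read-only audit that walks a directory tree and lists every regular file whose mode bits grant "other" read or write access, which is exactly the exposure a second shell account on the box would have. It changes nothing, so it stays within what this reply calls supported. The invocation `php perm_audit.php /etc/sentora` is an assumption; with no argument it builds a constructed sample tree in a temp directory so the logic can be seen without touching a real install.

```php
<?php
// Added example (not Sentora's code): read-only audit of world-accessible files.
// Assumed usage:  php perm_audit.php /etc/sentora
// With no argument a constructed sample tree is created under the temp dir.

declare(strict_types=1);

/**
 * Walk $root and return one entry per regular file whose mode grants
 * "other" read (0004) or write (0002). Directories are skipped: the point
 * is the content of config files, not directory listings.
 * Returns [[path, octal mode, ['read', 'write']], ...] sorted by path.
 */
function auditWorldAccessible(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $perms  = $file->getPerms() & 0777;
        $grants = [];
        if ($perms & 0004) {
            $grants[] = 'read';
        }
        if ($perms & 0002) {
            $grants[] = 'write';
        }
        if ($grants !== []) {
            $findings[] = [$file->getPathname(), sprintf('%04o', $perms), $grants];
        }
    }
    usort($findings, function ($a, $b) {
        return strcmp($a[0], $b[0]);
    });
    return $findings;
}

/**
 * Constructed sample tree: one owner-only file (not reported), one
 * world-readable file and one world-writable file (both reported).
 */
function makeSampleTree(): string
{
    $root = sys_get_temp_dir() . '/perm_audit_' . bin2hex(random_bytes(4));
    mkdir($root . '/panel/cnf', 0755, true);

    file_put_contents($root . '/panel/cnf/db.php', "<?php // constructed: \$pass = 'dummy';\n");
    chmod($root . '/panel/cnf/db.php', 0600);   // owner only: stays private

    file_put_contents($root . '/panel/index.php', "<?php // constructed\n");
    chmod($root . '/panel/index.php', 0644);    // any local user can read it

    file_put_contents($root . '/panel/hooks.php', "<?php // constructed\n");
    chmod($root . '/panel/hooks.php', 0666);    // any local user can also modify it

    return $root;
}

$root = $argv[1] ?? makeSampleTree();
foreach (auditWorldAccessible($root) as [$path, $mode, $grants]) {
    printf("%s %s other:%s\n", $mode, $path, implode(',', $grants));
}
```

Run it as root (or as the user Sentora's files belong to) so every file can be stat'ed. A line such as `0644 /etc/sentora/panel/cnf/db.php other:read` is the situation post #1 describes: a config file that any shell account can read. Files reported with `other:write` are the ones a local user could alter to include custom code, which is the more serious of the two findings.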
#3
RE: Security issues after zpanel->sentora upgrade
If you want any user to access phpMyAdmin without logging in,

then create a subdomain for phpMyAdmin and put the files there (note that Sentora won't update it any more).

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
Thanks given by: Vedran B
#4
RE: Security issues after zpanel->sentora upgrade
(01-11-2016, 11:50 PM)Me.B Wrote: If you want any user to access phpMyAdmin without logging in,

then create a subdomain for phpMyAdmin and put the files there (note that Sentora won't update it any more).

M B

Hi Me.B,

Thanks for the tip, but I actually wanted to strengthen the security some more.
I have to correct myself: the code I wrote about in my post and added to phpMyAdmin's PHP file will not work properly.

A better way I found for restricting the access is adding the following code to /etc/sentora/panel/etc/apps/phpmyadmin/index.php:
Code:
// Compare the Referer header against the panel's phpMyAdmin module URL (empty when the header is absent)
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($ref !== 'http://panel-url-of-yoursite.com/?module=phpmyadmin') {
    die("<h1>Unauthorised request!</h1><p>You must be logged in before you are able to view this page.</p>");
}
#5
RE: Security issues after zpanel->sentora upgrade
HTTP_REFERER can be easily forged.

You should instead use a .htaccess to restrict access to http://panel-url-of-yoursite.com only, and you can add a check for whether the user is authenticated in phpMyAdmin's header, as your code only checks whether the referer link is the module, regardless of whether the session is authenticated or not.

M B
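To tie the thread together: the session check from post #1 (the key name `zpuid` comes from that post, and post #2 confirms it belongs at the top of phpSysInfo's index.php and xml.php) is the authentication check this reply asks for, and the Referer comparison from post #4 is what it replaces, since any client chooses what it sends in that header. The file below is an added example, not code from the thread nor from Sentora, phpSysInfo or phpMyAdmin. It is one guard file that each entry script includes as its first line, so the check is written once. Assumptions: it lives at /etc/sentora/panel/etc/apps/_auth_guard.php (a hypothetical path); the apps are served under the same host as the panel so the panel's session cookie reaches them; and closing the session right after reading it is enough to let an application that starts its own session (as phpMyAdmin does) do so without a collision, which may or may not be the exact failure post #4 ran into.

```php
<?php
// Added example (not Sentora's, phpSysInfo's or phpMyAdmin's code).
// Assumed location: /etc/sentora/panel/etc/apps/_auth_guard.php
// Include as the FIRST line of phpsysinfo/index.php, phpsysinfo/xml.php and
// phpmyadmin/index.php:   require_once __DIR__ . '/../_auth_guard.php';

declare(strict_types=1);

// Session key Sentora sets on a successful panel login (taken from post #1).
const PANEL_SESSION_KEY = 'zpuid';

/**
 * True when the request carries a logged-in panel session.
 * The session is closed again immediately so that an application which
 * runs its own session (different name, own settings) can start it later
 * without colliding with the one opened here (assumption, see lead-in).
 */
function panelSessionIsAuthenticated(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $loggedIn = isset($_SESSION[PANEL_SESSION_KEY]) && $_SESSION[PANEL_SESSION_KEY] !== '';
    session_write_close();
    return $loggedIn;
}

/**
 * Refuse the request with a real 403 status, not just an HTML message, so
 * the web server log and any monitoring record the refusal. xml.php is
 * fetched by phpSysInfo's front end, so a caller of that script gets a
 * small XML document instead of an HTML page.
 */
function denyRequest(bool $asXml): void
{
    http_response_code(403);
    header('Cache-Control: no-store');
    if ($asXml) {
        header('Content-Type: application/xml; charset=utf-8');
        echo '<?xml version="1.0" encoding="UTF-8"?><error code="403">Unauthorised request</error>';
    } else {
        header('Content-Type: text/html; charset=utf-8');
        echo '<h1>Unauthorised request!</h1>'
           . '<p>You must be logged in before you are able to view this page.</p>';
    }
    exit;
}

/** Entry point: let authenticated requests through, refuse everything else. */
function requirePanelLogin(): void
{
    if (panelSessionIsAuthenticated()) {
        return;
    }
    // The including script's name decides the response format.
    $script = basename($_SERVER['SCRIPT_NAME'] ?? '');
    denyRequest($script === 'xml.php');
}

// Run the check as soon as the file is included, before the app emits anything.
// Skipped on the command line so `php -l` / `php _auth_guard.php` can be used to test the file.
if (PHP_SAPI !== 'cli') {
    requirePanelLogin();
}
```

The guard decides on the server's own session state, which a client cannot set the way it sets a Referer header. The .htaccess restriction recommended in this reply is a separate layer at the web server and is worth keeping alongside it: the PHP check stops unauthenticated requests that reach the scripts, while the web server rule keeps the directory from being reached under other hostnames at all.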

