This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Sentora - General Security Warning
#1
Sentora - General Security Warning
Hello, I would like community input on this matter.


If this is true, I wanted settings for security almentar.

We are issuing a general security warning to all users of Sentora to bring attention to the lack of security within their software.

Sentora, a fork of ZPanel, contains numerous high priority security vulnerabilities that could allow any untrusted users to obtain root access with little to no effort. In one case, a highly publicized security vulnerability that was present within ZPanel still exists in Sentora.

The use of this control panel in an untrusted environment is a bad idea and we must strongly discourage such activity at this time. Sentora is NOT ready for production use in the 'real world' and continued use will put you at risk of being compromised.

We're seeing Sentora be recommended more frequently on various forums; Please stop that until further notice. Normally we do not issue a general security warning, but due to the continued recommendations and lack of knowledge by the developer(s), we simply cannot allow such insecure software to plague the hosting community.

Fonte: http://www.webhostingtalk.com/showthread.php?p=9399137
Reply
Thanks given by:
#2
RE: Sentora - General Security Warning
Seriously?
this all over again?
You know there is an search option on every forum?

My Sentora DemoMy GithubAuxio Github
Zentora themeS-Type themeCstyleX theme
flat-color-iconssmall-n-flat-icons

Sentora's development takes way too long, so i'm transitioning to HestiaCP.
Reply
Thanks given by:
#3
RE: Sentora - General Security Warning
The vulnerability mentioned (SQL injection) is no longer in use. (Should removed or updated, Me.B if it isn't already?) I do not remember the specifics of the fix for it since it was way back in March. I'll look into it.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#4
RE: Sentora - General Security Warning
CGI is not unabled so beside escalation using zsudo (if you gain acess yo panel root!), I don't see any issue.

Whatch the patches in sentora we disabled completly cgi so you can't use it for directory travesrsal. I discussed with them and they only raised that issue.

I will be happy with all team members to fix issues we know and the above is simple copy and paste what's new there?
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by:
#5
RE: Sentora - General Security Warning
That's what I though, wanted to confirm, Thanks Me.B.

As I get time I'll update that file to prepared statements so no worries down the road if we use that file again.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#6
RE: Sentora - General Security Warning
And zsudo will be wiped out soon from sentora... that would close all those stories over that.

And we will plan to change the whole security model.

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by:
#7
RE: Sentora - General Security Warning
is zsudo removed now or is still in use
(08-29-2015, 09:26 AM)Me.B Wrote: And zsudo will be wiped out soon from sentora... that would close all those stories over that.

And we will plan to change the whole security model.

M B
Reply
Thanks given by:
#8
RE: Sentora - General Security Warning
(12-21-2015, 08:42 AM)iTpain Wrote: is zsudo removed now or is still in use
(08-29-2015, 09:26 AM)Me.B Wrote: And zsudo will be wiped out soon from sentora... that would close all those stories over that.

And we will plan to change the whole security model.

M B

Still in use.
Still safe to use thou
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

[Image: vanguardly-logo-micro.png]
Graphic and Web Design. Development.
www.vanguardly.com


Reply
Thanks given by:
#9
RE: Sentora - General Security Warning
(12-22-2015, 02:34 AM)apinto Wrote:
(12-21-2015, 08:42 AM)iTpain Wrote: is zsudo removed now or is still in use
(08-29-2015, 09:26 AM)Me.B Wrote: And zsudo will be wiped out soon from sentora... that would close all those stories over that.

And we will plan to change the whole security model.

M B

Still in use.
Still safe to use thou

Until it is done a half mesure is to chown your sentora directories down to apache user and chmod them to 770 so sentora can still read and write all the config files but random system users cannot zsudo themselfs up to root or read the /etc/sentora config files and obtain plain text passwords.

Going to break some services
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Is Sentora dead? rajeevrrs 2 3 ,971 12-17-2022, 09:20 AM
Last Post: TGates
Sentora debug and error files johnnyp 0 1 ,590 10-27-2022, 06:16 PM
Last Post: johnnyp
Transfer Account to another Sentora BenI 1 3 ,333 07-21-2022, 07:19 PM
Last Post: Nigel

Forum Jump:


Users browsing this thread: 8 Guest(s)