This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Security issues after zpanel->sentora upgrade
#1
Security issues after zpanel->sentora upgrade
Hello all,

It's my first post so I might have missed the forum for the thread, sorry for that.

After upgrading from zpanel to sentora 1.0.3 I've noticed the following:

1) /etc/apps/phpsysinfo is now publicly available without the need to login to panel first.
I don't know if it is the right way (please advise) but I've added this:
Code:
session_start();
if (!isset($_SESSION['zpuid'])) {
   echo "<h1>Unauthorised request!</h1><p>You must be logged in before you are able to view PHP configuration on this server.</p>";
exit;
}
into: /etc/sentora/panel/etc/apps/phpsysinfo/index.php

* I've added the same code to the phpmyadmins index.php too so it wouldn't be accessible for brute force attacks to the world wide web.

2) all the sentora dirs under /etc/sentora are accessible to any linux user, they can grep passwords from them, delete the files or modify them to include custom code.
Will sentora break if I change permissions to this folders ?
 


Thanks,
Vedran
Reply
Thanks given by:
#2
RE: Security issues after zpanel->sentora upgrade
Hi,

1) Is known and I submitted a patch a few days ago. It seems it was incorrectly updated last time and did not include the above code. That is the correct code and it should be added to the top of phpSysInfo's index.php and xml.php.

2) It is assumed the server is only accessible by admin and does not include other SSH users. Changing permissions is unsupported (may or may not work). Obviously this isn't ideal but it is how ZPanel was designed to be easily cross-platform.
Before posting, update your profile with your OS, Sentora version and server type!

Reply
Thanks given by:
#3
RE: Security issues after zpanel->sentora upgrade
If you want any user without logging access phpmyadmin.

Then create a subdomain for phpmyadmin and put the files there. ( notice sentora won't update it any more ).

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by: Vedran B
#4
RE: Security issues after zpanel->sentora upgrade
(01-11-2016, 11:50 PM)Me.B Wrote: If you want any user without logging access phpmyadmin.

Then create a subdomain for phpmyadmin and put the files there. ( notice sentora won't update it any more ).

M B

Hi Me.B,

Thanks for the tip, but i acctually wanted to strengthen the security some more.
I have to correct myself, the code i wrote about in my post and added to phpmyadmins php file will not work properly.

A better way I found for restricting the access is adding the following code to the: /etc/sentora/panel/etc/apps/phpmyadmin/index.php
Code:
$ref = $_SERVER['HTTP_REFERER'];
if($ref !== 'http://panel-url-of-yoursite.com/?module=phpmyadmin')
 die("<h1>Unauthorised request!</h1><p>You must be logged in before you are able to view this page.</p>");
Reply
Thanks given by:
#5
RE: Security issues after zpanel->sentora upgrade
HTTP_REFERER can be easily forged.

You should instead use a .htaccess to restrict access only on http://panel-url-of-yoursite.com and you can add a check if user authentificated in phpmyadmin header as your code mainly check if the refer link is module that's all while session authentificated or not.

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Is Sentora dead? rajeevrrs 2 3 ,971 12-17-2022, 09:20 AM
Last Post: TGates
Sentora debug and error files johnnyp 0 1 ,590 10-27-2022, 06:16 PM
Last Post: johnnyp
Transfer Account to another Sentora BenI 1 3 ,334 07-21-2022, 07:19 PM
Last Post: Nigel

Forum Jump:


Users browsing this thread: 3 Guest(s)