Forum

Vedran B · 01-11-2016, 04:37 AM

Hello all,

It's my first post so I might have missed the forum for the thread, sorry for that.

After upgrading from zpanel to sentora 1.0.3 I've noticed the following:

1) /etc/apps/phpsysinfo is now publicly available without the need to login to panel first.
I don't know if it is the right way (please advise) but I've added this:

Code:
session_start();

if (!isset($_SESSION['zpuid'])) {

    echo "<h1>Unauthorised request!</h1><p>You must be logged in before you are able to view PHP configuration on this server.</p>";

exit;

}

into: /etc/sentora/panel/etc/apps/phpsysinfo/index.php

* I've added the same code to the phpmyadmins index.php too so it wouldn't be accessible for brute force attacks to the world wide web.

2) all the sentora dirs under /etc/sentora are accessible to any linux user, they can grep passwords from them, delete the files or modify them to include custom code.
Will sentora break if I change permissions to this folders ?

Thanks,
Vedran

jacobg830 · 01-11-2016, 06:05 AM

Hi,

1) Is known and I submitted a patch a few days ago. It seems it was incorrectly updated last time and did not include the above code. That is the correct code and it should be added to the top of phpSysInfo's index.php and xml.php.

2) It is assumed the server is only accessible by admin and does not include other SSH users. Changing permissions is unsupported (may or may not work). Obviously this isn't ideal but it is how ZPanel was designed to be easily cross-platform.

Me.B · 01-11-2016, 11:50 PM

If you want any user without logging access phpmyadmin.

Then create a subdomain for phpmyadmin and put the files there. ( notice sentora won't update it any more ).

M B

Vedran B · 01-12-2016, 07:45 AM

(01-11-2016, 11:50 PM)Me.B Wrote: If you want any user without logging access phpmyadmin.

Then create a subdomain for phpmyadmin and put the files there. ( notice sentora won't update it any more ).

M B

Hi Me.B,

Thanks for the tip, but i acctually wanted to strengthen the security some more.
I have to correct myself, the code i wrote about in my post and added to phpmyadmins php file will not work properly.

A better way I found for restricting the access is adding the following code to the: /etc/sentora/panel/etc/apps/phpmyadmin/index.php

Code:
$ref = $_SERVER['HTTP_REFERER'];

if($ref !== 'http://panel-url-of-yoursite.com/?module=phpmyadmin')

  die("<h1>Unauthorised request!</h1><p>You must be logged in before you are able to view this page.</p>");

Me.B · 01-12-2016, 08:42 PM

HTTP_REFERER can be easily forged.

You should instead use a .htaccess to restrict access only on http://panel-url-of-yoursite.com and you can add a check if user authentificated in phpmyadmin header as your code mainly check if the refer link is module that's all while session authentificated or not.

M B

Possibly Related Threads…
Thread	Author	Replies	Views	Last Post
Is Sentora dead?	rajeevrrs	2	3 ,971	12-17-2022, 09:20 AM Last Post: TGates
Sentora debug and error files	johnnyp	0	1 ,590	10-27-2022, 06:16 PM Last Post: johnnyp
Transfer Account to another Sentora	BenI	1	3 ,334	07-21-2022, 07:19 PM Last Post: Nigel