Posts: 50
Threads: 5
Joined: Oct 2014
Reputation:
0
Sex: Undisclosed
Thanks: 1
Given 10 thank(s) in 9 post(s)
Sentora - General Security Warning ?
03-19-2015, 02:06 AM
(This post was last modified: 03-19-2015, 02:12 AM by Active8.)
I saw this tread, it seems that Sentora devolpers already knowing this?
http://www.webhostingtalk.com/showthread.php?p=9399137
Posts: 4 ,002
Threads: 193
Joined: Jul 2014
Reputation:
83
Sex: Undisclosed
Thanks: 72
Given 435 thank(s) in 395 post(s)
RE: Sentora - General Security Warning ?
03-19-2015, 07:21 AM
Thanks for the heads up... I'm trying to reply there and would be happy if they have serious feedback.
M B
Posts: 3 ,663
Threads: 241
Joined: May 2014
Reputation:
85
Sex: Male
Thanks: 408
Given 599 thank(s) in 464 post(s)
RE: Sentora - General Security Warning ?
03-19-2015, 07:47 AM
Yes, we know there are no know flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!
EDIT: They provided proof and good examples of the issues. Now we have something to work from then just 'vulnerabilities' LOL
-TGates - Project Council
SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE
Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Posts: 525
Threads: 23
Joined: Mar 2015
Reputation:
26
Sex: Male
Thanks: 139
Given 104 thank(s) in 87 post(s)
RE: Sentora - General Security Warning ?
03-19-2015, 10:03 PM
Seriously, these "insecure software" will be around till the end of Sentora time and some years after that.
It's the same as for WordPress, Joomla, WooCommerce, OpenCart etc. If it's free and has good quality theres ALWAYS someone that is afraid to loose money because they can no longer sell their beloved proprietary Software.
From what I've read the Sentora security flaws that everyone talks about are related to bad configs, but who in their plain minded state does setup a Hosting Business on top of a "out of the box" software (either sentora or other one)?
Meh... Try to figure if there is really some real flaw but do never get demotivated because of articles/posts like that, they are a proof of success in my opinion.
Keep up the good work Sentora Team
Posts: 3 ,663
Threads: 241
Joined: May 2014
Reputation:
85
Sex: Male
Thanks: 408
Given 599 thank(s) in 464 post(s)
RE: Sentora - General Security Warning ?
03-20-2015, 02:32 AM
Thanks for the encouragement apinto
-TGates - Project Council
SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE
Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Posts: 14
Threads: 1
Joined: Mar 2015
Reputation:
1
Thanks: 3
Given 0 thank(s) in 0 post(s)
RE: Sentora - General Security Warning ?
03-20-2015, 04:14 AM
(03-19-2015, 07:47 AM)TGates Wrote: Yes, we know there are no know flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!
EDIT: They provided proof and good examples of the issues. Now we have something to work from then just 'vulnerabilities' LOL
I'm saddened by your immaturity on this matter. Security is very important.
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
Code: $sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");
Just a prime example, a safer practice would be:
Code: $sql = $zdbh->prepare("INSERT INTO ?.? ?");
$sql->execute(array($database, $table_name, $insert));
Therefore removing the possibility of SQL injection.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and it's affiliates.
Posts: 4 ,002
Threads: 193
Joined: Jul 2014
Reputation:
83
Sex: Undisclosed
Thanks: 72
Given 435 thank(s) in 395 post(s)
RE: Sentora - General Security Warning ?
03-20-2015, 04:53 AM
(03-20-2015, 04:14 AM)KwiceroLTD Wrote: (03-19-2015, 07:47 AM)TGates Wrote: Yes, we know there are no know flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!
EDIT: They provided proof and good examples of the issues. Now we have something to work from then just 'vulnerabilities' LOL
I'm saddened by your immaturity on this matter. Security is very important.
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
Code: $sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");
Just a prime example, a safer practice would be:
Code: $sql = $zdbh->prepare("INSERT INTO ?.? ?");
$sql->execute(array($database, $table_name, $insert));
Therefore removing the possibility of SQL injection.
Thanks for the input we care for security and the above statement express only the point of view of TOM. You know we are many trying here our best and we might have different expertise area.
OK I agree SQL injection might be better prevented, I've even gone further and asked we move to stored procedures!
Posts: 14
Threads: 1
Joined: Mar 2015
Reputation:
1
Thanks: 3
Given 0 thank(s) in 0 post(s)
RE: Sentora - General Security Warning ?
03-20-2015, 05:00 AM
(03-20-2015, 04:53 AM)Me.B Wrote: (03-20-2015, 04:14 AM)KwiceroLTD Wrote: (03-19-2015, 07:47 AM)TGates Wrote: Yes, we know there are no know flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!
EDIT: They provided proof and good examples of the issues. Now we have something to work from then just 'vulnerabilities' LOL
I'm saddened by your immaturity on this matter. Security is very important.
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
Code: $sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");
Just a prime example, a safer practice would be:
Code: $sql = $zdbh->prepare("INSERT INTO ?.? ?");
$sql->execute(array($database, $table_name, $insert));
Therefore removing the possibility of SQL injection.
Thanks for the input we care for security and the above statement express only the point of view of TOM. You know we are many trying here our best and we might have different expertise area.
OK I agree SQL injection might be better prevented, I've even gone further and asked we move to stored procedures!
Well, I never said not everyone cared about security, it's clear ballen doesn't care about security.
It's time for Sentora to stop using fork of already vulnerable code, to spend a weekend, and just crack out a completely recoded version, otherwise you're just expanding and in-the-end creating more vulnerabilities rather than patching them.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and it's affiliates.
Posts: 4 ,002
Threads: 193
Joined: Jul 2014
Reputation:
83
Sex: Undisclosed
Thanks: 72
Given 435 thank(s) in 395 post(s)
RE: Sentora - General Security Warning ?
03-20-2015, 05:10 AM
(03-20-2015, 05:00 AM)KwiceroLTD Wrote: Well, I never said not everyone cared about security, it's clear ballen doesn't care about security.
It's time for Sentora to stop using fork of already vulnerable code, to spend a weekend, and just crack out a completely recoded version, otherwise you're just expanding and in-the-end creating more vulnerabilities rather than patching them.
Not so true. We can fix all the issues that were raised over permissions/CGI/Zsudo in easy way. This had been discussed in internal section and lined up plans/solutions.
It's easy to start a new project for some than fixing the existing. I don't believe that. For many reasons:
1. When you write a new panel you might make the same pitfalls same as before even if it's a different developer. You will use the same permissions, way of coding.
2. What to say to all zpanel users? Or current sentora users? Hey guys you know what panel can't be fixed run away and use another panel? No sorry it can be fixed and we will fix it despite all the bad press we could get.
Security might not be perfect but with feedback (I've been calling for feedback since month's in low end and all I got is bashing and now one able to make a serious review!).
M B
Posts: 14
Threads: 1
Joined: Mar 2015
Reputation:
1
Thanks: 3
Given 0 thank(s) in 0 post(s)
RE: Sentora - General Security Warning ?
03-20-2015, 05:16 AM
(03-20-2015, 05:10 AM)Me.B Wrote: (03-20-2015, 05:00 AM)KwiceroLTD Wrote: Well, I never said not everyone cared about security, it's clear ballen doesn't care about security.
It's time for Sentora to stop using fork of already vulnerable code, to spend a weekend, and just crack out a completely recoded version, otherwise you're just expanding and in-the-end creating more vulnerabilities rather than patching them.
Not so true. We can fix all the issues that were raised over permissions/CGI/Zsudo in easy way. This had been discussed in internal section and lined up plans/solutions.
It's easy to start a new project for some than fixing the existing. I don't believe that. For many reasons:
1. When you write a new panel you might make the same pitfalls same as before even if it's a different developer. You will use the same permissions, way of coding.
2. What to say to all zpanel users? Or current sentora users? Hey guys you know what panel can't be fixed run away and use another panel? No sorry it can be fixed and we will fix it despite all the bad press we could get.
Security might not be perfect but with feedback (I've been calling for feedback since month's in low end and all I got is bashing and now one able to make a serious review!).
M B
As stated over at LET by a member, Sentora had a chance to change and get rid of bad ZPanel reputation, and instead got it all back again.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and it's affiliates.
|