I'm willing to take some of the stress Bobby - delegate a little?
Sentora - General Security Warning ?
Thanks given by: KwiceroLTD
(03-22-2015, 12:08 AM)ballen Wrote: With regards to the above post and the 'issues' with the inline variables - that was originally intended to automatically update the DB schema based on class properties etc. called from ZPPY during system upgrades of ZPanel - Like in an active record style system, this can be removed now as it's never called and the fact that the inline variables are not bound was obviously missed from when Kevin implemented the PDO and prepared statements but is irrelevant anyway given that the code is never executed and the class is now deprecated.

I'm willing to do a full code re-write for you, it'll take me a bit, on the guarantee it won't be converted back to shit-vulnerable code.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and its affiliates.
Thanks given by: KwiceroLTD
(03-23-2015, 06:24 AM)Active8 Wrote:(03-23-2015, 04:01 AM)KwiceroLTD Wrote: I'm willing to do a full code re-write for you, it'll take me a bit, on the guarantee it won't be converted back to shit-vulnerable code.

I'd like to see that... You're not the first to have said something along those lines and guess what... two years later we're still waiting!! Ultimately people need to start putting their money where the mouth is.... everyone around here seems to have the "solutions" but no one seems to implement them or take responsibility when they believe that they have the ultimate security implementation when in reality... yeah! - Even members of the existing team, Me.B and 5050 for example both have good ideas but are they implemented yet? - I fully understand that this version of Sentora needs a complete rewrite, it was never designed to work as a *NIX panel initially... the panel code (web tier) could use some massive improvements from a software development point of view and therefore that is why I have been writing a new version, of which benefits from unit testing, properly designed template engines and various other things that previously did not exist in Sentora but anyway some of the team members believe that we don't need a new version and simply cementing over the cracks in the existing version will do.... Personally I don't but hey, who am I anymore! This project is open source - people should make complete (properly tested) pull requests and help fix the issues or, rightly so and as I've previously stated above... write a new version that is actually designed to work on *NIX rather than a hack-up of the original version designed for MS Windows to work with *NIX as I've posted in my post above. Anyway, I've had enough of all of this shit, I have absolutely no problem in writing secure code, and yeah sometimes people make mistakes but you learn from them.... and it pisses me off to think that people are "mad at me" to think that I've only ever done what I believe was right and yeah ok, it may be my misunderstanding of all components (Linux security but yeah someone has still to explain to me why with the absence of system accounts the 777 is so bad given that we've already raised this as an issue and recommend against it as an interim solution??!!!) This is an open-source project - people should be helping rather than just slating the project and me in general. I suggest that the remaining team members push their ideas and take this project to higher places... I'm personally out now, I've had enough and I'm sure that in the meantime all you haters will be like "yeah great, the security n00b has gone" but hey, let's see what happens next! I wish you all the best with the project and honestly hope that you can find the time and determination that I no longer have to turn it into something much better.
Follow me on Twitter or find out more about me at bobbyallen.me
(03-23-2015, 10:44 PM)ballen Wrote:(03-23-2015, 06:24 AM)Active8 Wrote:(03-23-2015, 04:01 AM)KwiceroLTD Wrote: I'm willing to do a full code re-write for you, it'll take me a bit, on the guarantee it won't be converted back to shit-vulnerable code.

I already told you I'd do a rewrite on the condition it isn't turned into vulnerable code again, if that's what you want I'll do it. If any developers want to join me they can, but it'll be a complete, 100% rewrite of the code and design - no original ZPanel/Sentora code will be used. Proper security practices will be put in place, and I'll pay to have it audited (out of my own personal funds) upon completion by security firms.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and its affiliates.
RE: Sentora - General Security Warning ?
03-23-2015, 11:11 PM
(This post was last modified: 03-23-2015, 11:12 PM by ballen.)
How could it possibly fall back into "vulnerable code again" when I've just given my resignation from the project to the rest of the team - As you seem to imply as with the other "security people", I'm clearly the problem here (and as such, no more the problem).
Good luck!
Follow me on Twitter or find out more about me at bobbyallen.me
Thanks given by: Me.B
(03-23-2015, 11:11 PM)ballen Wrote: How could it possibly fall back into "vulnerable code again" when I've just given my resignation from the project to the rest of the team - As you seem to imply as with the other "security people", I'm clearly the problem here (and as such, no more the problem).

I never stated you were the problem, I stated the code was the problem, the fact you ported it from ZPanel which was already vulnerable, was the problem.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and its affiliates.
(03-23-2015, 10:44 PM)ballen Wrote: I'm personally out now, I've had enough and I'm sure that in the meantime all you haters will be like "yeah great, the security n00b has gone" but hey, let's see what happens next!

I am really sad to read this, there are lots of people (including me) who very much appreciate you for all you have done for Zpanel and Sentora. But I can see that all the people who only give bad comments about it eat up all your enthusiasm for this project. Hope it's not forever and we will see you back soon!
My Sentora Demo ● My Github ● Auxio Github ● Zentora theme ● S-Type theme ● CstyleX theme ● flat-color-icons ● small-n-flat-icons
Sentora's development takes way too long, so I'm transitioning to HestiaCP.
RE: Sentora - General Security Warning ?
03-24-2015, 06:05 PM
(This post was last modified: 03-24-2015, 06:07 PM by steva.)
Sentora is GREAT project.
This is my first post on this forum. I'm still at the stage of research and testing free panels for services provided by my company, and Sentora is definitely a choice we make. When it comes to the average end user, in a market there is a simple and efficient tool. Even before he started the discussion about security vulnerabilities, it was weird to just what is the subject of discussion, just like the backup file that is in .zip format, which, as is well known not recorded Linux settings for files and folders. I hope that the concerned problem is overcome by hard correcting code, you have all my support, Sentora project must continue to live! And finally, a question for the gurus Linux security: is there a way to overcome the current security problem at the moment, until the release of a new version Sentora. For example, if on VM I close the SSH access, or ... something?

(03-24-2015, 06:05 PM)steva Wrote: Sentora is GREAT project.

There are ways and we are currently working on it. I will announce a patch for CentOS 6.x that fixes a mis-configuration already as CGI remains activated. Zsudo is getting removed too. We are doing our best and all feedback is welcome with due respect to all dev team and energy we put in this project.
No support using PM (Auto adding to IGNORE list!), use the forum.