Sentora - General Security Warning ?

[trojanspike]

I'm willing to take some of the stress Bobby - delegate a little?

[KwiceroLTD]

With regards to the above post and the 'issues' with the inline variables - that was originally intended to automatically update the DB schema based on class properties etc. called from ZPPY during system upgrades of ZPanel - Like in an active record style system, this can be removed now as it's never called and the fact that that inline variables are not bound was obviously missed from when Kevin implemented the PDO and prepared statements but is irrelevant anyway given that the code is never executed and the class is now deprecated.

I've got better things to do with my time than get involved in this thread as there have been so many like it in the past - most normal people report the issue to the issue tracker and we get it fixed as soon as we can (the MySQL vulnerability) but thanks for the personal attacks - I really appreciate it! - I'm not sure how you come to the conclusion that I clearly don't have any consideration for security!!!! - The code base is very old, I've learn't new things since I originally wrote most of it and was I even responsible for that code.... hmmmm?? https://github.com/sentora/sentora-core/...users/code

Anyway, I'm not wasting anymore of my time here but I've been working on a new version of Sentora that resolves many of the current security concerns and in the past when we hear of vulnerabilities we get them patched ASAP - What some don't realise is that ZPanel/Sentora was originally for Windows only thus not originally designed for Linux permissions etc. the 777 permissions mixed with virtual users and jailing FTP accounts, PHP security hardening was used as a "compromise" - I'm not saying that it's a good idea but the community wanted Linux support so we tried to get it to work with how the panel was currently setup to work whilst still maintaining Windows Support.

Now we've stopped supporting Windows, I've been busy behind the scenes working on a new version that actually implements the *correct* security model for a *NIX only based control panel as we no longer plan to support Windows as a direct decision on security - I've been keeping this development away from the public as it just drains my personal resources when having to reply to various requests, emails etc.etc. so although the current security model is NOT ideal - Yes 777 is BAD but if the server is correctly patched, and no system users exist minus a correctly secured 'root' account as we've always recommended on these forums then seriously for now (until the next version which I'm nearly done on) just how bad is that? - I'm serious, I'd like to know as from my view (as a developer - not a systems administration) I believe we've covered the bases until we've released the next version (actually developed specifically for *NIX).


Maybe it's time for someone else to use so much of their own personal time, ignoring their family and write a panel to replace the current one then, these personal attacks just depress me, get me down and ultimately make me question why I even try to improve a product that I've already spent so many hours on previously and only ever have good intention on...

I'm willing to do a full code re-write for you, it'll take me a bit, on the guarantee it won't be converted back to shit-vulnerable code.

[Active8]

I'm willing to do a full code re-write for you, it'll take me a bit, on the guarantee it won't be converted back to shit-vulnerable code.

[ballen]

I'm willing to do a full code re-write for you, it'll take me a bit, on the guarantee it won't be converted back to shit-vulnerable code.

I'd like to see that... You're not the first to have said something along those line and guess what... two years later we're still waiting!!

Ultimately people need to start putting their money where the mouth is.... everyone around here seem to have the "solutions" but no one seems to implement them or take responsibility when they believe that they have the ultimate security implementation when in reality... yeah! - Even members of the existing team, Me.B and 5050 for example both have good ideas but are they implemented yet? - I fully understand that this version of Sentora needs a complete rewrite, it was never designed to work as a *NIX panel initially... the panel code (web teir) could use some massive improvements from a software development point of view and therefore that is why I have been writing a new version, of which benefits from unit testing, properly designed template engines and various other things that previously does not exist in Sentora but anyway some of the team members beleive that we don't need a new verison and simply cementing over the cracks in the existing version will do.... Personally I don't but hey, who am I anymore!

This project is open source - people should make complete (properly tested) pull requests and help fix the issues or, rightly so and as I've previously stated above... write a new version that is actually designed to work on *NIX rather than a hack-up of the original version designed for MS Windows to work with *NIX as I've posted in my post above.

Anyway, I've had enough of all of this shit, I have absolutely no problem is writing secure code, and yeah sometimes people make mistakes but you learn from them.... and it pisses me off to think that people are "mad at me" to think that I've only ever done what I believe was right and yeah ok, it may be my misunderstanding of all components (Linux security but yeah someone has still to explain to me why with the absence of system accounts the 777 is so bad given that we've already raised this as an issue and recommend against it as an interim solution??!!!) 

This is an open-source project - people should be helping rather than just slating the project and me in general.

I suggest that the remaining team members push their ideas and take this project to higher places... I'm personally out now, I've had enough and I'm sure that in the mean time all you haters will be like "yeah great, the security n00b has gone" but hey, lets see what happens next!

I wish you all the best with the project and honestly hope that you can find the time and determination that I no longer have to turn it into something much better.

[KwiceroLTD]

I'm willing to do a full code re-write for you, it'll take me a bit, on the guarantee it won't be converted back to shit-vulnerable code.

I'd like to see that... You're not the first to have said something along those line and guess what... two years later we're still waiting!!

Ultimately people need to start putting their money where the mouth is.... everyone around here seem to have the "solutions" but no one seems to implement them or take responsibility when they believe that they have the ultimate security implementation when in reality... yeah! - Even members of the existing team, Me.B and 5050 for example both have good ideas but are they implemented yet? - I fully understand that this version of Sentora needs a complete rewrite, it was never designed to work as a *NIX panel initially... the panel code (web teir) could use some massive improvements from a software development point of view and therefore that is why I have been writing a new version, of which benefits from unit testing, properly designed template engines and various other things that previously does not exist in Sentora but anyway some of the team members beleive that we don't need a new verison and simply cementing over the cracks in the existing version will do.... Personally I don't but hey, who am I anymore!

This project is open source - people should make complete (properly tested) pull requests and help fix the issues or, rightly so and as I've previously stated above... write a new version that is actually designed to work on *NIX rather than a hack-up of the original version designed for MS Windows to work with *NIX as I've posted in my post above.

Anyway, I've had enough of all of this shit, I have absolutely no problem is writing secure code, and yeah sometimes people make mistakes but you learn from them.... and it pisses me off to think that people are "mad at me" to think that I've only ever done what I believe was right and yeah ok, it may be my misunderstanding of all components (Linux security but yeah someone has still to explain to me why with the absence of system accounts the 777 is so bad given that we've already raised this as an issue and recommend against it as an interim solution??!!!) 

This is an open-source project - people should be helping rather than just slating the project and me in general.

I suggest that the remaining team members push their ideas and take this project to higher places... I'm personally out now, I've had enough and I'm sure that in the mean time all you haters will be like "yeah great, the security n00b has gone" but hey, lets see what happens next!

I wish you all the best with the project and honestly hope that you can find the time and determination that I no longer have to turn it into something much better.

I already told you I'd do a rewrite on the condition it isn't turned into vulnerable code again, if that's what you want I'll do it. If any developers want to join me they can, but it'll be a complete, 100% rewrite of the code and design - no original ZPanel/Sentora code will be used. Proper security practices will be put in place, and I'll pay to have it audited (out of my own personal funds) upon completion by security firms.

[ballen]

How could it possibly fall back into "vulnerable code again" when I've just given my resignation from the project to the rest of the team - As you've seem to imply as with the other "security people", I'm clearly the problem here (and as such, no more the problem).

Good luck!

[KwiceroLTD]

How could it possibly fall back into "vulnerable code again" when I've just given my resignation from the project to the rest of the team - As you've seem to imply as with the other "security people", I'm clearly the problem here (and as such, no more the problem).

Good luck!

I never stated you were the problem, I stated the code was the problem, the fact you ported it from ZPanel which was already vulnerable, was the problem.

[Ron-e]

I'm personally out now, I've had enough and I'm sure that in the mean time all you haters will be like "yeah great, the security n00b has gone" but hey, lets see what happens next!

I am really sad to read this, there are lots of people (including me) who very much appreciate you for all you have done for Zpanel and Sentora.
But i can see that all the people who only give bad comments about it eat up all your enthusiasm for this project.
Hope it's not for ever and we will see you back soon!

[steva]

Sentora is GREAT project.
This is my first post on this forum.

I'm still at the stage of research and testing free panels for services provided by my company , and Sentora is definitely a choice we make .
When it comes to the average end user , in a market there is a simple and efficient tool .
Even before he started the discussion about security vulnerabilities, it was weird to just what is the subject of discussion , just like the backup file that is in .zip format , which , as is well known not recorded linux settings for files and folders.
I hope that the concerned problem is overcome by hard correcting code, you have all my support , Sentora project must continue to live !

And finally, a question for the gurus linux security :
is there a way to overcome the current security problem at the moment, until the release of a new version Sentora .
For example, if on VM i close the SSH access , or ............. something?

[Me.B]

Sentora is GREAT project.
This is my first post on this forum.

I'm still at the stage of research and testing free panels for services provided by my company , and Sentora is definitely a choice we make .
When it comes to the average end user , in a market there is a simple and efficient tool .
Even before he started the discussion about security vulnerabilities, it was weird to just what is the subject of discussion , just like the backup file that is in .zip format , which , as is well known not recorded linux settings for files and folders.
I hope that the concerned problem is overcome by hard correcting code, you have all my support , Sentora project must continue to live !

And finally, a question for the gurus linux security :
is there a way to overcome the current security problem at the moment, until the release of a new version Sentora .
For example, if on VM i close the SSH access , or ............. something?

There is ways and we are currently working on it. I will announce a patch for centos 6.x that fix a mis-configuration already as CGI remain activated. Zsudo is getting removed too.

We are doing our best and all feedback is welcome with due respect to all dev team and energy we put in this project.