RE: Sentora - General Security Warning ?
03-20-2015, 05:31 AM
(03-20-2015, 05:16 AM)KwiceroLTD Wrote: (03-20-2015, 05:10 AM)Me.B Wrote: (03-20-2015, 05:00 AM)KwiceroLTD Wrote: Well, I never said not everyone cared about security, it's clear ballen doesn't care about security.
It's time for Sentora to stop using a fork of already vulnerable code, to spend a weekend, and just crack out a completely recoded version, otherwise you're just expanding and in the end creating more vulnerabilities rather than patching them.
Not so true. We can fix all the issues that were raised over permissions/CGI/Zsudo in an easy way. This has been discussed in the internal section and we have lined up plans/solutions.
It's easier for some to start a new project than to fix the existing one. I don't believe that, for many reasons:
1. When you write a new panel you might fall into the same pitfalls as before even if it's a different developer. You will use the same permissions, the same way of coding.
2. What to say to all ZPanel users? Or current Sentora users? "Hey guys, you know what, the panel can't be fixed, run away and use another panel"? No, sorry, it can be fixed and we will fix it despite all the bad press we could get.
Security might not be perfect but with feedback (I've been calling for feedback for months on LowEndTalk and all I got is bashing, and no one able to make a serious review!).
M B
As stated over at LET by a member, Sentora had a chance to change and get rid of bad ZPanel reputation, and instead got it all back again.
I can't show it here but most of the raised issues were already in the pipe for Sentora 1.1; we need time to rewrite the Apache module. We are doing it in our free time for free. It's not so easy to maintain, help users, build a new updater for ZPanel users, work on the email stack, and test. It requires a lot of time and we have to do it in our spare time.
RE: Sentora - General Security Warning ?
03-20-2015, 08:49 PM
(This post was last modified: 03-20-2015, 08:54 PM by Active8.)
I'm following this via LET, WHT and here and I see real progress in this.
Like KwiceroLTD said: now is a chance to get rid of the negative image this panel has because of its ZPanel past.
I see now there is a difference in the attitude of most people, they are now willing to help instead of just saying "ZPanel/Sentora sucks!"
I see real progress, please keep it that way.
I'm using different panels for my servers like DirectAdmin, Interworx and CWP, and some of my VPS use Sentora, and I must say Sentora is the one I really want to use. Sure, most of the panels like CWP have really a lot of features, but I like the simplicity of Sentora! (Side note: please use PHP 5.4.x and MySQL 5.5.x as the default install and get rid of the 5.3 branch.)
RE: Sentora - General Security Warning ?
03-20-2015, 09:36 PM
(03-20-2015, 08:49 PM)Active8 Wrote: I'm following this via LET, WHT and here and I see real progress in this.
Like KwiceroLTD said: now is a chance to get rid of the negative image this panel has because of its ZPanel past.
I see now there is a difference in the attitude of most people, they are now willing to help instead of just saying "ZPanel/Sentora sucks!"
I see real progress, please keep it that way.
I'm using different panels for my servers like DirectAdmin, Interworx and CWP, and some of my VPS use Sentora, and I must say Sentora is the one I really want to use. Sure, most of the panels like CWP have really a lot of features, but I like the simplicity of Sentora! (Side note: please use PHP 5.4.x and MySQL 5.5.x as the default install and get rid of the 5.3 branch.)
Thanks, and you are welcome. For PHP 5.4 you can already use it on CentOS 7, or 5.5 on Ubuntu 14. Currently we do our best to improve the core, but we "may" offer a clean solution for compiling different PHP versions and picking the one that fits your needs.
M B
RE: Sentora - General Security Warning ?
03-20-2015, 10:51 PM
Regardless, I think it's time you all sit down and do a complete re-write the secure way, otherwise you'll drag the bad rep of zPanel with you. If you announce that you've done a 100% complete re-write and fixed a ton of things, you'll draw people's attention and they'll want to test and see if it was indeed fixed properly. If it was, you'll get rid of the bad zPanel history and take on a new reputation.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and its affiliates.
RE: Sentora - General Security Warning ?
03-20-2015, 11:04 PM
(03-20-2015, 10:51 PM)KwiceroLTD Wrote: Regardless, I think it's time you all sit down and do a complete re-write the secure way, otherwise you'll drag the bad rep of zPanel with you. If you announce that you've done a 100% complete re-write and fixed a ton of things, you'll draw people's attention and they'll want to test and see if it was indeed fixed properly. If it was, you'll get rid of the bad zPanel history and take on a new reputation.
Sorry to bring it back, but all the points already discussed don't require a 100% rewrite. Besides, there is a Sentora 2.0 still in development, built from scratch.
We are already working on some tweaks and will add more soon.
And we should provide a real solution for all those running Sentora on production/live servers. We care about that. A full rewrite will require more time, and we will study each point. Note that we have a roadmap/features plan that already covers 99% of the points that were raised, and we are evaluating the best options.
The most important thing is offering fixes and solutions in an effective way.
M B
RE: Sentora - General Security Warning ?
03-21-2015, 12:48 AM
If Sentora had not forked zPanel, at this day you wouldn't even have a beta release of Sentora, let alone a stable release.
Even if the new code were in many ways better, the flaws would still be there, and it would not have the extensive testing zPanel had.
Now, I do agree that it would be good to have a remade Sentora 2.0, however things take time and let's not give a step bigger than our own legs (crotch over-extension really hurts...).
I'm not saying there are NO security flaws, I'm not a security expert (not even close) but I know how to manage a project, and from what I can tell Sentora is doing the project management in a very good way, trust them, I do.
Back on topic, and speaking from a marketing/management point of view, I believe Sentora 1.1 or 1.2 should be focused on security. Regardless of how many, how little and unimportant Sentora flaws may be for the public it would be a great way to arrive and say with confidence: We are a Secure Panel. Period. Cut for once the roots that link Sentora to zPanel security flaws.
But Me.B, you are completely right when you say:
"The most important is offering fixes and solutions in an effective way." (Me.B)
Keep up the good work.
RE: Sentora - General Security Warning ?
03-21-2015, 02:24 AM
(03-20-2015, 04:14 AM)KwiceroLTD Wrote: (03-19-2015, 07:47 AM)TGates Wrote: Yes, we know there are no known flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!
EDIT: They provided proof and good examples of the issues. Now we have something to work from rather than just 'vulnerabilities' LOL
I'm saddened by your immaturity on this matter. Security is very important.
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
Code: $sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");
Just a prime example, a safer practice would be:
Code: $sql = $zdbh->prepare("INSERT INTO ?.? ?");
$sql->execute(array($database, $table_name, $insert));
Therefore removing the possibility of SQL injection.
As a note on this one, the devs did go through the panel and convert to PDO bound parameters; ones like these must have just been an oversight. Thanks for notifying us. This is the feedback we need.
-TGates - Project Council
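The distinction behind TGates's point, as an added example that is not Sentora's own code: PDO placeholders bind values only, so a database or table name cannot be passed to execute() and has to be validated before it is interpolated into the statement. The names quoteIdentifier, insertRow and the demo_users table are assumed for the illustration, and an in-memory SQLite handle stands in for $zdbh.

```php
<?php
// Added example, not Sentora code: PDO placeholders only bind values.
// Identifiers (database/table/column names) cannot be bound, so they are
// checked against a strict pattern before being interpolated into the SQL.
function quoteIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return '`' . $name . '`';
}

// Build "INSERT INTO `table` (`col`, ...) VALUES (?, ...)" and bind the values.
function insertRow(PDO $zdbh, string $table, array $row): int
{
    $columns      = array_map('quoteIdentifier', array_keys($row));
    $placeholders = implode(', ', array_fill(0, count($row), '?'));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        quoteIdentifier($table), implode(', ', $columns), $placeholders);
    $stmt = $zdbh->prepare($sql);
    $stmt->execute(array_values($row)); // values are bound, never interpolated
    return (int) $zdbh->lastInsertId();
}

// Constructed demo: an in-memory SQLite database stands in for $zdbh.
$zdbh = new PDO('sqlite::memory:');
$zdbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$zdbh->exec('CREATE TABLE `demo_users` (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');

// A value containing a quote is stored literally because it is bound.
$id = insertRow($zdbh, 'demo_users', ['username' => "o'brien", 'email' => 'ob@example.com']);
echo "inserted row $id\n";

// A table name carrying anything beyond a plain identifier is rejected outright.
try {
    insertRow($zdbh, 'demo_users; --', ['username' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The same rule applies to the $insert fragment in the quoted line: a whole VALUES clause is not a bindable value either, so the column list and values have to be assembled as above.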
RE: Sentora - General Security Warning ?
03-21-2015, 05:23 AM
I've not really been that active due to life. But the aim of Sentora was to get a stable and secure version of ZPanelX. Obviously we're still firefighting this at the moment; I've only just heard of these security issues today! I'm emailing Ballen now about these issues and will get back to you all as soon as we have a plan.
You have to remember ZPanelX was never designed as a commercial panel. It was designed to be a hobbyist / personal panel, with a simple architecture that people can play with and modify. I mean, when the community was told the PHP was going to be OOP based, there was a massive uproar about it being too complicated and too advanced.
The main aim of Sentora, however, is to rewrite the panel from the ground up for a more commercial and modular environment, this time ignoring any uproar about it being "too complicated", as that obviously bit us in the arse on ZPanelX.
RE: Sentora - General Security Warning ?
03-21-2015, 06:28 AM
(03-20-2015, 04:14 AM)KwiceroLTD Wrote: [...]
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
Code: $sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");
[...]
I agree it can be better written, but... the real question is: "are $database, $table and $insert reachable from a user?"
The response is no: they are not even reachable at all!!!!
This code is extracted from the class db_builder. If you look a bit closer with a good search tool, you will see that this class is NEVER called!
I do not know from where (or from when) it comes, but it is an outdated class that can be removed. Moreover, from its content, I discovered that it was intended to read and build a database from an XML file.
-> I am pretty sure that it was NEVER callable from the internet side, and I strongly suppose that it was a tool intended to be used from zppy or something like it (module setup?).
So, please do not worry about this file or any of its (bad) content!
RE: Sentora - General Security Warning ?
03-22-2015, 12:08 AM
(This post was last modified: 03-22-2015, 12:19 AM by ballen.)
With regards to the above post and the 'issues' with the inline variables: that was originally intended to automatically update the DB schema based on class properties etc., called from ZPPY during system upgrades of ZPanel, like in an active-record style system. This can be removed now as it's never called, and the fact that the inline variables are not bound was obviously missed when Kevin implemented PDO and prepared statements, but it is irrelevant anyway given that the code is never executed and the class is now deprecated.
I've got better things to do with my time than get involved in this thread, as there have been so many like it in the past. Most normal people report the issue to the issue tracker and we get it fixed as soon as we can (the MySQL vulnerability), but thanks for the personal attacks, I really appreciate it! I'm not sure how you come to the conclusion that I clearly don't have any consideration for security!!!! The code base is very old, I've learnt new things since I originally wrote most of it, and was I even responsible for that code.... hmmmm?? https://github.com/sentora/sentora-core/...users/code
Anyway, I'm not wasting any more of my time here, but I've been working on a new version of Sentora that resolves many of the current security concerns, and in the past when we hear of vulnerabilities we get them patched ASAP. What some don't realise is that ZPanel/Sentora was originally for Windows only, thus not originally designed for Linux permissions etc.; the 777 permissions mixed with virtual users and jailed FTP accounts, plus PHP security hardening, was used as a "compromise". I'm not saying that it's a good idea, but the community wanted Linux support, so we tried to get it to work with how the panel was currently set up to work whilst still maintaining Windows support.
Now we've stopped supporting Windows, I've been busy behind the scenes working on a new version that actually implements the *correct* security model for a *NIX-only control panel, as we no longer plan to support Windows as a direct decision on security. I've been keeping this development away from the public as it just drains my personal resources when having to reply to various requests, emails etc. etc. So although the current security model is NOT ideal (yes, 777 is BAD), if the server is correctly patched, and no system users exist minus a correctly secured 'root' account as we've always recommended on these forums, then seriously, for now (until the next version which I'm nearly done on), just how bad is that? I'm serious, I'd like to know, as from my view (as a developer, not a systems administrator) I believe we've covered the bases until we've released the next version (actually developed specifically for *NIX).
Maybe it's time for someone else to use so much of their own personal time, ignoring their family, and write a panel to replace the current one then. These personal attacks just depress me, get me down and ultimately make me question why I even try to improve a product that I've already spent so many hours on previously and only ever had good intentions on...