This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Sentora - General Security Warning ?
#1
Sentora - General Security Warning ?
I saw this tread, it seems that Sentora devolpers already knowing this?

http://www.webhostingtalk.com/showthread.php?p=9399137
Reply
Thanks given by:
#2
RE: Sentora - General Security Warning ?
Thanks for the heads up... I'm trying to reply there and would be happy if they have serious feedback.

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
Reply
Thanks given by:
#3
RE: Sentora - General Security Warning ?
Yes, we know there are no know flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!

EDIT: They provided proof and good examples of the issues. Now we have something to work from then just 'vulnerabilities' LOL
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by: Cantalupo
#4
RE: Sentora - General Security Warning ?
Seriously, these "insecure software" will be around till the end of Sentora time and some years after that.
It's the same as for WordPress, Joomla, WooCommerce, OpenCart etc. If it's free and has good quality theres ALWAYS someone that is afraid to loose money because they can no longer sell their beloved proprietary Software.

From what I've read the Sentora security flaws that everyone talks about are related to bad configs, but who in their plain minded state does setup a Hosting Business on top of a "out of the box" software (either sentora or other one)?

Meh... Try to figure if there is really some real flaw but do never get demotivated because of articles/posts like that, they are a proof of success in my opinion.

Keep up the good work Sentora Team Smile
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

[Image: vanguardly-logo-micro.png]
Graphic and Web Design. Development.
www.vanguardly.com


Reply
Thanks given by:
#5
RE: Sentora - General Security Warning ?
Thanks for the encouragement apinto Smile
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#6
RE: Sentora - General Security Warning ?
(03-19-2015, 07:47 AM)TGates Wrote: Yes, we know there are no know flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!

EDIT: They provided proof and good examples of the issues. Now we have something to work from then just 'vulnerabilities' LOL

I'm saddened by your immaturity on this matter. Security is very important.
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
Code:
$sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");

Just a prime example, a safer practice would be:
Code:
$sql = $zdbh->prepare("INSERT INTO ?.? ?");
$sql->execute(array($database, $table_name, $insert));

Therefore removing the possibility of SQL injection.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and it's affiliates.
Reply
Thanks given by:
#7
RE: Sentora - General Security Warning ?
(03-20-2015, 04:14 AM)KwiceroLTD Wrote:
(03-19-2015, 07:47 AM)TGates Wrote: Yes, we know there are no know flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!

EDIT: They provided proof and good examples of the issues. Now we have something to work from then just 'vulnerabilities' LOL

I'm saddened by your immaturity on this matter. Security is very important.
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
Code:
$sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");

Just a prime example, a safer practice would be:
Code:
$sql = $zdbh->prepare("INSERT INTO ?.? ?");
$sql->execute(array($database, $table_name, $insert));

Therefore removing the possibility of SQL injection.

Thanks for the input we care for security and the above statement express only the point of view of TOM. You know we are many trying here our best and we might have different expertise area.

OK I agree SQL injection might be better prevented, I've even gone further and asked we move to stored procedures!
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
Reply
Thanks given by:
#8
RE: Sentora - General Security Warning ?
(03-20-2015, 04:53 AM)Me.B Wrote:
(03-20-2015, 04:14 AM)KwiceroLTD Wrote:
(03-19-2015, 07:47 AM)TGates Wrote: Yes, we know there are no know flaws in security right now. They have not shown any proof that the current release has any. If they do find them and post them up, we of course will jump right on it!

EDIT: They provided proof and good examples of the issues. Now we have something to work from then just 'vulnerabilities' LOL

I'm saddened by your immaturity on this matter. Security is very important.
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.

Code:
$sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");

Just a prime example, a safer practice would be:

Code:
$sql = $zdbh->prepare("INSERT INTO ?.? ?");
$sql->execute(array($database, $table_name, $insert));

Therefore removing the possibility of SQL injection.

Thanks for the input we care for security and the above statement express only the point of view of TOM. You know we are many trying here our best and we might have different expertise area.

OK I agree SQL injection might be better prevented, I've even gone further and asked we move to stored procedures!

Well, I never said not everyone cared about security, it's clear ballen doesn't care about security.
It's time for Sentora to stop using fork of already vulnerable code, to spend a weekend, and just crack out a completely recoded version, otherwise you're just expanding and in-the-end creating more vulnerabilities rather than patching them.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and it's affiliates.
Reply
Thanks given by:
#9
RE: Sentora - General Security Warning ?
(03-20-2015, 05:00 AM)KwiceroLTD Wrote: Well, I never said not everyone cared about security, it's clear ballen doesn't care about security.
It's time for Sentora to stop using fork of already vulnerable code, to spend a weekend, and just crack out a completely recoded version, otherwise you're just expanding and in-the-end creating more vulnerabilities rather than patching them.

Not so true. We can fix all the issues that were raised over permissions/CGI/Zsudo in easy way. This had been discussed in internal section and lined up plans/solutions.

It's easy to start a new project for some than fixing the existing. I don't believe that. For many reasons:

1. When you write a new panel you might make the same pitfalls same as before even if it's a different developer. You will use the same permissions, way of coding.

2. What to say to all zpanel users? Or current sentora users? Hey guys you know what panel can't be fixed run away and use another panel? No sorry it can be fixed and we will fix it despite all the bad press we could get.

Security might not be perfect but with feedback (I've been calling for feedback since month's in low end and all I got is bashing and now one able to make a serious review!).

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
Reply
Thanks given by: modcar
#10
RE: Sentora - General Security Warning ?
(03-20-2015, 05:10 AM)Me.B Wrote:
(03-20-2015, 05:00 AM)KwiceroLTD Wrote: Well, I never said not everyone cared about security, it's clear ballen doesn't care about security.
It's time for Sentora to stop using fork of already vulnerable code, to spend a weekend, and just crack out a completely recoded version, otherwise you're just expanding and in-the-end creating more vulnerabilities rather than patching them.

Not so true. We can fix all the issues that were raised over permissions/CGI/Zsudo in easy way. This had been discussed in internal section and lined up plans/solutions.

It's easy to start a new project for some than fixing the existing. I don't believe that. For many reasons:

1. When you write a new panel you might make the same pitfalls same as before even if it's a different developer. You will use the same permissions, way of coding.

2. What to say to all zpanel users? Or current sentora users? Hey guys you know what panel can't be fixed run away and use another panel? No sorry it can be fixed and we will fix it despite all the bad press we could get.

Security might not be perfect but with feedback (I've been calling for feedback since month's in low end and all I got is bashing and now one able to make a serious review!).

M B

As stated over at LET by a member, Sentora had a chance to change and get rid of bad ZPanel reputation, and instead got it all back again.
My opinions are mine and mine alone. They do not reflect the opinions of my company, staff, and it's affiliates.
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Can anyone suggest best Sentora alternative servermaster 1 465 12-22-2023, 10:41 AM
Last Post: TGates
Sentora 2.0 Beta Ron-e 6 12 ,157 01-01-2022, 11:56 AM
Last Post: TGates
Can not access Sentora ThomasMoss 4 6 ,380 01-01-2022, 10:41 AM
Last Post: TGates

Forum Jump:


Users browsing this thread: 1 Guest(s)