This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Sentora Reloaded
#21
RE: Sentora Reloaded
(09-02-2015, 04:39 AM)MarkDark Wrote: Hi!
I would like to know more
1. Which operating systems will support your project
2. Whether it is free or you intend to make it pay?
3. Why name of present Sentora? This is an independent project?....

Meh... Cool Rolleyes
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

[Image: vanguardly-logo-micro.png]
Graphic and Web Design. Development.
www.vanguardly.com


Reply
Thanks given by:
#22
RE: Sentora Reloaded
(04-02-2015, 12:08 AM)KwiceroLTD Wrote:
(04-01-2015, 10:47 PM)Me.B Wrote: He doesn't care about teamwork.

M B

Pretty bold comment there, I work in teams just fine, I lead a team of developers already for projects my company operates.

I haven't seen one of you who claim "security is a priority" or anything offer to help me re-write the train wreck.

See my post here: http://forums.sentora.org/showthread.php...7#pid12447:
Quote:RE: Sentora - General Security Warning ? 5 minutes ago
A little history of security in ZPanel and Sentora:

ZPanel 5

When someone used PHP to reset my windows administrator password back in ZPanel 5 I added the use of php suhosin extension to blacklist exec and popen etc commands. This has been implemented at the virtual host level to stop any domains / subdomains using PHP to run commands on the system. The team then implemented the same restrictions on the cronjobs when this was highlighted.

A ZPanel forum member managed to browser the entire contents of my windows server back in ZPanel 5 and left me a text file in the D drive (not somewhere normally accessible through ZPanel). After this I implemented the openbase directory restrictions inside the virtual host settings to stop users of my free hosting service from accessing parts of the system they weren't supposed to. This restriction remains in place today to stop users using PHP to browser other parts of the system.


ZPanel 6

I made sure the above implementations were transferred across and helped with php suhosin on linux.

ZPanel 10.0.0

I introduced the use of PDO and binded variables (base code and example implementation in a module or two). The Sentora team including Bobby and Sam then rewrote the entire application to use the new PDO base class and bound all variables around all the modules and core. If there has been any missed code please report asap to a developer. We can then investigate and make sure to fix active code or remove inactive sections. (https://github.com/zpanel/zpanelx/commit...ad4fc7a5ae, https://github.com/zpanel/zpanelx/commit...985e365aee)

So a shout out to KwiceroLTD - if you find any more sqli issue please let us know!

This was a huge task for the development team and made the overall security of this control panel 100 times better. Also Bobby and Sam both implemented CSRF protection right the way across the application and all modules.

Sentora 1.0.0:

The protected directories module i recently completely rewrote to not use exec any more and eliminated several vulnerabilities, when time allows i'm hoping to continue rewriting each module to be more secure and add additional sanity checks. (https://github.com/zVPS/zvps-zpanelcp-htpasswd)

zsudo ... yes we know about it, has anyone sent a valid pull request to help us out? If so please point me to it. The team are working on a fix for this, most likely it will involve only allowing access to certain commands such as service reloads.

The file permissions do need fixing up, something we will review with an updater.

<hr>

The point of this post really is to say the only aspect of this control panel i have really worked on throughout it's history is the security of the panel:

Postfix default credentials - https://github.com/zpanel/zpanelx/commit...7c7b1d4595
Cronjob blacklist fixed - https://github.com/zpanel/zpanelx/commit...ee937edb4a
System command bind - https://github.com/zpanel/zpanelx/commit...b66501a6a1
Removal of protected directories - https://github.com/zpanel/zpanelx/commit...24be4563cb
Fixed sql query  to use binds - https://github.com/zpanel/zpanelx/commit...730e0ccd8f
Apache reload command - https://github.com/zpanel/zpanelx/commit...f29b0d211d
Implementation of standard class for running commands - https://github.com/zpanel/zpanelx/commit...aacd046cf2
Bind recursion - https://github.com/zpanel/zpanelx/commit...734fca76d1

So please help to secure the panel rather than just bashing the developers, we are actively accepting pull requests, however make sure to keep them small and to target one particular issue at a time. This way they are likely to be accepted quickly without any major reworks of active development.

I haven't been the most active team member over the years, however i do have a proven passion for security. 

Also i would advise your time would be much better spent on improving the current project's code rather than privately developing another solution. You would then directly be benefiting the current user base / community members and help us all rather than dividing the community.
Just my opinion, however feel free to fork the project or develop a completely new project Smile
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Can anyone suggest best Sentora alternative servermaster 1 859 12-22-2023, 10:41 AM
Last Post: TGates
Sentora 2.0 Beta Ron-e 6 13 ,317 01-01-2022, 11:56 AM
Last Post: TGates
Can not access Sentora ThomasMoss 4 7 ,224 01-01-2022, 10:41 AM
Last Post: TGates

Forum Jump:


Users browsing this thread: 2 Guest(s)