Forum

ahsan · 07-15-2015, 12:03 AM

(07-14-2015, 11:53 PM)Ron- Wrote: e

(07-14-2015, 11:37 PM)ahsan Wrote: All
[quote pid='11243' dateline='1436881037']
the websites on the server are run under apache user. And if any account of the user is compromised, The attacker can gain access to all the websites and users on the sentora.
All you need is a back-connect script. And you can change files of any website in any directory or any user.

isn't this protected/locked in by suhosin?
[/quote]

Well, it has suhosin installed. But that is a PHP extension, right? I can see that in phpinfo.
But the problem is not about PHP extensions. It's about file permissions. Hosting accounts are poorly managed.

apinto · 07-15-2015, 12:12 AM

(07-14-2015, 11:37 PM)ahsan Wrote: @[apinto]
Let alone the user panel bugs there are numerous bugs regarding to Server security and user privacy.
I was just testing my Sentora server and I'm really, really disheartened right now.
All the websites on the server are run under apache user. And if any account of the user is compromised, The attacker can gain access to all the websites and users on the sentora.
All you need is a back-connect script. And you can change files of any website in any directory or any user.

ahsan can you let me know of a viable way to gain access to any directory by having a single user credentials?

ahsan · 07-15-2015, 12:13 AM

(07-14-2015, 09:49 PM)Dave Wrote:
(07-14-2015, 09:22 PM)ahsan Wrote: There exist some very dangerous bugs in the Sentora as well. A user can compromise domains of other users and all. I have sent a private message to TGates and Me.B about the issue.
No response yet.

Is this in the FTP client (File Manager) at the bottom of your control panel your talking about?

Can you shed some more light on this….?

apinto · 07-15-2015, 12:32 AM

(07-15-2015, 12:13 AM)ahsan Wrote:
(07-14-2015, 09:49 PM)Dave Wrote:
(07-14-2015, 09:22 PM)ahsan Wrote: There exist some very dangerous bugs in the Sentora as well. A user can compromise domains of other users and all. I have sent a private message to TGates and Me.B about the issue.
No response yet.

Is this in the FTP client (File Manager) at the bottom of your control panel your talking about?

Can you shed some more light on this….?

I see your point. But this is exactly the same issue I talked with you earlier, it has nothing to do with the apache user.

ahsan · (This post was last modified: 07-15-2015, 01:23 AM by ahsan.)

There is some problem with forum replies. My reply was totally removed and it just posted my quoted replies.
I'm uploading video POC.

ahsan · 07-15-2015, 01:37 AM

Please check this post
http://forums.sentora.org/showthread.php?tid=1766

apinto · 07-15-2015, 02:29 AM

Why do you have HostExplorer installed?

Possibly Related Threads…
Thread	Author	Replies	Views	Last Post
Security update dicussion	Eulogy	1	6 ,417	05-29-2017, 04:58 PM Last Post: Me.B