This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Security
#11
RE: Security
(07-14-2015, 11:53 PM)Ron- Wrote: e
(07-14-2015, 11:37 PM)ahsan Wrote: All
[quote pid='11243' dateline='1436881037']
the websites on the server are run under apache user. And if any account of the user is compromised, The attacker can gain access to all the websites and users on the sentora.
All you need is a back-connect script. And you can change files of any website in any directory or any user.
isn't this protected/locked in by suhosin?
[/quote]

Well, it has suhosin installed. But that is a PHP extension, right? I can see that in phpinfo.
But the problem is not about PHP extensions. It's about file permissions. Hosting accounts are poorly managed.
Reply
Thanks given by:
#12
RE: Security
(07-14-2015, 11:37 PM)ahsan Wrote: @[apinto]
 Let alone the user panel bugs there are numerous bugs regarding to Server security and user privacy.
I was just testing my Sentora server and I'm really, really disheartened right now.
All the websites on the server are run under apache user. And if any account of the user is compromised, The attacker can gain access to all the websites and users on the sentora.
All you need is a back-connect script. And you can change files of any website in any directory or any user.

ahsan can you let me know of a viable way to gain access to any directory by having a single user credentials?
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

[Image: vanguardly-logo-micro.png]
Graphic and Web Design. Development.
www.vanguardly.com


Reply
Thanks given by:
#13
RE: Security
(07-14-2015, 09:49 PM)Dave Wrote:
(07-14-2015, 09:22 PM)ahsan Wrote: There exist some very dangerous bugs in the Sentora as well. A user can compromise domains of other users and all. I have sent a private message to TGates and Me.B about the issue.
No response yet.

Is this in the FTP client (File Manager) at the bottom of your control panel your talking about?
 
Can you shed some more light on this….?
Reply
Thanks given by: apinto
#14
RE: Security
(07-15-2015, 12:13 AM)ahsan Wrote:
(07-14-2015, 09:49 PM)Dave Wrote:
(07-14-2015, 09:22 PM)ahsan Wrote: There exist some very dangerous bugs in the Sentora as well. A user can compromise domains of other users and all. I have sent a private message to TGates and Me.B about the issue.
No response yet.

Is this in the FTP client (File Manager) at the bottom of your control panel your talking about?
 
Can you shed some more light on this….?

I see your point. But this is exactly the same issue I talked with you earlier, it has nothing to do with the apache user.
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

[Image: vanguardly-logo-micro.png]
Graphic and Web Design. Development.
www.vanguardly.com


Reply
Thanks given by:
#15
RE: Security
There is some problem with forum replies. My reply was totally removed and it just posted my quoted replies.
I'm uploading video POC.
Reply
Thanks given by:
#16
RE: Security
Please check this post
http://forums.sentora.org/showthread.php?tid=1766
Reply
Thanks given by:
#17
RE: Security
Why do you have HostExplorer installed?
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

[Image: vanguardly-logo-micro.png]
Graphic and Web Design. Development.
www.vanguardly.com


Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Security update dicussion Eulogy 1 6 ,366 05-29-2017, 04:58 PM
Last Post: Me.B

Forum Jump:


Users browsing this thread: 1 Guest(s)