Sentora Poorly managed hosting accounts
#1
Hello,
Today I replied in this thread about some security issues of Sentora.
And in this post, I'll give a POC.
How easy it is to exploit Sentora hosting accounts.
This should be considered a friendly 'exploitation'.
Sentora needs to improve the security of their hosting accounts.
Here is the video link:
http://www.dailymotion.com/video/x2xzlqp


@[apinto] check this.
Thanks given by: apinto
#2
RE: Sentora Poorly managed hosting accounts
ahsan, how did you install the Terminal Emulator (HostExplore)?
#3
RE: Sentora Poorly managed hosting accounts
(07-15-2015, 02:36 AM)apinto Wrote: @[ahsan], how did you install the Terminal Emulator (HostExplore)?

That is just a Perl script. I bypassed the security measures with custom .htaccess handlers.
#4
RE: Sentora Poorly managed hosting accounts
I thought Perl wasn't part of Sentora..
And if I remember it correctly, it was removed already for security reasons a long time ago.
#5
RE: Sentora Poorly managed hosting accounts
(07-15-2015, 02:46 AM)Ron- Wrote: I thought Perl wasn't part of Sentora..
And if I remember it correctly, it was removed already for security reasons a long time ago.

But this is not about Perl, mate. This is about the hosting management.
Suppose you and I are on the same server using Sentora, and I get hacked, and the hacker on my account uses the same techniques that I used in the video.
There are other ways to do a back connect than Perl: C, Python, PHP, and the list goes on.
#6
RE: Sentora Poorly managed hosting accounts
So if you have no Perl installed on Sentora, this is not possible, right?!
JUST SAW THE POST ABOVE

SOLUTIONS!!!!
#7
RE: Sentora Poorly managed hosting accounts
If you don't have Perl installed, you cannot use this way. But you have PHP installed (of course you have), and there are too many scripts out there which will do the job for you :/
#8
RE: Sentora Poorly managed hosting accounts
Me.B 5050 motters kandrews ballen
#9
RE: Sentora Poorly managed hosting accounts
ahsan, the issue you posted is a real one; however, it was already said by the Sentora dev team that Perl is NOT supported due to this issue.

You have a house with a locked door... you open a huge hole in the wall and complain about security... I guess this was why Me.B did not reply to you.

Sentora does NOT use system accounts, it uses a single apache account.

If you want to make a POC (Proof of Concept), please do it on a clean Sentora default install.
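A defender-side audit script, added here as an example and not part of this thread or of Sentora itself: given a list of vhost document roots (the paths are an assumption, since the thread does not show Sentora's layout), it reports whether they all run under one uid, which is the single-apache-account condition described above, and counts .htaccess files that register custom handlers, the mechanism mentioned in #3.

```shell
#!/bin/sh
# Shared-hosting audit (example, not Sentora code). Two checks a server
# admin would want after reading this thread:
#   1. do all document roots belong to the same uid? (one compromised
#      site can then read/write every other site's files)
#   2. do any .htaccess files register their own handlers? (the thread's
#      author used custom handlers to run a script the panel did not ship)

# Print "shared" if every given document root is owned by the same uid,
# otherwise "separate". Works with GNU stat (-c) and BSD stat (-f).
docroot_owner_check() {
    first=""
    for d in "$@"; do
        uid=$(stat -c '%u' "$d" 2>/dev/null || stat -f '%u' "$d")
        if [ -z "$first" ]; then
            first=$uid
        elif [ "$uid" != "$first" ]; then
            echo separate
            return 0
        fi
    done
    echo shared
}

# Count .htaccess files under the given document roots that contain an
# AddHandler, SetHandler or Action directive (case-insensitive, any indent).
htaccess_handler_count() {
    find "$@" -name .htaccess \
        -exec grep -lEi '^[[:space:]]*(AddHandler|SetHandler|Action)[[:space:]]' {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Usage: sh audit.sh /var/www/site1 /var/www/site2 ...   (paths assumed)
if [ "$#" -gt 0 ]; then
    echo "document-root ownership: $(docroot_owner_check "$@")"
    echo ".htaccess files registering handlers: $(htaccess_handler_count "$@")"
fi
```

On a box where the second check is non-zero, the next step is to restrict AllowOverride for those vhosts so the directive is ignored rather than honoured.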
#10
RE: Sentora Poorly managed hosting accounts
(07-15-2015, 02:51 AM)ahsan Wrote: There are other ways to do a back connect than Perl: C, Python, PHP, and the list goes on.

I get your point; Sentora version 2/major update will work in a different way.
If I remember it correctly, each user gets their own user, like some other control panels are using.
If that's what you are talking about, that is already known and spoken of multiple times.
But for the time being, none of them are installed in the default setup except PHP, which is protected/locked in by Suhosin.