
Sentora Poorly managed hosting accounts
#11
RE: Sentora Poorly managed hosting accounts
apinto, you're not getting the point here, bro.
Don't use Perl. Use a PHP script. It'll do the job for you. Read my replies above your post. I did nothing; I just uploaded the script and an .htaccess file.
An attacker would do that.
P.S. You have to secure your system from attackers, not by yourself.
#12
RE: Sentora Poorly managed hosting accounts
ahsan (got the PM this morning, so now checking and replying).

1. Perl/CGI are not supported and are totally insecure for use under Sentora.
Anything that would require Perl/CGI won't work here, as we never install such packages or deploy the config to support them. We even disable all the related modules in Apache.

2. SSH access is never provided for any user. We don't support it and don't think we will, even if we jail each user.

See here:

http://forums.sentora.org/showthread.php?tid=1333

On the first 1.0 release we left CGI enabled by default on CentOS 6, while on CentOS 7 and Ubuntu 12/14 it's disabled by default. So you can't run any CGI script.

So what rootkit did you use here? I will be happy to test this again.

It seems your exploit worked on CentOS 6.5? Did you test a CentOS 7 install? Which installer did you use exactly? Feel free to PM me the info if you can, too.

What I see is directory traversal using CGI. We disabled CGI mainly so you can't in any way set a symbolic link to other directories, as CGI is not correctly sandboxed in previous releases. This is why we issued a patch, merged into the installer, that removes all CGI modules from CentOS 6.5.
M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
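An added example, not code from this thread or from the Sentora project: a POSIX shell audit for the Apache settings Me.B describes above, namely CGI modules and handlers, ExecCGI and FollowSymLinks on a user document root, and an AllowOverride that would let an uploaded .htaccess switch those options back on. The two sample configs, the /var/sentora/hostdata path and the directive set chosen for the hardened block are assumptions made for illustration, not Sentora's shipped configuration.

```shell
#!/bin/sh
# Added example (not from the thread or from Sentora): audit an Apache config
# for CGI execution, symlink following and .htaccess overrides that could
# re-enable them. Paths and directive choices below are assumptions.

# Constructed sample configs, not copied from any real install.
WEAK_FILE=$(mktemp)
cat >"$WEAK_FILE" <<'EOF'
LoadModule cgi_module modules/mod_cgi.so
<Directory "/var/sentora/hostdata">
    Options +FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi .pl
    AllowOverride All
</Directory>
EOF

HARDENED_FILE=$(mktemp)
cat >"$HARDENED_FILE" <<'EOF'
#LoadModule cgi_module modules/mod_cgi.so
<Directory "/var/sentora/hostdata">
    Options -ExecCGI -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig Indexes Limit
</Directory>
EOF
trap 'rm -f "$WEAK_FILE" "$HARDENED_FILE"' EXIT

# audit_conf FILE: print one line per weak directive found; return 0 when the
# file is clean and 1 otherwise. Every pattern is anchored at the start of the
# line, so commented-out directives (#LoadModule ...) do not count.
audit_conf() {
    f=$1
    n=0
    chk() {  # chk REGEX MESSAGE
        if grep -Eq "$1" "$f"; then
            echo "$f: $2"
            n=$((n + 1))
        fi
    }
    # mod_cgi or mod_cgid loaded at all
    chk '^[[:space:]]*LoadModule[[:space:]]+cgid?_module' 'mod_cgi/mod_cgid is loaded'
    # an extension mapped to the CGI handler
    chk '^[[:space:]]*AddHandler[[:space:]]+cgi-script' 'cgi-script handler is mapped'
    # ExecCGI switched on, either explicitly or via "Options All";
    # "-ExecCGI" is preceded by "-" and therefore does not match
    chk '^[[:space:]]*Options.*[[:space:]]\+?(ExecCGI|All)([[:space:]]|$)' 'ExecCGI is enabled'
    # FollowSymLinks lets a user symlink into other accounts' directories;
    # SymLinksIfOwnerMatch only follows links owned by the target's owner
    chk '^[[:space:]]*Options.*[[:space:]]\+?(FollowSymLinks|All)([[:space:]]|$)' 'FollowSymLinks is enabled (use SymLinksIfOwnerMatch)'
    # AllowOverride All, or any list containing Options, lets a dropped
    # .htaccess re-enable ExecCGI/FollowSymLinks for that directory
    chk '^[[:space:]]*AllowOverride[[:space:]]+(All([[:space:]]|$)|.*Options)' '.htaccess may re-enable Options'
    [ "$n" -eq 0 ]
}

# Stand-alone demo over the two constructed files.
for cfg in "$WEAK_FILE" "$HARDENED_FILE"; do
    if audit_conf "$cfg"; then
        echo "$cfg: OK"
    else
        echo "$cfg: weak settings found"
    fi
done
```

Run the function over every file Apache actually includes (on 2.4, `apachectl -t -D DUMP_INCLUDES` lists them), not only httpd.conf: a clean main config still loses if a conf.d snippet or a vhost block re-adds the handler or sets AllowOverride All for a docroot.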
#13
RE: Sentora Poorly managed hosting accounts
(07-15-2015, 03:30 AM)Me.B Wrote: @[ahsan] (got the PM this morning, so now checking and replying).

1. Perl/CGI are not supported and are totally insecure for use under Sentora.
Anything that would require Perl/CGI won't work here, as we never install such packages or deploy the config to support them. We even disable all the related modules in Apache.

2. SSH access is never provided for any user. We don't support it and don't think we will, even if we jail each user.

See here:

http://forums.sentora.org/showthread.php?tid=1333

On the first 1.0 release we left CGI enabled by default on CentOS 6, while on CentOS 7 and Ubuntu 12/14 it's disabled by default. So you can't run any CGI script.

So what rootkit did you use here? I will be happy to test this again.

It seems your exploit worked on CentOS 6.5? Did you test a CentOS 7 install? Which installer did you use exactly? Feel free to PM me the info if you can, too.

What I see is directory traversal using CGI. We disabled CGI mainly so you can't in any way set a symbolic link to other directories, as CGI is not correctly sandboxed in previous releases. This is why we issued a patch, merged into the installer, that removes all CGI modules from CentOS 6.5.
M B

Check your PM, please.
#14
RE: Sentora Poorly managed hosting accounts
Got it and replied, thanks.
M B
#15
RE: Sentora Poorly managed hosting accounts
Fixed https://github.com/sentora/sentora-core/issues/189
My Sentora Resources
[Module] Mail Quota Count | Vagrant Box with Sentora

Graphic and Web Design. Development.
www.vanguardly.com
#16
RE: Sentora Poorly managed hosting accounts
OK, good. I need to validate my other side too.

M B
#17
RE: Sentora Poorly managed hosting accounts
Is this how ahsan was able to do the hack in the video, because of this module?
I have disabled it in the Admin Module for all users, including Admin. Will that be safe?
I am running AWServer+ZepanelX on Windows 7.
#18
RE: Sentora Poorly managed hosting accounts
(07-16-2015, 02:50 AM)Dave Wrote: Is this how ahsan was able to do the hack in the video, because of this module?
I have disabled it in the Admin Module for all users, including Admin. Will that be safe?
I am running AWServer+ZepanelX on Windows 7.

ahsan was able to hack using an installed Perl script (that is disabled by default on Sentora), so unless you enabled Perl yourself, that hack will not have any effect in your case.

That said, disabling the FTP module was a wise move for now, but the issue was already fixed and a patch should be released very soon.
#19
RE: Sentora Poorly managed hosting accounts
(07-16-2015, 04:45 AM)apinto Wrote: ahsan was able to hack using an installed Perl script (that is disabled by default on Sentora), so unless you enabled Perl yourself, that hack will not have any effect in your case.

The Windows version from MarkDark (AWServer) has Perl installed (see link and/or quote below), so Windows users are possibly vulnerable to this hack.

(06-19-2015, 12:57 AM)MarkDark Wrote: As a basic platform for the server, the following components:

Apache v2.2.29
PHP v5.5.26 + PEAR
MySQL v5.5.43
Perl v5.16.3
ImageMagick v6.9.0
FileZilla v0.9.49
hMailServer v5.4.2-B1964
nnCronLie v1.17
BIND v9.9.7
Sendmail for Win v1.0
Webalizer v2.23-04 + GeoIP
nnBackup v3.01

My Sentora Demo | My Github | Auxio Github
Zentora theme | S-Type theme | CstyleX theme
flat-color-icons | small-n-flat-icons

Sentora's development takes way too long, so I'm transitioning to HestiaCP.
#20
RE: Sentora Poorly managed hosting accounts
(07-16-2015, 05:55 AM)Ron-e Wrote:
(07-16-2015, 04:45 AM)apinto Wrote: ahsan was able to hack using an installed Perl script (that is disabled by default on Sentora), so unless you enabled Perl yourself, that hack will not have any effect in your case.

The Windows version from MarkDark (AWServer) has Perl installed (see link and/or quote below), so Windows users are possibly vulnerable to this hack.

(06-19-2015, 12:57 AM)MarkDark Wrote: As a basic platform for the server, the following components:

Apache v2.2.29
PHP v5.5.26 + PEAR
MySQL v5.5.43
Perl v5.16.3
ImageMagick v6.9.0
FileZilla v0.9.49
hMailServer v5.4.2-B1964
nnCronLie v1.17
BIND v9.9.7
Sendmail for Win v1.0
Webalizer v2.23-04 + GeoIP
nnBackup v3.01

That's right, Ron-e, there is Perl v5.16.3 in AWServer on Windows. Could MarkDark reply on this security issue?

For the time being I took the Perl folder out of the AWServer folder on Windows 7, so there is no Perl present (the folder at least). I don't know if, security-wise, that would be a fast fix for now.