Zpanel security risk (maybe) can execute daemon.php via Web Browser

painfreepc Member
edited December 2013 in General

Just this from http://forums.zpanelcp.com/thread-9884.html,
I am sharing it here.

xekhz said:

daemon.php - /etc/zpanel/panel/bin/
I can execute daemon.php located in /etc/zpanel/panel/bin/daemon.php via web browser.

http://IPADDRESS/bin/daemon.php

It discloses a bunch of information.
Shouldn't there be an .htaccess not permitting file access in the /etc/zpanel/panel/bin/ directory?

thanks


ballen said:

RE: daemon.php - /etc/zpanel/panel/bin/
Yes, absolutely... not quite sure how this got through, but I'll get this added to the .htaccess file!

Just for others reading this thread: the information that this discloses is the output of what you see when you run the daemon manually (duh lol), so although it does disclose local server paths to hosting directories, hosted domain names and log file locations, this doesn't disclose 'personal information' as such. So although this will be fixed ASAP, I do not deem this a 'security risk' as such.

Cheers,
Bobby


TumTum said:

RE: daemon.php - /etc/zpanel/panel/bin/
For people:

Add: RewriteRule ^bin/daemon\.php$ - [F,L]
in /etc/zpanel/panel/.htaccess

With this rule, the daemon is blocked in your web browser.
So SSH: php -q /etc/zpanel/panel/bin/daemon.php

This works too for full bin directory + file:
RewriteRule ^(bin/) - [F,L,NC]

Or send the abuser to a funny website:
Redirect 301 /bin/daemon.php http://frankly.pitas.com/

But you will fix issues like this in the next release? Because for other users it is maybe a security risk.


ballen said:

Absolutely, this will be blocked in the next release (goes without saying :))

Cheers,
Bobby
Bobby Allen
ZPanel Head Developer & Project Leader


---- this is the fix I used --------

MathDerVakker said:

My solution:
If you want to block all direct access to the daemon but still want the daemon to work in Zpanel itself,
just put this .htaccess file in the 'bin' directory (on CentOS: /etc/zpanel/panel/bin):

    AuthType Basic
    <Limit GET>
        order deny,allow
        deny from all
        allow from localhost
        allow from 127.0.0.1
    </Limit>
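
The same bin/.htaccess lock-down written for both Apache 2.2 and 2.4, added here as an example and not taken from the ZPanel thread or the ZPanel project. It assumes AllowOverride permits these directives for /etc/zpanel/panel/bin and keeps the thread's localhost exception; the `Require local` form and the `<IfModule>` switch are not in the original posts.

```apache
# Added example, not from the ZPanel thread: /etc/zpanel/panel/bin/.htaccess
# Assumes AllowOverride allows Limit/AuthConfig directives for the bin directory.
# Goal: no web access to anything in bin/ (daemon.php included), while the
# daemon still runs from a shell or cron: php -q /etc/zpanel/panel/bin/daemon.php
#
# Deliberately no <Limit GET> wrapper: <Limit GET> only restricts GET (and HEAD),
# so a request using any other method to daemon.php would not be covered.

# Apache 2.4 (mod_authz_core present): "Require local" matches 127.0.0.0/8, ::1
# and the server's own address, the same exception the thread's fix carries.
<IfModule mod_authz_core.c>
    Require local
</IfModule>

# Apache 2.2 (mod_authz_core absent): old-style Order/Deny/Allow syntax.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</IfModule>
```

After reloading Apache, a remote `curl -sI http://IPADDRESS/bin/daemon.php` should return 403 rather than the daemon's output, while `php -q /etc/zpanel/panel/bin/daemon.php` on the server still works.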

Comments

  • Saiku Member, Host Rep

    Why am I not surprised...

  • There is a whole thread on here on why not to use zpanel.

    http://lowendtalk.com/discussion/10391/the-security-trainwreck-that-is-zpanel

    ahhh there it is! ^^

    As such, you are frankly an idiot for using it....

    Mun

  • perennate Member, Host Rep

    The security issue is information disclosure (hosted domain names and log file paths). It's an issue but not a severe one.

  • jar Patron Provider, Top Host, Veteran

    They just keep getting comfortable thinking it's production ready when it just isn't. It has a ton of potential, if they'd work harder. Charge money, close the source, if that's what you have to do. Half-assing it just isn't an answer.

  • @jarland said:
    They just keep getting comfortable thinking it's production ready when it just isn't. It has a ton of potential, if they'd work harder. Charge money, close the source, if that's what you have to do. Half-assing it just isn't an answer.

    I think nobody in their right mind should/would buy it if it's closed source, because of the [past] security risks. Oh well except people still use WHMCS and SolusVM, so maybe they would. I know I wouldn't :)
