Comments
There was something on WHT from Patrick (Rack911) who said not to use CyberPanel at the moment, but no further details were given.
Then Steven confirmed. Not sure what they've found out, but I would NOT use it either if they are recommending not to.
http://www.webhostingtalk.com/showthread.php?t=1770316&p=10158705#post10158705
Brother... at first look you don't even have to be a developer / programmer to notice that's some serious SQL injection vulnerability right there. I mean, especially if the other parts of the code use this kind of query concatenation.
Well, I don't code, so I'm not getting what's wrong there. I'm only able to read the code and understand what it does, more or less.
Yeah, well, maybe not especially in this code, since there is not much user input there, but the technique: he is concatenating the query. In utopia he would be using parameters and prepared SQL queries/command statements at minimum. Now what about the rest of the code... if it is like this... that's a big yikes. Anyway, it's open source, right? Anybody can put in a patch.
No code should concatenate strings to form SQL queries as it's a vulnerability that can be exploited through SQL injection: https://en.wikipedia.org/wiki/SQL_injection
In Python he should have used an ORM like https://www.sqlalchemy.org/
Yeah, that's a biiiig yikes. But well, maybe the other parts of the code are done correctly?
I doubt it. That file is full of SQL string concatenation.
Well, too bad. This is a sign of a "less" experienced developer, and it's indeed hard to put your trust in that code.
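A runnable illustration of the concatenation problem the posts above are pointing at, added here as an example; it is not CyberPanel's code. It builds an in-memory SQLite database with constructed sample rows (the `websites` and `panel_users` tables are invented for the demo) and runs the same owner lookup both ways, first with the value spliced into the SQL text and then with a bound parameter. Django's `cursor.execute(sql, params)` and `Model.objects.raw(sql, params)` take parameters in the same shape, so the fix looks the same where a raw query really is needed.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for a panel's backend.
    Schema, rows and the fake hashes are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE websites (domain TEXT, owner TEXT)")
    conn.execute("CREATE TABLE panel_users (username TEXT, passwordHash TEXT)")
    conn.executemany("INSERT INTO websites VALUES (?, ?)", [
        ("alice.example", "alice"),
        ("bob.example", "bob"),
        ("admin.example", "admin"),
    ])
    conn.executemany("INSERT INTO panel_users VALUES (?, ?)", [
        ("admin", "$6$fakehash$admin"),
        ("alice", "$6$fakehash$alice"),
    ])
    return conn


def sites_for_owner_vulnerable(conn, owner):
    """The pattern discussed in the thread: the caller's value is spliced into
    the statement text, so a quote inside it closes the string literal and
    everything after it is parsed as SQL."""
    query = "SELECT domain FROM websites WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(query)]


def sites_for_owner_safe(conn, owner):
    """Parameterized: the SQL text is fixed and the value travels separately,
    so the driver can only ever compare it as a string. Django's
    cursor.execute(sql, [params]) and Model.objects.raw(sql, params) take
    parameters the same way."""
    query = "SELECT domain FROM websites WHERE owner = ?"
    return [row[0] for row in conn.execute(query, (owner,))]


# Two constructed payloads: the first widens the WHERE clause to every row,
# the second pulls rows out of an unrelated table through UNION and comments
# out the trailing quote with "--".
TAUTOLOGY = "bob' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username || ':' || passwordHash FROM panel_users --"


def demo():
    """Run both lookups against both payloads and return the results."""
    conn = make_db()
    return {
        "vuln_normal": sites_for_owner_vulnerable(conn, "bob"),
        "vuln_tautology": sorted(sites_for_owner_vulnerable(conn, TAUTOLOGY)),
        "vuln_union": sorted(sites_for_owner_vulnerable(conn, UNION_DUMP)),
        "safe_tautology": sites_for_owner_safe(conn, TAUTOLOGY),
        "safe_union": sites_for_owner_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable function returns every domain for the tautology payload and the contents of `panel_users` for the UNION payload; the parameterized one returns an empty list for both, because no owner is literally named `bob' OR '1'='1`. Note that the "not much user input" point in the thread does not make concatenation safe: a value that is not user input today (a domain name, a username read back from the database) becomes one as soon as another code path lets a customer set it.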
This sounds like Kloxo all over again.
Mod edit. Removed inappropriate comment.
@cyberpersons can you provide an update regarding the message from Rack911 and what others have said here?
Thanks guys, I appreciate the brief explanation. Looks bad indeed.
He's doing this for free though; everyone is allowed to come in and fork and fix. I am impressed he's still going strong with this. And did you really think a program with one developer that's also free would be as secure as a corp's software? C'mon.
Sorry, but it's not free. He is part of LiteSpeed and they do charge for the Enterprise licenses. They just give the alternative to run it free of cost with OpenLiteSpeed, and a free tier with the Enterprise version.
It's a business with a free version, call it what you would like. Offering a free version and a free tier of the Enterprise version is just marketing.
Their obligation is to keep it as secure as possible. I am not a coder at all, but my understanding is that the vulnerability pointed out here is really bad and no serious programmer would have made such a basic mistake.
Don't get me wrong @emgh, you may have never heard of their paid licenses and their being part of LiteSpeed, but it is what it is and these are just my 50 cents. Yeah boy.
Cheers
Not free bro..
https://cyberpanel.net/cyberpanel-enterprise/
Sure, I guess you're right. I wouldn't go so hard on him though; this panel is probably not really anything that's profitable for them.
It's still fine if you are the only user.
But if you are going to use it to sell web hosting you may wanna think twice.
I was very close to purchasing a paid license, and close to moving to CyberPanel. I am glad I did not. He needs to seek help from his colleagues to double-check his code. I understand he/they may have good intentions, but in the end it's a business, and businesses rely on them too. Whether it is profitable or not is not our concern. At this moment it is not viable. I truly hope they figure it out, as I actually like their panel and the effort of building an alternative. It's such a responsibility though, even more when you are selling it.
He'll come around with fixes. He is probably fixing that code now. Hopefully. It's not like cPanel was perfect at any time anyway, but they were given time to fix it.
I forgot to mention their Premium Cloud link in the header. It goes to www.cyberhosting.org, what nonsense.
You can't even advertise CyberPanel as a panel to your clients; they might just sign up with cyberhosting.
Yeah, a total business. Not sure about the complete affiliation with LiteSpeed; I was told that was the case from a very legit source. Still, they profit from LiteSpeed and CyberPanel bundles, and even more from the Premium Cloud.
Sorry, but, CyberPanel guy, stop selling it, advise your Premium Cloud customers to disable it for now, and fix your damn shit.
cyberhosting is very confusing. First they touted platform optimization, then moved it entirely to paid cyberhosting.
@lonea I don't think that comment was called for. Suicide is not a matter to joke around with, however way you put it.
Last comment here, as I don't want to insist further.
Totally agree with you.
Why do you think I was joking?
There was no LOL, hahaha.
Stating something that happened in the past doesn't mean it's a joke.
Out of all the things that have been said on here (racist things included), you are trying to call me out?
Give me a break.
I'm just pointing out some code that may put customers and businesses in danger. It's certainly a lot of work to develop a control panel, and I am not minimizing his effort.
Hello
So after the cPanel price hike, many people requested a security review of CyberPanel from Patrick (rack911labs). 2 days ago he sent us a detailed report of the issues in CyberPanel.
So we started working on fixing them. Just to clear up some confusion:
Some people think that CyberPanel runs as root or a sudo user because some commands use sudo in them. CyberPanel itself does not run as root or a sudo user; however, since it is old code, sudo still remains as part of some commands.
So for functions that require root escalation, CyberPanel contacts the LSCPD daemon, which runs as root (it is a modified version of OpenLiteSpeed) and which then runs the commands. However, some functions can be run not as root; we have reviewed and adjusted this in this release. LSCPD can drop privileges to run those commands.
For communication, a UDS socket is used with an authorization token.
There was input sanitization earlier as well, but it turned out to be not enough. Sanitization was not at the function level; it was performed using Django middleware. But it is much better now.
We've thoroughly gone through the mentioned issues and produced a quick release to address them. Summary of what we've done:
All the functions available to normal users that require shell now run as that user, by passing the external app user to drop privileges through LSCPD.
Strong sanitization.
Some functions are further split where root escalation is required; they are then called with root privileges.
We have just released the version. Due to major changes there might be minor bugs here and there, but we can quickly fix them as soon as something is pointed out.
For MySQL, CyberPanel uses the Django ORM. There are some instances where raw queries are used, but they are looked out for.
Since this is a quick release to cover the majority of things they discovered (we are very thankful for that), we will dig deeper to do more thorough reviews. Any feedback is appreciated and we'll try to fix ASAP. Meanwhile, we encourage everyone to upgrade to this safer version.
We also thank the great community support; that really motivates us to make CyberPanel better and more secure.
Finally, much thanks to Rack911labs. We will further reach out to Rack911labs for further review of the changes to make sure everything is in the right order.
Thank you.
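The design the post above describes (unprivileged panel code talking to a root daemon over a Unix domain socket with a token, the daemon dropping to the site's user before running anything, checks done per function rather than in middleware) in a runnable form. This is an added example written for this page, not LSCPD or CyberPanel code; the JSON message shape, the two-entry command table and the `/home/<user>` layout are assumptions. `authorize()` and `validate_path()` are the parts that can be exercised offline; `serve()` and `drop_privileges()` need to run as root on Linux.

```python
import hmac
import json
import os
import pwd
import re
import socket
import struct
import subprocess

# Hypothetical command table (assumption: LSCPD's real protocol and command set
# are not shown on the page). The web process sends a command name, a target
# user and typed arguments; the privileged side builds argv itself, so no
# caller-supplied shell text ever reaches a shell.
ALLOWED_COMMANDS = {
    "list_dir": ["ls", "-la", "{path}"],
    "disk_usage": ["du", "-sh", "{path}"],
}
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_path(path, user):
    """Return the normalized path if it stays inside /home/<user>, else None."""
    if not path.startswith("/"):
        return None
    norm = os.path.normpath(path)  # collapses "..", "//" and a trailing "/"
    home = "/home/" + user
    if norm != home and not norm.startswith(home + "/"):
        return None
    if not all(PATH_SEGMENT_RE.match(seg) for seg in norm.split("/")[1:]):
        return None
    return norm


def authorize(token, expected_token, request):
    """Function-level check of one request from the unprivileged side.
    Returns {"ok": True, "argv": [...], "user": name} or {"ok": False, "reason": ...}."""
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return {"ok": False, "reason": "bad token"}
    name = request.get("command")
    if not isinstance(name, str) or name not in ALLOWED_COMMANDS:
        return {"ok": False, "reason": "unknown command"}
    user = str(request.get("user", ""))
    if not USERNAME_RE.match(user) or user == "root":
        return {"ok": False, "reason": "bad user"}
    args = request.get("args") or {}
    argv = []
    for part in ALLOWED_COMMANDS[name]:
        if part == "{path}":
            path = validate_path(str(args.get("path", "")), user)
            if path is None:
                return {"ok": False, "reason": "invalid path"}
            argv.append(path)
        else:
            argv.append(part)
    return {"ok": True, "argv": argv, "user": user}


def drop_privileges(user):
    """preexec_fn: in the forked child, before exec, become the target user.
    Order matters (groups, then gid, then uid) or setuid locks out the rest.
    Refuses uid 0 so a misconfigured account cannot yield a root process."""
    pw = pwd.getpwnam(user)
    if pw.pw_uid == 0:
        raise RuntimeError("refusing to run as uid 0")
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def run_request(token, expected_token, request):
    """Authorize, then run the fixed argv (no shell) as the site's user."""
    decision = authorize(token, expected_token, request)
    if not decision["ok"]:
        return decision
    proc = subprocess.run(decision["argv"], capture_output=True, text=True,
                          preexec_fn=lambda: drop_privileges(decision["user"]))
    return {"ok": True, "rc": proc.returncode, "stdout": proc.stdout, "stderr": proc.stderr}


def peer_uid(conn):
    """Kernel-asserted uid of the process at the other end of a Unix socket
    (Linux SO_PEERCRED). A bearer token can be copied; this cannot."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def serve(sock_path, expected_token, web_uid):
    """Root-side loop: one JSON request per connection, answered with JSON."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o660)  # owner root, group = the web process's group
    srv.listen(8)
    while True:
        conn, _ = srv.accept()
        with conn:
            if peer_uid(conn) != web_uid:
                conn.sendall(b'{"ok": false, "reason": "wrong peer"}')
                continue
            msg = json.loads(conn.recv(65536).decode())
            conn.sendall(json.dumps(run_request(msg.get("token", ""), expected_token, msg)).encode())
```

Two points a reviewer of such a daemon would check. The token is a bearer secret: anything that can read both the socket and the token file can replay it, so `peer_uid()` binds the socket to the web process's uid with a value the kernel supplies rather than the client. And the request carries no command text at all; a path like `/home/alice/../root/.ssh` or `/home/alice/x;id` is rejected by `validate_path()` before any process is spawned, which is the difference between validating at the function that spawns and hoping middleware caught it earlier.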
Look at you, good job.
@cyberpersons, is there any guide on how to use Apache as a proxy with CyberPanel? Is this exclusive to your cyberhosting hosting company?
@cyberpersons great attitude. Congrats and good luck with your project!
Hi @niceboy currently we have a discussion on the forum about it, feel free to come and participate https://forums.cyberpanel.net/discussion/1485/apache-as-backend