Sentora (Alternative to ZPanel) Warning
From HostingSecList,
General Security Warning
We are issuing a general security warning to all users of Sentora to bring attention to the lack of security within their software.
Sentora, a fork of ZPanel, contains numerous high priority security vulnerabilities that could allow any untrusted users to obtain root access with little to no effort. In one case, a highly publicized security vulnerability that was present within ZPanel still exists in Sentora.
The use of this control panel in an untrusted environment is a bad idea and we must strongly discourage such activity at this time. Sentora is NOT ready for production use in the 'real world' and continued use will put you at risk of being compromised.
We're seeing Sentora be recommended more frequently on various forums; please stop that until further notice. Normally we do not issue a general security warning, but due to the continued recommendations and lack of knowledge by the developer(s), we simply cannot allow such insecure software to plague the hosting community.
Discussion in WHT: http://www.webhostingtalk.com/showthread.php?p=9399137
Comments
@Me_B does this give an insight into the security issues I asked about?
My question is: what "high priority security vulnerabilities"?
That WHT poster does not show any examples on his site, www.HostingSecList.com.
Doesn't surprise me one bit. Same developers, Same code, Same crap.
Patrick works for Rack911; I'm sure they won't show examples until the developers have been informed and had decent time to update the code.
Agreed with this.
Patrick is pretty trusted and is good at what he does so I'm sure he has a valid reason for his warning.
There have been a few comments over the past months suggesting Sentora could be fully used to get root access in less than 15 minutes. Though I do not know if the 15 minutes was to find the actual bug in the code, or if the 15 minutes is how long it takes to exploit it. I think the first option. Nonetheless, it has already been stated on this forum that Sentora has been tested and can be used to garner root access.
I can't say I'm shocked to hear this. They should consider putting security-focused developers on, and maybe it won't turn out as bad.
My opinions are mine and mine alone, and should not reflect my company, employer, or any of its affiliates.
Agreed. Rack911 are pretty reliable.
Fixed that for you
Thank you :P
TBH, we have had much fewer cases of hacked ZPanel/Sentora installations lately. I do not know if this is because people learned the lesson or it is indeed a bit better in security; from what I read here, I think the former case applies.
CentOS Web Panel is rather AWESOME compared to this crap!
We all suspected the probability but I would prefer the usual style of "found X vulnerability, is of Y priority" myself. Maybe it's worthy of a generic warning, maybe he's actually basing this off of conversations with the developer. I would hope so, otherwise it doesn't read entirely mature in nature. That's just my honest opinion.
My honest advice to the writer, be specific and straight forward. "I found X number of vulnerabilities that allow root privilege escalation" and move on. It is rather important that a developer be expected to quickly fix these issues and then shamed when they do not. The facts and expectation should come before the shaming.
Given where they forked code from, I am particularly interested in whether they deserve the shame or whether they will step up and get to work.
There was a previous case where Patrick and Rack911 posted a thread on WHT with a warning to users of a piece of software (which one I don't remember).
In that case they had contacted the developer but the dev never replied back. Something like that; I can't remember the details of that story. It created a very long thread at WHT.
It was for Zamfoo (WHM master reseller addon):
http://www.webhostingtalk.com/showthread.php?t=1275572
Hi guys,
I see that the discussion is starting at WHT and no example of a flaw has been given so far. It is all "developers' attitude" again! Mainly due to the clash of one member of the team (doing support) over a flaw report. I had tried to get some feedback from low end users on that and asked more than once if they knew of a FLAW in ZPanel 10.1.1 (the latest that got fixes) or Sentora, and we got no reports or hints. Only "it's known ZPanel/Sentora is insecure crap", and I see it again more and more.
I sent a PM to Patrick on WHT hoping he gives more insight into any potential flaw so we can fix it. Hope I get more info or even recommendations on how we could improve security.
M B
OK, I already see about Zamfoo: "We reported two critical security vulnerabilities to Zamfoo approximately two weeks ago".
If you read Patrick's warning carefully, you will see no vulnerabilities like RCE reported, but a risk of user privilege escalation.
ZPanel got a lot of panels hacked, mainly old 10.0.2/10.1.0 (since then we got 2 main releases: ZPanel 10.1.1, which fixed RCE flaws, and Sentora/update). Since 10.1.0 we didn't get a report of vulnerabilities in the panel. Hope some can see that it's related to releases dating back to pre-2013.
I'm again happy to hear any feedback about issues in ZPanel 10.1.1 or Sentora 1.0. I think I said it already a lot here and still no reports.
M B
That was one HECK of a read you did there.
> I'm sorry but ZPanel and Sentora are walking security flaws, period. Same developers, same shitty attitude, same crappy software. If you really want that demonstrated, just keep asking for it.
I think he does and I don't think it's an unreasonable request that those who make accusations back them with evidence. I do not doubt your conclusion, but I believe it is only fair to back it up.
We need Localhost.re back... He would post them on his website for everyone to know about it.
Give them a break. They're trying to improve.
As far as I know, Sentora has reorganized the previous ZPanel dev team.
I was also of the opinion that disclosing vulnerabilities weakens governments and criminals, which are likely to use them for their own purposes, and developers are either unaware or unwilling to repair them for various reasons ranging from "nobody will ever think of that" to "if we release a patch so early after release, people will say we are incompetent".
Full disclosure benefits everyone, except governments and criminals. When there is a history of unwillingness, you don't even owe a few days' notice; Solus learned the lesson in the end.
From WHT:
Bob got email, but I don't get any email? WTF? setup alias
Not looking for explicit exploits, but found some really fucking shitty coding practices.
https://github.com/sentora/sentora-core/blob/1.0.0/dryden/db/builder.class.php#L33
There, you see a case where yes, they used PDO... in completely the wrong fucking way.
Inb4 code might have updated complaints.
But yeah, good on sentora for using PDO. clap clap
EDIT: Oh, and this charmer. https://github.com/sentora/sentora-installers/blob/master/sentora_install.sh#L316
EDIT 2: I'm fairly sure this one counts as a vuln. https://github.com/sentora/sentora-installers/blob/master/sentora_install.sh#L536
EDIT 3: Just asked, that doesn't need LD_PRELOAD to do its dirty work. Same difference. I didn't bother to read zsudo.c's code. But, in that case,
http://seclists.org/fulldisclosure/2013/Jun/39
Any claim to say that all of ZPanel's reported vulnerabilities were fixed, what's the verdict?
BULLSHIT, BULLSHIT, BULLSHIT.
When one constantly gets the same criticism from different people, one should perhaps start to wonder whether the criticism may be correct and do something about it - rather than just complaining about the criticism.
zsudo always was and still is a giant security risk. As of yet, it hasn't been replaced by sudo. Evidently reported issues are not fixed, either.
They already have one, CaffeineAddict (he has a different nickname now, but has moved over to Sentora as well). I suspect the other developers still aren't listening to him enough, like was the case with ZPanel. You can have security-minded developers on your team, but if the attitude of the rest of the team is rotten, you still won't end up with good software.
@joepie91 well, zsudo will be fixed for ever within weeks. We have been running an audit to identify all calls to zsudo. Myself, I don't understand the need for such a big gun while the core mainly needed to restart apache/bind.
It was supposed to be fixed in Feb, but the 2 main devs working on it were too busy (me and Pascal).
I myself don't like having that running. There are also more changes to come to add more sandboxing and complicate any hacker getting in.
I won't downplay this, but it's a privilege escalation issue here, not an RCE, AND WILL BE FIXED as it should be.
The solution will be to completely remove zsudo and replace it with a bash script that will filter input and only do service restart/reload as needed.
Notice @joepie91, I've been here for a while and requested feedback, and no one pointed out vulnerabilities besides zsudo, and there will soon be a lot of changes, as I said previously, to add more containment and reduce all used privileges.
M B
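One way to build the restricted restart/reload wrapper the post above describes, as an added example and not Sentora's code or the replacement its developers shipped; the service names, the /usr/sbin/service path, the svcctl name and the sudoers line are all assumptions:

```shell
#!/bin/sh
# Added example: a minimal allowlisting wrapper meant to be the ONLY command the
# web user may run through sudo, in place of a general-purpose setuid helper.
# Assumed sudoers line:  www-data ALL=(root) NOPASSWD: /usr/local/sbin/svcctl
set -eu

# Fixed PATH and a boring environment: nothing inherited from the caller
# decides which binaries run.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
unset IFS

# Allowlists use exact string matches, so "apache2; id" or "../x" can never match.
ALLOWED_ACTIONS="restart reload"
ALLOWED_SERVICES="apache2 httpd named bind9"   # assumed service names

in_list() {  # in_list NEEDLE WORD...  -> 0 only if NEEDLE equals one WORD exactly
    needle=$1; shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

validate_request() {  # validate_request ACTION SERVICE -> 0 only if both are allowed
    [ "$#" -eq 2 ] || return 1
    in_list "$1" $ALLOWED_ACTIONS || return 1
    in_list "$2" $ALLOWED_SERVICES || return 1
}

build_command() {  # prints the exact argv that would be executed, or fails
    validate_request "$1" "$2" || return 1
    printf '/usr/sbin/service %s %s\n' "$2" "$1"
}

run_request() {  # real entry point: validate, log, then exec a fixed argv
    if ! validate_request "$@"; then
        logger -t svcctl "rejected request from uid $(id -u): $*"
        echo "svcctl: usage: svcctl {restart|reload} SERVICE" >&2
        return 2
    fi
    logger -t svcctl "uid $(id -u) requested $1 of $2"
    exec /usr/sbin/service "$2" "$1"   # arguments are never re-parsed by a shell
}

# Only act when installed and invoked as svcctl; sourcing the file just defines
# the functions, which is how the checks below exercise them.
case "${0##*/}" in svcctl) run_request "$@" ;; esac
```

The rejected requests are logged with the caller's uid, which gives a cheap detection signal for anything probing the wrapper.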