Sentora (Alternative to ZPanel) Warning

MikePT Moderator, Patron Provider, Veteran

From HostingSecList,

General Security Warning

We are issuing a general security warning to all users of Sentora to bring attention to the lack of security within their software.

Sentora, a fork of ZPanel, contains numerous high priority security vulnerabilities that could allow any untrusted users to obtain root access with little to no effort. In one case, a highly publicized security vulnerability that was present within ZPanel still exists in Sentora.

The use of this control panel in an untrusted environment is a bad idea and we must strongly discourage such activity at this time. Sentora is NOT ready for production use in the 'real world' and continued use will put you at risk of being compromised.

We're seeing Sentora be recommended more frequently on various forums; Please stop that until further notice. Normally we do not issue a general security warning, but due to the continued recommendations and lack of knowledge by the developer(s), we simply cannot allow such insecure software to plague the hosting community.

Discussion in WHT: http://www.webhostingtalk.com/showthread.php?p=9399137


Comments

  • wych Member
    edited March 2015

    @Me_B does this give an insight into the security issues I asked about?

  • my question is - what "high priority security vulnerabilities" ?

    that WHT poster does not show any examples at his site www.HostingSecList.com

  • Doesn't surprise me one bit. Same developers, Same code, Same crap.

  • mikho Member, Host Rep

    @Mark_R said:
    my question is - what "high priority security vulnerabilities" ?

    that WHT poster does not show any examples at his site www.HostingSecList.com

    Patrick works for Rack911, I'm sure they won't show examples until the developers have been informed and had decent time to update the code.

    Thanked by 3: Licensecart, MikePT, lbft
  • edan Member

    @Mark_R said:
    my question is - what "high priority security vulnerabilities" ?

    that WHT poster does not show any examples at his site www.HostingSecList.com

    Agreed with this.

  • sin Member

    @Mark_R said:
    my question is - what "high priority security vulnerabilities" ?

    that WHT poster does not show any examples at his site www.HostingSecList.com

    Patrick is pretty trusted and is good at what he does so I'm sure he has a valid reason for his warning.

  • Mun Member

    There have been a few comments over the past months suggesting sentora could be fully used to get to root access in less than 15 minutes. Though I do not know if the 15 minutes was to find the actual bug in the code, or if the 15 minutes is how long it takes to exploit it. I think the first option. Nonetheless, it has already been stated on this forum that sentora has been tested and can be used to garner root access.

  • I can't say I'm shocked to hear this. They should consider putting security-focused developers on, and maybe it won't turn out as bad.

    My opinions are mine and mine alone, and should not reflect my company, employer, or any of its affiliates.

  • MikePT Moderator, Patron Provider, Veteran

    @mikho said:
    Patrick works for Rack911, I'm sure they won't show examples until the developers have been informed and had decent time to update the code.

    Agreed. Rack911 are pretty reliable.

  • mikho Member, Host Rep

    @MrGeneral said:
    Agreed. Rack911 are pretty reliable.

    Fixed that for you :)

    Thanked by 2: Licensecart, MikePT
  • MikePT Moderator, Patron Provider, Veteran

    @mikho said:
    Fixed that for you :)

    Thank you :P

  • Maounique Host Rep, Veteran

    TBH, we had much fewer cases of hacked zpanel/sentora installations lately. I do not know if this is because people learned the lesson or it is indeed a bit better in security; from what I read here, I think the former case applies.

  • Mahfuz_SS_EHL Host Rep, Veteran

    CentOS Web Panel is rather more AWESOME than this crap!

  • jar Patron Provider, Top Host, Veteran
    edited March 2015

    We all suspected the probability but I would prefer the usual style of "found X vulnerability, is of Y priority" myself. Maybe it's worthy of a generic warning, maybe he's actually basing this off of conversations with the developer. I would hope so, otherwise it doesn't read entirely mature in nature. That's just my honest opinion.

    My honest advice to the writer, be specific and straight forward. "I found X number of vulnerabilities that allow root privilege escalation" and move on. It is rather important that a developer be expected to quickly fix these issues and then shamed when they do not. The facts and expectation should come before the shaming.

    Given where they forked code from, I am particularly interested in whether they deserve the shame or whether they will step up and get to work.

    Thanked by 1: perennate
  • mikho Member, Host Rep

    There was a previous case where Patrick and rack911 posted a thread with a warning to users of a software (which one I don't remember) on WHT.

    In that case they had contacted the developer but the dev never replied back. Something like that, can't remember the details of that story. Created a very long thread at WHT.

  • @mikho said:
    There was a previous case where Patrick and rack911 posted a thread with a warning to users of a software (which one I don't remember) on WHT.

    In that case they had contacted the developer but the dev never replied back. Something like that, can't remember the details of that story. Created a very long thread at WHT.

    It was for Zamfoo (WHM master reseller addon):
    http://www.webhostingtalk.com/showthread.php?t=1275572

    Thanked by 2: mikho, RaidLogic
  • Me_B Member

    Hi guys,

    I see that the discussion has started at WHT and hasn't produced any example of a flaw so far. All is again "developers' attitude"! Mainly due to the clash of one member of the team (doing support) over a flaw report. I have tried to get low end users' feedback on that and asked more than once if they knew a FLAW in zpanel 10.1.1 (latest that got fixes) or sentora, and we got no reports or hints. Only "it's known zpanel/sentora is insecure crap", and I see it again more and more.

    I sent a PM to Patrick on WHT hoping he gives more insight into any potential flaw so we can fix it. Hope I get more info or even recommendations on how we could improve security.

    M B

  • Me_B Member

    Ok, I already see this about Zamfoo: "We reported two critical security vulnerabilities to Zamfoo approximately two weeks ago"

    If you read Patrick's warning carefully, you will see no vulnerabilities like an RCE reported, but a risk of user privilege escalation.

  • Me_B Member

    @Maounique said:
    TBH, we had much fewer cases of hacked zpanel/sentora installations lately. I do not know if this is because people learned the lesson or it is indeed a bit better in security; from what I read here, I think the former case applies.

    Zpanel got a lot of panels hacked, mainly old 10.0.2/10.1.0 (since then we got 2 main releases: zpanel 10.1.1, which fixed RCE flaws, and sentora/update). Since 10.1.0 we haven't received a report of vulnerabilities in the panel. Hope some can see that it's related to releases dating back to pre-2013.

    I'm again happy to hear any feedback about issues in zpanel 10.1.1 or sentora 1.0. I think I said it already a lot here and still no reports.

    M B

  • That was one HECK of a read you did there.

  • @Me_B said:
    Zpanel got a lot of panels hacked, mainly old 10.0.2/10.1.0 (since then we got 2 main releases: zpanel 10.1.1, which fixed RCE flaws, and sentora/update). Since 10.1.0 we haven't received a report of vulnerabilities in the panel. Hope some can see that it's related to releases dating back to pre-2013.

    I'm again happy to hear any feedback about issues in zpanel 10.1.1 or sentora 1.0. I think I said it already a lot here and still no reports.

    I'm sorry but ZPanel and Sentora are walking security flaws, period. Same developers, same shitty attitude, same crappy software. If you really want that demonstrated, just keep asking for it.

  • jar Patron Provider, Top Host, Veteran

    @kaniini said:
    If you really want that demonstrated, just keep asking for it.

    I think he does and I don't think it's an unreasonable request that those who make accusations back them with evidence. I do not doubt your conclusion, but I believe it is only fair to back it up.

    Thanked by 4: netomx, Lee, iKeyZ, Amitz
  • @Jar said:
    I think he does and I don't think it's an unreasonable request that those who make accusations back them with evidence. I do not doubt your conclusion, but I believe it is only fair to back it up.

    We need Localhost.re back... :D He would post them on his website for everyone to know about it.

    Thanked by 1: MikePT
  • @kaniini said:
    Same developers, same shitty attitude, same crappy software.

    Give them a break. They're trying to improve.
    As far as I know, Sentora has reorganized the previous ZPanel dev team.

  • Maounique Host Rep, Veteran

    Licensecart said: We need Localhost.re back...

    I was also of the opinion that disclosing vulnerabilities weakens governments and criminals, which are likely to use them for their own purposes, while developers are either unaware or unwilling to repair them for various reasons, ranging from "nobody will ever think of that" to "if we release a patch so early after release, people will say we are incompetent".

    Full disclosure benefits everyone, except governments and criminals. When there is a history of unwillingness, you don't even owe a few days' notice; Solus learned the lesson in the end.

    Thanked by 1: MikePT
  • tommy Member

    from WHT

    Emails were sent on March 12 to Bobby Allen (info[at]sentora.org) showing the security issue with the world writable directories, bringing up the zsudo mess and the input validation failure within the MySQL feature.

    Three major security flaws, two of which are simply inexcusable - the world writable directories for the actual program (!) and the zsudo flaw which originated back in ZPanel.

    Did Bobby not inform you of these? I know he got our emails since he replied to one of them...

    I got your PM and I'll reply in more detail when I can,

    Edit:

    There were a total of 4 emails sent, the last one being March 16.

    Bob got the email, but I don't get any email? WTF? Set up an alias :)
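The world-writable program directories named in the quoted report are something any admin can check for on their own box. The following is an added example, not code from the page, from Sentora or from Rack911: a POSIX sh audit that lists directories under a given root that "other" users can write to, separating sticky-bit directories (where only the file owner can delete what others drop there) from the plain world-writable ones that let any local account replace files a privileged component later reads or runs. The root path is a placeholder supplied by the reader.

```shell
#!/bin/sh
# Added example (not from the page or from Sentora): audit an install tree
# for directories writable by "other". A world-writable directory under a
# program's own install path lets any local account plant or replace files
# that a privileged component (a setuid helper, a root cron job) later
# reads or executes. Sticky-bit directories, like /tmp, are reported
# separately because only the owner can remove files there.

# world_writable_dirs ROOT -> prints one path per line for every directory
# under ROOT that is writable by others AND lacks the sticky bit.
# -perm -0002 : "other write" bit set; ! -perm -1000 : sticky bit not set.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# sticky_world_writable_dirs ROOT -> same, but only the sticky ones.
sticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 -perm -1000 2>/dev/null | sort
}

# audit_tree ROOT -> returns 1 if any non-sticky world-writable directory
# exists under ROOT (listing it on stderr), 0 if the tree is clean.
audit_tree() {
    found=$(world_writable_dirs "$1")
    if [ -n "$found" ]; then
        printf 'world-writable (no sticky bit):\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Usage (ROOT is a placeholder for the panel's install path):
#   audit_tree /path/to/panel && echo clean
```

The non-zero return from `audit_tree` makes it usable as a post-install check or a cron-driven detection: a directory that shows up in the non-sticky list is one where permissions should be tightened to the owning service account rather than left open.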

  • Rallias Member
    edited March 2015

    Not looking for explicit exploits, but found some really fucking shitty coding practices.

    https://github.com/sentora/sentora-core/blob/1.0.0/dryden/db/builder.class.php#L33

    There, you see a case where yes, they used PDO... in completely the wrong fucking way.

    Inb4 code might have updated complaints.

    But yeah, good on sentora for using PDO. clap clap

    EDIT: Oh, and this charmer. https://github.com/sentora/sentora-installers/blob/master/sentora_install.sh#L316

    EDIT 2: I'm fairly sure this one counts as a vuln. https://github.com/sentora/sentora-installers/blob/master/sentora_install.sh#L536

    LD_PRELOAD=ld_bullshit_that_overrides_used_function.so zsudo whatnot

    EDIT 3: Just asked, that doesn't need LD_PRELOAD to do its dirty work. Same difference. I didn't bother to read zsudo.c's code. But, in that case,

    http://seclists.org/fulldisclosure/2013/Jun/39

    Any claim to say that all of ZPanel's reported vulnerabilities were fixed, what's the verdict?

    BULLSHIT, BULLSHIT, BULLSHIT.

  • joepie91 Member, Patron Provider
    edited March 2015

    Me_B said: All is again "developers attitude"!

    When one constantly gets the same criticism from different people, one should perhaps start to wonder whether the criticism may be correct and do something about it - rather than just complaining about the criticism.

    Me_B said: I have tried to get low end users' feedback on that and asked more than once if they knew a FLAW in zpanel 10.1.1 (latest that got fixes) or sentora, and we got no reports or hints. Only "it's known zpanel/sentora is insecure crap", and I see it again more and more.

    zsudo always was and still is a giant security risk. As of yet, it hasn't been replaced by sudo. Evidently reported issues are not fixed, either.

    KwiceroLTD said: They should consider putting security-focused developers on, and maybe it won't turn out as bad.

    They already have one, CaffeineAddict (he has a different nickname now, but has moved over to Sentora as well). I suspect the other developers still aren't listening to him enough, like was the case with ZPanel. You can have security-minded developers on your team, but if the attitude of the rest of the team is rotten, you still won't end up with good software.

    Thanked by 2: MikePT, KwiceroLTD
  • Me_B Member
    edited March 2015

    @joepie91 well, zsudo will be fixed forever within weeks. We have been running an audit to identify all calls to zsudo. Myself, I don't understand the need for such a big gun while the core mainly needed to restart apache/bind.

    It was supposed to be fixed in Feb, but the 2 main devs working on it were too busy (me and Pascal).

    I myself don't like having that running. There are also more changes to come to add more sandboxing and complicate any hacker getting in.

    I won't downplay this, but it's a privilege escalation issue here, not an RCE, AND WILL BE FIXED as it should be.

    The solution will be to completely remove zsudo and replace it with a bash script that will filter input and only do service restart/reload as needed.

    Notice @joepie91, I've been here for a while and requested feedback, and no one pointed out vulnerabilities besides zsudo, and as I said previously there will soon be a lot of changes to add more containment and reduce all used privileges.

    M B
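The filtering restart wrapper Me_B describes above as the planned replacement for zsudo is the standard way to give a web application a narrow slice of root: a script that accepts only an allowlisted action and service name, is the only command the panel's user may run through sudo, and never passes user-controlled text to a shell. The following is an added example of that pattern, not Sentora's code or its actual replacement; the script name panelctl, the sudoers line, the service names apache2 and bind9, and the use of service(8) are assumptions.

```shell
#!/bin/sh
# Added example (not Sentora's code): an allowlisted replacement for a
# setuid "run anything as root" helper. The web user is granted, through
# sudoers, permission to run ONLY this script, and the script accepts only
# an allowlisted action and service name; anything else is refused.
#
# Hypothetical sudoers line (assumption, not from the page):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/panelctl
#
# The script is not setuid itself, it never uses eval, and the final
# command is built only from tokens that passed exact-match validation.

ALLOWED_SERVICES="apache2 bind9"   # assumption: the panel only needs these
ALLOWED_ACTIONS="restart reload"

# in_list NEEDLE "a b c" -> 0 if NEEDLE is exactly one of the words.
in_list() {
    needle=$1
    for word in $2; do
        [ "$word" = "$needle" ] && return 0
    done
    return 1
}

# validate ACTION SERVICE -> 0 if both are allowlisted, 1 otherwise.
# Exact string comparison means "apache2;id", "../bind9", an empty string
# or a third argument all fail: they are not one of the listed words.
validate() {
    [ $# -eq 2 ] || return 1
    in_list "$1" "$ALLOWED_ACTIONS" || return 1
    in_list "$2" "$ALLOWED_SERVICES" || return 1
    return 0
}

# panelctl ACTION SERVICE: validate, then run the fixed command.
# Returns 2 on refusal so callers can tell "refused" from "service failed".
panelctl() {
    if ! validate "$@"; then
        echo "panelctl: refused: $*" >&2
        return 2
    fi
    # service(8) is invoked with a fixed argument order and no shell eval.
    service "$2" "$1"
}

# Dispatch only when executed as the installed script, not when sourced.
case "$0" in
    */panelctl|panelctl) panelctl "$@" ;;
esac
```

Two design points carry the security value: the check is an allowlist of exact strings rather than a filter that strips "bad" characters, so there is nothing to bypass by encoding; and the privilege boundary is sudo rather than a setuid binary, so sudo's default `env_reset` handles the environment and the audit log records every invocation.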
