CyberPanel - Control Panel Based on OpenLiteSpeed [Updated!] - Page 25

Comments

  • There was something on WHT from Patrick (Rack911) who said do not use CyberPanel at the moment but no further details given

  • MikePT Moderator, Patron Provider, Veteran

    @intovps said:
    No ORM in 2019?

                cursor.execute("CREATE DATABASE " + dbname)
                cursor.execute("CREATE USER '" + dbuser + "'@'localhost' IDENTIFIED BY '"+dbpassword+"'")
                cursor.execute("GRANT ALL PRIVILEGES ON " + dbname + ".* TO '" + dbuser + "'@'localhost'")
                connection.close()
    

    https://github.com/usmannasir/cyberpanel/blob/1.8.0/plogical/mysqlUtilities.py#L74

    You're leaving the door open. There's gonna be a party on your servers and everyone's invited.

    @LeonDynamic said:
    There was something on WHT from Patrick (Rack911) who said do not use CyberPanel at the moment but no further details given

    Then Steven confirmed. Not sure what they've found out but I would NOT use it as well if they are recommending not to.

    Thanked by 1intovps
  • Hxxx Member
    edited July 2019

    Brother... at first look you don't even have to be a developer / programmer to notice that's some serious SQL Injection vulnerability right there. I mean especially if the other parts of the code use this kind of query concatenation.

    Thanked by 1intovps
  • MikePT Moderator, Patron Provider, Veteran

    @Hxxx said:
    Brother... at first look you don't even have to be a developer / programmer to notice that's some serious SQL Injection vulnerability right there.

    Well, I don't code, so I'm not getting what's wrong there; I'm only able to read the code and understand what it does, more or less.

  • Hxxx Member
    edited July 2019

    Yeah well, maybe not especially in this code since there is not much user input there, but the technique: he is concatenating the query. In Utopia he would be using parameters and prepared SQL queries/command statements at minimum. Now what about the rest of the code... if it is like this... that's a big yikes. Anyway, it is open source, right? Anybody can put a patch.

    @MikePT said:

    @Hxxx said:
    Brother... at first look you don't even have to be a developer / programmer to notice that's some serious SQL Injection vulnerability right there.

    Well, I don't code, so I'm not getting what's wrong there; I'm only able to read the code and understand what it does, more or less.

    Thanked by 1MikePT
  • intovps Member, Host Rep

    @MikePT said:

    @Hxxx said:
    Brother... at first look you don't even have to be a developer / programmer to notice that's some serious SQL Injection vulnerability right there.

    Well, I don't code, so I'm not getting what's wrong there; I'm only able to read the code and understand what it does, more or less.

    No code should concatenate strings to form SQL queries as it's a vulnerability that can be exploited through SQL injection: https://en.wikipedia.org/wiki/SQL_injection

    In Python he should have used an ORM like https://www.sqlalchemy.org/

    Thanked by 2Hxxx MikePT
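
An added example, not CyberPanel's code and not from any poster here, of the alternative Hxxx and intovps are describing: building the same three statements from the quoted snippet without string concatenation. The helper names, the identifier allowlist and the sample values are my own assumptions; the `%s` placeholder is the client-side DB-API parameter style used by PyMySQL and mysqlclient.

```python
import re

# Identifier allowlist applied here (an assumption, stricter than MySQL's own
# rules): 1-64 characters from [A-Za-z0-9_]. Database and user names are SQL
# identifiers, which cannot be bound as query parameters, so validation plus
# backtick quoting is the only safe way to put them into the statement.
_IDENT_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def quote_identifier(name: str) -> str:
    """Return name as a backtick-quoted MySQL identifier, or raise ValueError."""
    if not isinstance(name, str) or not _IDENT_RE.fullmatch(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return f"`{name}`"


def build_provision_statements(dbname: str, dbuser: str, dbpassword: str):
    """Return (sql, params) pairs that create a database, a local user and a
    grant. Each pair is meant for cursor.execute(sql, params) on a DB-API
    connection; the password travels as a bound parameter, never as text."""
    db = quote_identifier(dbname)
    user = quote_identifier(dbuser)
    return [
        (f"CREATE DATABASE {db}", ()),
        # %s is the DB-API 'format' paramstyle used by PyMySQL and mysqlclient;
        # the driver escapes quotes and backslashes inside the password.
        (f"CREATE USER {user}@'localhost' IDENTIFIED BY %s", (dbpassword,)),
        (f"GRANT ALL PRIVILEGES ON {db}.* TO {user}@'localhost'", ()),
    ]


def provision(connection, dbname: str, dbuser: str, dbpassword: str) -> None:
    """Run the statements on an open DB-API connection (hypothetical caller)."""
    cursor = connection.cursor()
    try:
        for sql, params in build_provision_statements(dbname, dbuser, dbpassword):
            cursor.execute(sql, params)
        connection.commit()
    finally:
        cursor.close()


if __name__ == "__main__":
    # Constructed sample input: the quote in the password is harmless because
    # it is bound, not concatenated.
    for sql, params in build_provision_statements("shop_db", "shop_user", "s3cret'pw"):
        print(sql, params)
    # A name containing a quote never reaches the SQL string.
    try:
        build_provision_statements("shop'db", "shop_user", "pw")
    except ValueError as exc:
        print("rejected:", exc)
```

The point Hxxx raises about "not much user input" cuts both ways: the password is the one value that can be bound, and the database and user names cannot, so the allowlist check is doing the real work for them. Validation sits in the function that builds the SQL rather than in a middleware layer, so every caller gets it.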
  • Hxxx Member

    Yeah that's a bigggggggggggggggggggg yikes. But well, maybe the other parts of the code are done correctly?

    @intovps said:

    @MikePT said:

    @Hxxx said:
    Brother... at first look you don't even have to be a developer / programmer to notice that's some serious SQL Injection vulnerability right there.

    Well, I don't code, so I'm not getting what's wrong there; I'm only able to read the code and understand what it does, more or less.

    No code should concatenate strings to form SQL queries as it's a vulnerability that can be exploited through SQL injection: https://en.wikipedia.org/wiki/SQL_injection

    In Python he should have used an ORM like https://www.sqlalchemy.org/

    Thanked by 1MikePT
  • intovps Member, Host Rep
    edited July 2019

    @Hxxx said:
    Yeah that's a bigggggggggggggggggggg yikes. But well, maybe the other parts of the code are done correctly?

    @intovps said:

    @MikePT said:

    @Hxxx said:
    Brother... at first look you don't even have to be a developer / programmer to notice that's some serious SQL Injection vulnerability right there.

    Well, I don't code, so I'm not getting what's wrong there; I'm only able to read the code and understand what it does, more or less.

    No code should concatenate strings to form SQL queries as it's a vulnerability that can be exploited through SQL injection: https://en.wikipedia.org/wiki/SQL_injection

    In Python he should have used an ORM like https://www.sqlalchemy.org/

    I doubt. That file is full of SQL string concatenation.

    Well, too bad. This is a sign of a "less" experienced developer and it's indeed hard to put your trust in that code.

    Thanked by 2MikePT Kwoon
  • lonea Member, Host Rep
    edited July 2019

    This sounds like Kloxo all over again.

    Mod edit. Removed inappropriate comment.

    Thanked by 1intovps
  • @cyberpersons can you provide an update regarding the message from Rack911 and what others have said here?

    Thanked by 1PieHasBeenEaten
  • MikePT Moderator, Patron Provider, Veteran

    @intovps said:

    @Hxxx said:
    Yeah that's a bigggggggggggggggggggg yikes. But well, maybe the other parts of the code are done correctly?

    @intovps said:

    @MikePT said:

    @Hxxx said:
    Brother... at first look you don't even have to be a developer / programmer to notice that's some serious SQL Injection vulnerability right there.

    Well, I don't code, so I'm not getting what's wrong there; I'm only able to read the code and understand what it does, more or less.

    No code should concatenate strings to form SQL queries as it's a vulnerability that can be exploited through SQL injection: https://en.wikipedia.org/wiki/SQL_injection

    In Python he should have used an ORM like https://www.sqlalchemy.org/

    I doubt. That file is full of SQL string concatenation.

    Well, too bad. This is a sign of a "less" experienced developer and it's indeed hard to put your trust in that code.

    Thanks guys, I appreciate the brief explanation. Looks bad indeed.

  • emgh Member

    He's doing this for free though, everyone is allowed in and fork and fix. I am impressed he's still going strong with this. And did you really think a program with one developer that's also free would be as secure as a corps software? C'mon

    Thanked by 1PhilNW
  • MikePT Moderator, Patron Provider, Veteran
    edited July 2019

    @emgh said:
    He's doing this for free though, everyone is allowed in and fork and fix. I am impressed he's still going strong with this. And did you really think a program with one developer that's also free would be as secure as a corps software? C'mon

    Sorry but it's not for free. He is part of LiteSpeed and they do charge for the Enterprise licenses. They just give the alternative to run it free of cost with OpenLiteSpeed and a free tier with the Enterprise version.
    It's a business with a free version, call it what you would like to. Offering a free version and a free tier of the Enterprise version is just marketing.

    Their obligation is to keep it as secure as possible. I am not a coder at all but my understanding is that the vulnerability pointed here is really bad and no serious programmer would have done such basic mistake.

    Don't get me wrong @emgh, you may have never heard of their paid licenses and being part of LiteSpeed but it is what it is and these are just my 50 cents. Yeah boy.

    Cheers

    Thanked by 1emgh
  • lonea Member, Host Rep

    Not free bro..

    https://cyberpanel.net/cyberpanel-enterprise/

    emgh said: He's doing this for free though, everyone is allowed in and fork and fix. I am impressed he's still going strong with this. And did you really think a program with one developer that's also free would be as secure as a corps software? C'mon

  • emgh Member

    @MikePT said:

    @emgh said:
    He's doing this for free though, everyone is allowed in and fork and fix. I am impressed he's still going strong with this. And did you really think a program with one developer that's also free would be as secure as a corps software? C'mon

    Sorry but it's not for free. He is part of LiteSpeed and they do charge for the Enterprise licenses. They just give the alternative to run it free of cost with OpenLiteSpeed and a free tier with the Enterprise version.
    It's a business with a free version, call it what you would like to. Offering a free version and a free tier of the Enterprise version is just marketing.

    Their obligation is to keep it as secure as possible. I am not a coder at all but my understanding is that the vulnerability pointed here is really bad and no serious programmer would have done such basic mistake.

    Don't get me wrong @emgh, you may have never heard of their paid licenses and being part of LiteSpeed but it is what it is and these are just my 50 cents. Yeah boy.

    Cheers

    Sure, I guess you're right. I wouldn't go so hard on him though; this panel is probably not really anything that's profitable for them.

    Thanked by 1MikePT
  • vovler Member

    It's still fine if you are the only user.
    But if you are going to use it to sell web hosting you may wanna think twice.

    Thanked by 3emgh MikePT andiklive
  • MikePT Moderator, Patron Provider, Veteran
    edited July 2019

    @emgh said:

    @MikePT said:

    @emgh said:
    He's doing this for free though, everyone is allowed in and fork and fix. I am impressed he's still going strong with this. And did you really think a program with one developer that's also free would be as secure as a corps software? C'mon

    Sorry but it's not for free. He is part of LiteSpeed and they do charge for the Enterprise licenses. They just give the alternative to run it free of cost with OpenLiteSpeed and a free tier with the Enterprise version.
    It's a business with a free version, call it what you would like to. Offering a free version and a free tier of the Enterprise version is just marketing.

    Their obligation is to keep it as secure as possible. I am not a coder at all but my understanding is that the vulnerability pointed here is really bad and no serious programmer would have done such basic mistake.

    Don't get me wrong @emgh, you may have never heard of their paid licenses and being part of LiteSpeed but it is what it is and these are just my 50 cents. Yeah boy.

    Cheers

    Sure, I guess you're right. I wouldn't go so hard on him though; this panel is probably not really anything that's profitable for them.

    I was very close to purchasing a paid license, and close to moving to CyberPanel. I am glad I did not. He needs to seek help from his colleagues to double check his code. I understand he/they may have good intentions but in the end, it's for business and businesses rely on them too. Whether it is profitable or not is not our concern. At this moment it is not viable. I truly hope they figure it out as I actually like their panel and effort for building an alternative. It's such a responsibility though, even more when you are selling it.

    Thanked by 1emgh
  • Hxxx Member
    edited July 2019

    He'll come around with fixes. He is probably fixing that code now. Hopefully. It's not like cPanel was perfect at any time anyway, but they were given time to fix it.

  • MikePT Moderator, Patron Provider, Veteran
    edited July 2019

    I forgot to mention their Premium Cloud link in the header. It goes to www.cyberhosting.org, what nonsense.

    You can't even advertise CyberPanel as a panel to your clients; they might just sign up with cyberhosting.
    Yeah, a total business. Not sure about the complete affiliation with LiteSpeed. I was told that was the case from a very legit source. Still, profit from LiteSpeed and CyberPanel bundles and even more from the Premium Cloud.

    Sorry but, CyberPanel guy, stop selling it, advise your Premium Cloud customers to disable it for now and fix your damn shit.

  • cyberhosting is very confusing. First they touted platform optimization, then moved it entirely to paid cyberhosting.

    Thanked by 1MikePT
  • PieHasBeenEaten Member, Host Rep

    @lonea I don't think that comment was called for. Suicide is not a matter to joke around with, however you put it.

  • MikePT Moderator, Patron Provider, Veteran
    edited July 2019

    @cybertech said:
    cyberhosting is very confusing. First they touted platform optimization, then moved it entirely to paid cyberhosting.

    Last comment here as I don't want to insist further.

    Totally agree with you.

  • lonea Member, Host Rep
    edited July 2019

    Why do you think I was joking?

    There was no LOL, hahaha.

    Stating something that happened in the past doesn't mean it's a joke.

    Out of all things that's been said on here (racist things included), you are trying to call me out?

    Give me a break.

    PieHasBeenEaten said: @lonea I don't think that comment was called for. Suicide is not a matter to joke around with, however you put it.

  • intovps Member, Host Rep

    I'm just pointing out some code that may put customers and businesses in danger. It's certainly a lot of work to develop a control panel, and I am not minimizing his effort.

    Thanked by 1MikePT
  • Hello

    So after the cPanel price hike, many people requested a security review of CyberPanel from Patrick (rack911labs). 2 days ago he sent us a detailed report of the issues in CyberPanel.

    So we started working on fixing them. Just to clear up some confusion:

    1. Some people think that CyberPanel runs as root or sudo user because some commands use sudo in them. CyberPanel itself does not run as root or sudo user; however, since it is old code, sudo still remains as part of some commands.

    So for functions that require root escalation, CyberPanel contacts the LSCPD daemon, which runs as root (it is a modified version of OpenLiteSpeed) and which then runs the commands. However, some functions can be run not as root; we have reviewed and adjusted those in this release. LSCPD can drop privileges to run those commands.

    For communication, a UDS socket is used with an authorization token.

    2. There was input sanitization earlier as well, but it turned out to be not enough. Sanitization was not at function level; it was performed using DJANGO middleware. But it is much better now.

    3. We've thoroughly gone through the mentioned issues and produced a quick release to address those issues. Summary of what we've done:

    • All the functions available to normal users that require shell now run as that user by passing the external app user to drop privileges through LSCPD.
    • Strong sanitization.
    • Some functions are further split; where root escalation is required they are then called with root privileges.

    We have just released the version; due to major changes there might be minor bugs here and there, but we can quickly fix them as soon as something is pointed out.

    4. For MySQL, CyberPanel uses the DJANGO ORM. There are some instances where raw queries are used, but they are looked out for.

    Since this is a quick release to cover the majority of things they discovered (we are very thankful for that), we will dig deeper to do more thorough reviews. Any feedback is appreciated and we'll try to fix ASAP. Meanwhile, we encourage everyone to upgrade to this safer version.

    We also thank the great community support; that really motivates us to make CyberPanel better and more secure.

    Finally, many thanks to Rack911labs. We will further reach out to Rack911labs for further review of the changes to make sure everything is in the right order.

    Thank you.

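As an added illustration of the privilege-separation design cyberpersons describes above (a non-root web process asking a root daemon over a Unix domain socket with an authorization token, and the daemon dropping privileges for per-user work), here is a minimal helper of my own. It is not LSCPD or any CyberPanel code; the socket path, token source, request format, username rule and the two allowlisted operations are all assumptions.

```python
import hmac
import json
import os
import pwd
import re
import socket
import subprocess
from collections import namedtuple

SOCKET_PATH = "/run/example-helper.sock"      # hypothetical path
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # assumed username rule

# Allowlist of operations. argv is a fixed template, never free-form text from
# the request; needs_root says whether the helper keeps root for it.
Operation = namedtuple("Operation", "argv needs_root")
OPERATIONS = {
    # Per-user operation: runs after dropping to that user (hypothetical path).
    "list_home": Operation(lambda user: ["ls", "-la", f"/home/{user}"], False),
    # Root-only operation with fixed arguments (service name is an assumption).
    "restart_web": Operation(lambda user: ["systemctl", "restart", "lsws"], True),
}


class Rejected(Exception):
    """Request refused: malformed, bad token, unknown operation or invalid user."""


def authorize(raw: bytes, expected_token: str):
    """Parse one request and decide what to run.
    Returns (argv, run_as) where run_as is a username or None for root,
    or raises Rejected. Nothing from the request is ever executed as-is."""
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise Rejected("malformed request")
    if not isinstance(req, dict):
        raise Rejected("malformed request")
    token = req.get("token")
    # Constant-time comparison so response timing does not leak the token.
    if not isinstance(token, str) or not hmac.compare_digest(
        token.encode("utf-8"), expected_token.encode("utf-8")
    ):
        raise Rejected("bad token")
    op = OPERATIONS.get(req.get("op"))
    if op is None:
        raise Rejected("operation not allowed")
    if op.needs_root:
        return op.argv(None), None
    user = req.get("user")
    if not isinstance(user, str) or not USERNAME_RE.fullmatch(user):
        raise Rejected("invalid user")
    return op.argv(user), user


def drop_privileges(username: str) -> None:
    """Switch the child to the target user (order matters: groups, gid, uid)."""
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def execute(argv, run_as):
    """Run argv without a shell; drop privileges first when run_as is set."""
    preexec = (lambda: drop_privileges(run_as)) if run_as else None
    return subprocess.run(argv, capture_output=True, text=True, preexec_fn=preexec)


def serve(expected_token: str) -> None:
    """Root-side loop: one JSON request per connection, JSON reply."""
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(SOCKET_PATH)
    os.chmod(SOCKET_PATH, 0o660)   # limit connections to root and the web group
    srv.listen(8)
    while True:
        conn, _ = srv.accept()
        with conn:
            try:
                argv, run_as = authorize(conn.recv(65536), expected_token)
                result = execute(argv, run_as)
                reply = {"rc": result.returncode, "out": result.stdout[-4096:]}
            except Rejected as exc:
                reply = {"error": str(exc)}
            conn.sendall(json.dumps(reply).encode("utf-8"))


if __name__ == "__main__":
    # The token would normally be read from a root-owned file shared with the
    # web user; taking it from the environment here is an assumption.
    serve(os.environ["HELPER_TOKEN"])
```

The properties worth copying are that argv comes from an allowlisted template plus a validated username (no shell, no sudo, nothing from the request runs verbatim), the token is compared in constant time, and the per-user branch sets groups, gid and uid in that order in the child before exec. The socket file's mode and group decide who can even connect, which is the first line of defence before the token check.
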
  • Hxxx Member

    Look at you, good job.

  • niceboy Veteran

    @cyberpersons, is there any guide on how to use apache as proxy with cyberpanel? Is this exclusive to your cyberhosting hosting company?

  • intovps Member, Host Rep

    @cyberpersons great attitude. Congrats and good luck with your project!

  • @niceboy said:
    @cyberpersons, is there any guide on how to use apache as proxy with cyberpanel? Is this exclusive to your cyberhosting hosting company?

    Hi @niceboy, currently we have a discussion on the forum about it; feel free to come and participate: https://forums.cyberpanel.net/discussion/1485/apache-as-backend
