Does anyone use the Solus API key to manage the VMs?
rchurch Member
edited October 2012 in Help

Does anyone use the Solus API key to manage the VMs?

I have more URLs, user names and passwords than I care to remember.

Comments

  • I believe @seikan has something to offer - SolusVMController (http://solusvmcontroller.com/).

  • I use API access through aSolusVM on Android to check up on my flock occasionally, but it's pretty basic, only shows boot status and allows you to reboot if needed. It would be nice to see memory stats, but I also have Shinken/Nagios for that.

    There was a thread here recently on how to track login info for all your VPSes; just use a password manager and/or encrypted spreadsheet.

    Best,

  • @eLohkCalb said: I believe @seikan has something to offer - SolusVMController (http://solusvmcontroller.com/).

    Oh wow, that looks really nice actually.

  • I evaluated SolusVMController. Unfortunately, SolusVMController has several security issues that I reported to the developer almost a year ago, including suggestions for how to fix them. As far as I know, these vulnerabilities have not been addressed. Specifically, one vulnerability can give anyone complete access to the control panel, with admin privileges. The other vulnerability is a file inclusion vulnerability, which could, under some circumstances, result in an attacker gaining administrator privileges to the panel.

    Thanked by 1rchurch
  • Is there anything else out there that resembles what solusvmcontroller does?

  • Randy Member
    edited October 2012

    It's an all-in-one control panel that allows you to manage all your VPS from different providers, as long as all the hosts use SolusVM.

  • @NickM Can you enlighten us as to what the problems are? Some of us might want to try it and fix them if they work well enough

  • @rchurch: Here are the two problems that I found. There may be more, but these two immediately jumped out at me.

    The first vulnerability is in the handling of file includes in index.php. index.php?q=../../../../path/to/file results in the file /path/to/file.php being included. If another person is able to upload a PHP script to the web server (via another vulnerability, or on a shared hosting server, if they're able to set their script as world readable), that file can then be included, and execute with the same permissions that SolusVMController is being run as. Suggested mitigation: use a switch with only the valid values for "q" (vps, about, group, etc...), and fall back to "vps" as the default case.

    The second vulnerability: The .tab files containing the settings, usernames, and passwords, are, by default, stored in a publicly accessible directory. The steps that have been taken to ensure that they are not easily readable (first 10 characters of a SHA1 hash prepended to the filename) are not sufficient to prevent an attacker from reading them. An attacker with widely available hardware (any desktop PC made in the past 5 years, or even a cheap VPS) connected to a sufficient internet connection could easily exhaust these possibilities in as little as a few days or less (assuming that the web server can handle the load). Mitigation: store the .tab files in a directory that is outside of the web server's document root.

    Thanked by 1craigb
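    To illustrate the two mitigations described in the post above (an allowlist for the "q" parameter instead of a raw include, and keeping the .tab settings files outside the document root), here is an added example. It is not SolusVMController's own code: the pages/ directory layout, the private/ directory one level above the document root, and the user-name character set are assumptions made for the example.

```php
<?php
// Added example (not SolusVMController's code): an allowlist-based page
// dispatcher plus settings storage outside the document root.
// Assumed layout: this file is <docroot>/index.php, page scripts live in
// <docroot>/pages/<name>.php, and settings live in <docroot>/../private/.

declare(strict_types=1);

// The only page names index.php is ever allowed to include.
const ALLOWED_PAGES = ['vps', 'about', 'group', 'login'];

/**
 * Map the untrusted ?q= value to a page name. Anything not in the
 * allowlist collapses to the default, so input such as
 * "../../../../path/to/file" never reaches include().
 */
function resolvePage(?string $q): string
{
    if ($q !== null && in_array($q, ALLOWED_PAGES, true)) {
        return $q;
    }
    return 'vps';
}

/**
 * Directory for the .tab settings files, one level above the document
 * root. Nothing here is reachable by URL, whatever the web server's
 * rules say, which is the mitigation suggested in the post.
 */
function settingsDir(): string
{
    return dirname(__DIR__) . '/private';
}

/**
 * Build the settings file path for a user. The name is restricted to a
 * safe character set so it can never contain path separators or "..".
 */
function settingsPath(string $user): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    return settingsDir() . '/' . $user . '.tab';
}

// The vulnerable pattern the finding describes, shown for contrast only:
//   include($_GET['q'] . '.php');

// Hardened dispatch: the included path is built from a fixed prefix and
// an allowlisted name, never from the request directly.
$page = resolvePage($_GET['q'] ?? null);
include __DIR__ . '/pages/' . $page . '.php';
```

    Because resolvePage() returns one of a fixed set of names, the include target is fully determined by the code, and the settings files are never served by the web server because they are not under its document root at all.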
  • @nickm scary finds and no fixes from the dev...shame :(

  • @craigb said: shame :(

    Yeah, it's unfortunate. I was going to try it out because it's a good idea, and I have like 10 VPSes, so it's nice to have them all in one place. I stopped looking at it after I discovered those two problems, because it was no longer worth my time, so there's probably other issues too.

    Thanked by 1rchurch
  • @seanho: aVPS for Android shows all the stats for an OpenVZ based VPS.

    The link on Google play: https://play.google.com/store/apps/details?id=com.chilerocks.vps

    Has ads though.

  • @NickM said: Mitigation: store the .tab files in a directory that is outside of the web server's document root.

    Or just store it as .tab.php...

  • DewlanceVPS Member, Patron Provider

    For security reasons, don't use any 3rd party Google apps or any other 3rd party apps to manage your VPS from your SolusVM admin account.

  • What?

  • @DewlanceVPS
    Google apps?
    Anyway, thanks for your "professional" advice; I'll "totally" buy from Dewlance next time I need a VPS.

  • @NickM Thanks for the vulnerability problems reported. Sorry for the delay, as I'm working on other projects. Also, the coming version of SolusVMController will be using a MySQL database.

    Initially, SolusVMController was built for personal use and ran on a 128MB VPS. At that time I just tried to keep everything in text files to lower resource usage, without thinking of security issues yet. Since more people are interested in this, I will put more effort into it. The project is open source; everyone can try to contribute and fix it :)

    Thanked by 1rchurch
  • @NickM said: The first vulnerability is in the handling of file includes in index.php. index.php?q=../../../../path/to/file results in the file /path/to/file.php being included.

    I need your advice on this: can you reproduce this vulnerability at http://demo.solusvmcontroller.com/?q=login and show me the link?

    I'm not able to reproduce it from my side.

  • @colm : Thanks, yes I saw aVPS and it looked promising, but I was a bit shy to give my API keys to a developer I don't know. Always good to have options, though!

  • rchurch Member
    edited October 2012

    @seikan Consider using SQLite if you think using a SQL database is necessary, as it is less resource intensive and has fewer dependencies. MySQL is more meaningful if the database needs to be accessed remotely.

  • I use the Solus API to retrieve bandwidth from all my VPSes and then send me an email if any of them are 90% over their monthly transfer allocation. I wish the other panels, like VPSgrid, had API functionality.
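    A script along the lines of the post above, as an added example that is not the poster's own code. It assumes the SolusVM client API endpoint https://<host>:5656/api/client/command.php taking key, hash, action=info and bw=true, and a response carrying a "bw" field of the form total,used,free,percent; both the parameter names and the response format are assumptions here and should be checked against the client API documentation for your SolusVM version. The inventory entries and the alert address are constructed placeholders.

```php
<?php
// Added example (not the poster's script): poll the SolusVM client API for
// each VPS and e-mail when used bandwidth reaches 90% of the allocation.
// Assumed API: POST key/hash/action=info/bw=true to
// https://<host>:5656/api/client/command.php, with a response whose "bw"
// field is "total,used,free,percent". Verify against your SolusVM docs.

declare(strict_types=1);

const THRESHOLD_PERCENT = 90;
const ALERT_TO = 'me@example.com';   // placeholder address

// Constructed inventory, one entry per VPS. Keep the real key/hash values
// outside the web root and out of version control.
$vpsList = [
    ['name' => 'web1', 'host' => 'solus.provider-a.example', 'key' => 'KEY', 'hash' => 'HASH'],
    ['name' => 'db1',  'host' => 'solus.provider-b.example', 'key' => 'KEY', 'hash' => 'HASH'],
];

/** Parse a key=value (or <key>value</key>) line-oriented body into an array. */
function parseResponse(string $body): array
{
    $out = [];
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        if (preg_match('/^<(\w+)>(.*)<\/\1>$/', $line, $m)
            || preg_match('/^(\w+)=(.*)$/', $line, $m)) {
            $out[$m[1]] = $m[2];
        }
    }
    return $out;
}

/** Percent of monthly bandwidth used, or null if the field is missing. */
function bandwidthPercent(array $info): ?float
{
    if (!isset($info['bw'])) {
        return null;
    }
    $parts = explode(',', $info['bw']);
    if (count($parts) < 4) {
        return null;
    }
    $total = (float) $parts[0];
    $used  = (float) $parts[1];
    // Recompute from total/used instead of trusting the reported percent.
    return $total > 0 ? 100.0 * $used / $total : null;
}

/** Query one VPS and return the parsed response (empty array on failure). */
function queryVps(array $vps): array
{
    $url = 'https://' . $vps['host'] . ':5656/api/client/command.php';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'key' => $vps['key'], 'hash' => $vps['hash'],
            'action' => 'info', 'bw' => 'true',
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keys travel in this request; keep verification on
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? [] : parseResponse($body);
}

$alerts = [];
foreach ($vpsList as $vps) {
    $pct = bandwidthPercent(queryVps($vps));
    if ($pct !== null && $pct >= THRESHOLD_PERCENT) {
        $alerts[] = sprintf('%s: %.1f%% of monthly transfer used', $vps['name'], $pct);
    }
}
if ($alerts) {
    mail(ALERT_TO, 'VPS bandwidth warning', implode("\n", $alerts));
}
```

    Run it from cron once a day; the API key and hash pair only grants the client-level actions (status, info, reboot), so it is the right credential to give a monitoring script rather than a panel login.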

  • DewlanceVPS Member, Patron Provider

    @Chan said: Google apps?

    Sorry, I mean Google Play Apps (Android Apps)

  • @rchurch said: @seikan Consider using sqlite if you think using a SQL database is necessary...

    Thanks, I'm working with this now :)

  • fresher_06 Member
    edited December 2012

    @seikan .. any success with the SQLite implementation of solusvmcontroller? .. this is an amazing web app .. thanks for all the great work done here.

  • @seikan did you fix the vulns?

  • @fresher_06
    I gave up on SQLite and am now working on the MySQL version. It's 90% completed and will be released within a few weeks' time.

    @DeanClinton
    1. For the "includes" vulnerability, it does not exist.
    2. For the attacks on your .tab files, you can block HTTP access to all .tab files with htaccess in Apache.

    Apache:

    # Deny HTTP access to any file whose name ends in .tab
    # (the pattern is a regex, so it needs no leading "*")
    <FilesMatch "\.tab$">
         Order Allow,Deny
         Deny from all
    </FilesMatch>

    Nginx:

    server {
    .
    .
            location ~* \.tab$ {
                    deny all;
            }
    .
    .
    }

    I hope it helps.
