Zpanel security risk (maybe) can execute daemon.php via Web Browser
Just this from http://forums.zpanelcp.com/thread-9884.html
I am sharing it here.
xekhz said:
daemon.php - /etc/zpanel/panel/bin/
I can execute daemon.php located in /etc/zpanel/panel/bin/daemon.php via webBrowser.
http://IPADDRESS/bin/daemon.ph
It discloses a bunch of information.
Shouldn't there be an .htaccess not permitting file access in the /etc/zpanel/panel/bin/ directory?
thanks
ballen said:
RE: daemon.php - /etc/zpanel/panel/bin/
Yes, absolutely... not quite sure how this got through, but I'll get this added to the .htaccess file!
Just for others reading this thread: the information that this discloses is the output of what you see when you run the daemon manually (duh lol), so although it does disclose local server paths to hosting directories, hosted domain names and log file locations, this doesn't disclose 'personal information' as such. So although this will be fixed ASAP, I do not deem this a 'security risk' as such.
Cheers,
Bobby
TumTum said:
RE: daemon.php - /etc/zpanel/panel/bin/
For people:
Add:
# Return 403 Forbidden for the daemon script ("-" keeps the URL unchanged; needs RewriteEngine On)
RewriteRule ^bin/daemon.php$ - [F,L]
in /etc/zpanel/panel/.htaccess
With this rule, the daemon is blocked in your web browser.
So over SSH: php -q /etc/zpanel/panel/bin/daemon.php
This works too for the full bin directory + files:
# Forbid everything under bin/, case-insensitively
RewriteRule ^(bin/) - [F,L,NC]
Or send the abuser to a funny website:
Redirect 301 /bin/daemon.php http://frankly.pitas.com/
But will you fix issues like this in the next release? Because for other users it may be a security risk.
ballen said:
Absolutely, this will be blocked in the next release (goes without saying)
Cheers,
Bobby
Bobby Allen
ZPanel Head Developer & Project Leader
---- this is the fix I used --------
MathDerVakker said:
My solution:
If you want to block all direct access to the daemon but still want the daemon to work in ZPanel itself,
just put this .htaccess file in the 'bin' directory (on CentOS: /etc/zpanel/panel/bin):
# Deny all clients except the local machine. The rules are not wrapped in
# <Limit GET> so they apply to every HTTP method (a <Limit GET> block would
# leave POST unrestricted). The stray "AuthType Basic" line did nothing
# without AuthName/Require and is left out. Apache 2.2 syntax; on Apache 2.4
# use "Require local" instead.
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
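A defender's follow-up to the .htaccess fixes above, as an added example that is not from the thread or from ZPanel: audit the Apache access log for requests under /bin/ that reached the daemon from remote addresses (exposure) versus those the server refused (the fix working). The log lines are constructed, and Apache's common log format is assumed.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not from the thread).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2013:13:55:36 +0000] "GET /bin/daemon.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Oct/2013:14:01:02 +0000] "GET /bin/daemon.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Oct/2013:14:01:09 +0000] "GET /bin/ HTTP/1.1" 200 930
198.51.100.4 - - [10/Oct/2013:16:20:11 +0000] "POST /bin/daemon.php HTTP/1.1" 403 212
198.51.100.4 - - [10/Oct/2013:16:20:30 +0000] "GET /index.php HTTP/1.1" 200 8800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
LOCAL = {"127.0.0.1", "::1"}  # the daemon is legitimately run from the box itself


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_bin_access(log_text, prefix="/bin/"):
    """Split remote requests under `prefix` into (exposed, blocked).

    exposed: the script answered 2xx to a non-local client, so the
             .htaccess rule was missing or ineffective at that time.
    blocked: the server refused the request (e.g. 403), evidence the fix works.
    Each entry is (ip, method, path, status).
    """
    exposed, blocked = [], []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].startswith(prefix) or rec["ip"] in LOCAL:
            continue
        status = int(rec["status"])
        (exposed if 200 <= status < 300 else blocked).append(
            (rec["ip"], rec["method"], rec["path"], status))
    return exposed, blocked


if __name__ == "__main__":
    exposed, blocked = audit_bin_access(SAMPLE_LOG)
    for hit in exposed:
        print("EXPOSED", *hit)
    print("blocked requests:", len(blocked))
    print("exposed hits per client:", dict(Counter(h[0] for h in exposed)))
```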
Comments
Why am I not surprised...
There is a whole thread on here on why not to use zpanel.
http://lowendtalk.com/discussion/10391/the-security-trainwreck-that-is-zpanel
ahhh there it is! ^^
As such, you are frankly an idiot for using it....
Mun
The security issue is information disclosure (hosted domain names and log file paths). It's an issue but not a severe one.
They just keep getting comfortable thinking it's production ready when it just isn't. It has a ton of potential, if they'd work harder. Charge money, close the source, if that's what you have to do. Half-assing it just isn't an answer.
I think nobody in their right mind should/would buy it if it's closed source, because of the [past] security risks. Oh well, except people still use WHMCS and SolusVM, so maybe they would. I know I wouldn't.