MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Bugs and Requests => Topic started by: fossxplorer on 2014-04-22, 23:39:16

Title: Password being sent in clear text
Post by: fossxplorer on 2014-04-22, 23:39:16
Mustafa: can you take a look at this as it could be a serious security problem:
when you access "SQL Manager" I see the request URL like /thirdparty/phpMyAdmin/?pma_username=myusername&pma_password=mypassword

"mypassword" is being sent in clear text! I assume that's not the intention?

Title: Re: Password being sent in clear text
Post by: MRatWork on 2014-04-23, 02:23:52
Yes, it's no problem because only you see this url.
Title: Re: Password being sent in clear text
Post by: chrisf on 2014-04-23, 04:19:23
Now that's funny.  Are you serious?  REALLY?

Yes, that is a security concern!  The only way it is not is if you use https, as GET requests in the url are not sent until after the encryption starts.

I force all clients to use https for KloxoMR panel.
Title: Re: Password being sent in clear text
Post by: Kloxo-DR on 2014-04-23, 07:11:15
Hi,
Mustafa: can you take a look at this as it could be a serious security problem:
when you access "SQL Manager" I see the request URL like /thirdparty/phpMyAdmin/?pma_username=myusername&pma_password=mypassword
"mypassword" is being sent in clear text! I assume that's not the intention?

This problem is not new.

That's not the intention, of course. But, in Kloxo-MR, there exists a little closed world of Mustafa related to security, which he believes is valid and correct.

In 2008, I had a fight on the telephone with Ligesh, the creator of lxadmin and developer of Kloxo, when he blatantly refused to recognize my security concerns. Later he killed himself.

I have never used phpMyAdmin.
Title: Re: Password being sent in clear text
Post by: MRatWork on 2014-04-23, 07:25:14
In official Kloxo, all button links in the panel are in JavaScript format (so it's impossible to right-click and then click 'open in new tab'). In Kloxo-MR, all button links were changed to plain URLs (making it possible to right-click).

Both of them use the same mechanism to log in to phpMyAdmin (the same, with 'get' instead of 'post').

In this context, there is no problem on the Kloxo-MR panel side; the question is how to make it 'more secure' on the phpMyAdmin side. That's it.
Title: Re: Password being sent in clear text
Post by: Kloxo-DR on 2014-04-23, 10:03:07
In official Kloxo, all button links in the panel are in JavaScript format (so it's impossible to right-click and then click 'open in new tab'). In Kloxo-MR, all button links were changed to plain URLs (making it possible to right-click).

Yes, that's true. But this problem has existed in Kloxo as well for many years.

You changed it a bit to make it better, not in all areas.
Title: Re: Password being sent in clear text
Post by: Kloxo-DR on 2014-04-23, 10:05:30
I forgot.

How about using a totally different redirection method which may secure the transfer beyond the technology implemented now?
Title: Re: Password being sent in clear text
Post by: MRatWork on 2014-04-23, 10:19:58
I will change to 'post' instead of 'get' for external links (for example, the phpMyAdmin login).

As we know, 'post' is harder to 'crack' than 'get'.

But the problem is in phpMyAdmin rather than the Kloxo-MR panel. If possible, it is better to limit phpMyAdmin login with 'no permit from remote'.
Title: Re: Password being sent in clear text
Post by: fossxplorer on 2014-04-23, 10:27:43
It looks like commit c0dc7e73f3a47223a3bc215072298cbcbe7d3bc5 changes this.  Waiting for RPM updates :)

Updated to 2014042202.mr and the problem is partially gone. Now I only see the password in clear text when I hover over "SQL Manager". Also, the password was in /usr/local/lxlabs/kloxo/log/hiawatha-access.log earlier, but after this update :)

Thank you Mustafa for taking immediate action to such security concerns.

Perhaps it is time to say the following:
As I might have stated before, coming from cPanel/WHM, I was initially intrigued by Kloxo-MR for its support for Nginx/proxy etc.
I gave it a try and I started to like it a lot since it's user-friendly and the flexibility is huge, but at the same time at the cost of some simplicity offered by e.g. cPanel.
Now I've invested a lot of time to learn and get things right, and Mustafa is assisting very well, so it's a good sign Kloxo-MR will have a good future.

One more thing I'd like to point out is that Kloxo-MR should strive to be PCI DSS compatible like cPanel/WHM hosters (of course there are other things that have to comply besides the panel itself).

I urge everyone here to support this project by donating a small amount monthly. I've started, but after getting rid of cPanel, I'll regularly support this project.
Again, thank you Mustafa for your great work.
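An added example (not from this thread or the Kloxo-MR project) of the defender-side check the posts above imply: scanning web-server access-log lines, like the hiawatha-access.log entry fossxplorer mentions, for credentials carried in a GET query string, and producing a redacted copy of the line. The sample log lines and the SENSITIVE_PARAMS list are constructed assumptions; only the pma_username/pma_password names come from the thread.

```python
# Added example: detect credentials leaked into access logs via GET query strings
# and redact them. Not part of the forum thread or of Kloxo-MR itself.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that should never appear in a URL (assumed list; pma_password
# is the phpMyAdmin name quoted in the thread).
SENSITIVE_PARAMS = {"pma_password", "password", "passwd", "pwd", "token"}

# Request part of a common-log-format line: "METHOD /target HTTP/1.x".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_leaked_params(target):
    """Return sorted names of sensitive query parameters found in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})

def redact_target(target):
    """Replace sensitive parameter values so the URL can be stored or shared."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_access_log(lines):
    """Yield (line_no, method, leaked_names, redacted_line) for offending lines."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        leaked = find_leaked_params(m.group("target"))
        if leaked:
            redacted = (line[:m.start("target")] + redact_target(m.group("target"))
                        + line[m.end("target"):])
            yield n, m.group("method"), leaked, redacted

# Constructed sample lines in common log format (addresses and values made up).
# The POST line carries its credentials in the body, which never reaches the log.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Apr/2014:10:27:43 +0200] "GET /thirdparty/phpMyAdmin/?pma_username=myusername&pma_password=mypassword HTTP/1.1" 200 5120',
    '203.0.113.5 - - [23/Apr/2014:10:28:01 +0200] "POST /thirdparty/phpMyAdmin/index.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [23/Apr/2014:10:29:17 +0200] "GET /login/?next=%2Fdomains HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, method, leaked, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {method} request carries {', '.join(leaked)} in the query string")
        print("  safe to share:", redacted)
```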

Title: Re: Password being sent in clear text
Post by: Kloxo-DR on 2014-04-23, 10:52:02
Hi Mustafa,
I will change to 'post' instead of 'get' for external links (for example, the phpMyAdmin login).
As we know, 'post' is harder to 'crack' than 'get'.

Coming to another point, as a subset of this discussion.

Gone are those days when we needed non-secured connections. Many companies just use https totally. Mustafa, why don't you just ABORT EVERY AREA THAT USES NON-SECURED CONNECTIONS?

There is really no reason to have 7778, etc. possibility. Everything _MUST_ GO THROUGH SSL. Now the default SSL is working properly. So just eradicate http://domain.tld/7778 completely.

I suggest to have an enhanced configuration of SSL Home which may give a very good overview of all SSL certificates used, or to be used, and assist an administrator to apply it.
Title: Re: Password being sent in clear text
Post by: fossxplorer on 2014-04-23, 10:55:52
Good point which I was supposed to write, but forgot in my previous post.
Inspired by @chrisf's post, we should only permit customers to use SSL.

There is really no reason to have 7778, etc. possibility. Everything _MUST_ GO THROUGH SSL. Now the default SSL is working properly. So just eradicate http://domain.tld/7778 completely.