Author Topic: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001  (Read 31868 times)

chrisf
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #15 on: 2014-01-30, 11:47:22 »
No one, but I have done all this through filemanager. That perl script will run via browser if in the cgi-bin of a client.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

chrisf
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #16 on: 2014-01-30, 11:50:45 »
Quickest fix, Mustafa, is to display only files owned by the client/user. If admin, under server filemanager, display all files.

And sanity check the permission editor: only change permissions if owned by the client, unless admin.
« Last Edit: 2014-01-30, 11:54:42 by chrisf »

MRatWork
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #17 on: 2014-01-30, 11:54:01 »
Quote
No one, but I have done all this through filemanager. That perl script will run via browser if in the cgi-bin of a client.
So, you access via 'http://domain.com/cgi-bin/exploit.pl'? Also 'http://domain.com/exploit.php'?
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

chrisf
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #18 on: 2014-01-30, 11:55:43 »
cgi-bin yes. PHP no, open_basedir error.

My solution above would not be so hard to implement. Peace of mind, and it would stop the fooling around.
« Last Edit: 2014-01-30, 11:58:21 by chrisf »

MRatWork
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #19 on: 2014-01-30, 12:13:58 »
FYI, I am using 'hiawatha-proxy'. So, are you using the same?


chrisf
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #20 on: 2014-01-30, 12:32:51 »
Nginx-proxy.

Mustafa, we waste too much time going back and forth. I support KloxoMR; I have been around since before the tragedy of Ligesh and Kloxo becoming open source. I am trying to help. I am good at what I do. I do not know everything, and I look to others when need be. You have saved me before, and I have figured out things for you.

My suggestion to you is this, so you don't have to rewrite the entire file manager.

1. Display only files owned by the client logged in.
2. Sanity check the permission editor to only allow changes from the owner.
3. Sanity check any file being saved: the client must be the owner.

If logged in as admin, under the server file manager, allow all files and all changes (no restrictions).

It is 6am in the US, I have been awake all night with this; please consider my suggestions, they would not be so hard to code.

MRatWork
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #21 on: 2014-01-30, 12:41:35 »
I didn't have a problem with filemanager. If logged in via 'admin', a new file is created with 'admin' as owner. If logged in via 'tester', a new file is created with 'tester' as owner.

So, I think filemanager works after updating to 6.5.1.a-2014013001.

For php, using open_basedir (declared in the php-fpm config) makes directory access strict for php. Still investigating the same function (open_basedir) for perl.

chrisf
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #22 on: 2014-01-30, 12:47:35 »
You are missing the point. Yes, creating a file saves it as the owner. But because the file manager runs as root, it can change the permissions of, or delete, any file. If a user finds a way to get it to display sensitive directories, by exploit or however, the file manager is dangerous.

It is not all right. You should consider my solution.

MRatWork
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #23 on: 2014-01-30, 13:07:32 »
Access filemanager:

1. 'Admin > server > filemanager' --> save always as 'root'
2. 'Admin > filemanager' --> save always as 'admin'
3. 'Admin > Clients > [Tester] > filemanager' --> save always as 'tester'
4. 'Tester > filemanager' --> save always as 'tester'

All accesses always change permissions.

So, what's the problem?
« Last Edit: 2014-01-30, 13:10:56 by MRatWork »

MRatWork
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #24 on: 2014-01-30, 13:15:52 »
And what's the reason for a sanity check on 'ownership'?

lupetalo
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #25 on: 2014-01-30, 16:57:38 »
Quote
And what's the reason for a sanity check on 'ownership'?
And what is the reason for not listening to chrisf and making the file manager NOT run as root....
Yet again you don't listen to others and don't accept help, but blindly yell that everything works...

MRatWork
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #26 on: 2014-01-30, 17:38:55 »
Quote
And what's the reason for a sanity check on 'ownership'?
And what is the reason for not listening to chrisf and making the file manager NOT run as root....
Yet again you don't listen to others and don't accept help, but blindly yell that everything works...
No reason for a sanity check on 'ownership'. Better to concentrate on how to limit php/perl access to certain directories only.

chrisf
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #27 on: 2014-01-30, 21:17:22 »
I agree, we need to chroot or jail users in their home directories.

You are misunderstanding me. PM me a login for a tester client and, using the file manager, I will shut the server down.

The sanity check stops any unknown exploit. You are missing the entire idea of security, sanitation, and stopping exploits before they happen. The file manager can access any file, because it runs as root.

There is no need to debate this; you should fix this immediately. My sanity checks stop unknown exploits and bring KloxoMR admins peace of mind.

As of right now, ANY KloxoMR installation can be destroyed. Think about that. I am very disappointed you would rather say no than implement security measures.

I have a server with 30 clients. They are not secure, and that bothers me!

Spacedust
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #28 on: 2014-01-30, 22:07:01 »
The same goes for shell access. If you have mc installed then you will be able to go outside the user's directory!

insanity
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #29 on: 2014-01-30, 22:12:04 »
Yes, because all users are under the apache group. If you create a symlink in home/domain/symlink-folder and point it to home/domain2/some-folder, you will be able to edit all files.
« Last Edit: 2014-01-30, 22:15:15 by insanity »
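
One way to implement the checks chrisf proposes earlier in the thread (list only files the client owns, refuse permission changes and saves on anything else, admin unrestricted) while also closing the symlink escape insanity describes above. This is an added example, not Kloxo-MR's own code; the `$client` array layout and the function names `authorize_file_op` and `list_client_files` are assumptions.

```php
<?php
// Added example, not Kloxo-MR code: authorises a client file-manager request
// before the root-privileged backend touches anything. Assumed inputs:
// $client['home'] (home directory) and $client['is_admin'] (server admin only).

function authorize_file_op(array $client, string $requested): string
{
    // The server-level admin file manager keeps unrestricted access.
    if (!empty($client['is_admin'])) {
        return $requested;
    }
    // Resolve symlinks and '..' first, so a symlink inside the client's home
    // that points at another client's directory is seen for what it is.
    $home = realpath($client['home']);
    $real = realpath($requested);
    if ($home === false || $real === false) {
        throw new RuntimeException("no such path: $requested");
    }
    // Containment: the resolved target must be the home itself or below it.
    if ($real !== $home && strpos($real, $home . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("path escapes client home: $real");
    }
    // Ownership: the client is whoever owns the home directory, so files owned
    // by root, apache or another client cannot be saved, chmod'ed or deleted.
    if (fileowner($real) !== fileowner($home)) {
        throw new RuntimeException("not owned by client: $real");
    }
    return $real;
}

// Listing for the client file manager: entries the client does not own, or
// that resolve outside the home, are simply not shown.
function list_client_files(array $client, string $dir): array
{
    $dir = authorize_file_op($client, $dir);
    $shown = [];
    foreach (scandir($dir) ?: [] as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        try {
            $shown[] = authorize_file_op($client, $dir . DIRECTORY_SEPARATOR . $name);
        } catch (RuntimeException $e) {
            // hidden from the listing
        }
    }
    return $shown;
}
```

Every privileged operation (chmod, save, delete) should take the path returned by `authorize_file_op` rather than the raw request value, so the containment and ownership checks cannot be bypassed by a later code path.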
