Sponsor:

Server and Web Integrator
Link:
Kloxo-MR logo
6.5.0 or 7.0.0
Click for "How to install"
Donation/Sponsorship:
Kloxo-MR is open-source.
Donate and or Sponsorship always welcome.
Click to:
Click Here
Please login or register. 2024-07-16, 11:45:32

Author Topic: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001  (Read 33947 times)

0 Members and 1 Guest are viewing this topic.

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #30 on: 2014-01-31, 00:56:38 »
THIS IS GETTING WORSE!  The entire KloxoMR panel now runs under root.  The guys from R911 tore through KloxoMR in seconds.

Are you working on this Mustafa?
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #31 on: 2014-01-31, 03:27:48 »
For those using KloxoMR for shared, can you implement this for apache and proxies?

http://www.linux-faqs.info/apache/running-apache-in-chroot-jail

This would mitigate file system attacks, scripts would be unable to access below /home/
This would also prevent a perl script from putting a file in /usr/local/lxlabs/kloxo/httpdocs, stopping a local root escalation through IP:7778. 

This is a good solution to start.  More work needed.
« Last Edit: 2014-01-31, 04:10:10 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #32 on: 2014-01-31, 07:23:14 »
Mustafa have you reviewed the chroot jail for Apache?
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline farrow

  • Junior Member
  • *
  • Posts: 26
  • Karma: +1/-5
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #33 on: 2014-01-31, 11:32:18 »
For those using KloxoMR for shared, can you implement this for apache and proxies?

http://www.linux-faqs.info/apache/running-apache-in-chroot-jail

This would mitigate file system attacks, scripts would be unable to access below /home/
This would also prevent a perl script from putting a file in /usr/local/lxlabs/kloxo/httpdocs, stopping a local root escalation through IP:7778. 

This is a good solution to start.  More work needed.

WOW, Your like a kid.
Anything that doesn't go your way you throw your rattle out of your pram.
Your making posts all the time, YOU NEVER LEAVE THE GUY ALONE.
I would rather wait and take advice from Mustafa than listen to you. Personally I don't think you know much only know how to bitch and use Google.

Offline skr

  • Junior Member
  • *
  • Posts: 8
  • Karma: +0/-0
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #34 on: 2014-01-31, 11:33:27 »
Hi,

Please advice me How to update to 6.5.0.f/6.5.1.a Kloxo-Mr in SSH.I have no idea about it

Thanks

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #35 on: 2014-01-31, 11:58:50 »
Run 'yum clean all; yum update; sh /script/cleanup'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #36 on: 2014-01-31, 18:45:41 »
@Farrow, this is not a forum for idiotic chit chat, and personal attacks, pm me if you got something to say to me.

You and most of the users of KloxoMR really don't understand just how easy it was for a security consulting business, R911, to make KloxoMR worthless in seconds.

I take this VERY seriously, because I have clients who rely on me to keep their information/sites online and safe.  I TAKE THIS VERY. SERIOUS.

And as far as me blindly following Mustafa, even though he is a great system integrator, it is my opinion he doesn't take security as serious as he should.  Ever heard of the name Ligesh?  Great programmer, brilliant man.  Google that @Farrow.

So Mustafa, what you think about chroot jail Apache?  Perl exploit would have no effect.  What you think?

Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline farrow

  • Junior Member
  • *
  • Posts: 26
  • Karma: +1/-5
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #37 on: 2014-01-31, 18:59:45 »
@Farrow, this is not a forum for idiotic chit chat, and personal attacks, pm me if you got something to say to me.

You and most of the users of KloxoMR really don't understand just how easy it was for a security consulting business, R911, to make KloxoMR worthless in seconds.

I take this VERY seriously, because I have clients who rely on me to keep their information/sites online and safe.  I TAKE THIS VERY. SERIOUS.

And as far as me blindly following Mustafa, even though he is a great system integrator, it is my opinion he doesn't take security as serious as he should.  Ever heard of the name Ligesh?  Great programmer, brilliant man.  Google that @Farrow.

So Mustafa, what you think about chroot jail Apache?  Perl exploit would have no effect.  What you think?

I'm sorry if you think it was a personal attack, it wasn't, I just think your advice is second hand.
A quick question, you say you take it serious but are you using kloxoMR for your clients? even when you know it has security issues.   

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #38 on: 2014-01-31, 19:25:30 »
@Farrow, pm sent.  I already stated, if you want to debate or question me, do it in pm.  This post is about making KloxoMR more secure.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline befree22

  • Valuable Member
  • *
  • Posts: 95
  • Karma: +0/-1
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #39 on: 2014-01-31, 19:52:20 »
You are missing the point, yes creating a file saves it as owner.  But becauae file manager uses root, it can change permission, delete, any file.  If a user finds a way to get it to display sensitive directories, by exploit or however, file manager is dangerous.

It is not all right.  You should consider my solution.

This is EXACTLY how my sites were hacked. The wp-config.php file was BLANK because the criminal hacker REMOVED all code from this critical file. I reported this "root" user bug but Mustafa doesn't care about security or applying intelligent suggestions. This is why I'm researching Webmin because security is the MOST important aspect of any website.

If he wants KloxoMR to succeed, he needs to work with a good development team and beta testers who actively work to secure KloxoMR.

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #40 on: 2014-01-31, 20:12:29 »
@befree22,

Your issue not related to 'root user'. In this 'root user' issue related to php52s/hiawatha running in 'root user' (already fixed).

Your issue related to 'open_basedir'. Without limiting access by 'open_basedir', it make (for example) execute 'include_once("/home/user1/domain1.com/file1.php")' in php file inside '/home/user2/domain2.com'. This issue also already fixed where include_once only possible no more higher than '/home/user2'.

That it.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #41 on: 2014-01-31, 20:30:11 »
Why no response about Apache chroot jail?  This is good security measure don't you think?
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #42 on: 2014-01-31, 20:32:14 »
Why no response about Apache chroot jail?  This is good security measure don't you think?
I am still think this method needed. If apache using chroot and then what about other webserver (nginx/lighttpd/hiawatha)?.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #43 on: 2014-01-31, 20:38:00 »
proxy should be protected by this since perl is interpreted by Apache.  I am not sure.  This is why I ask you :)

think of Apache jailed chroot for shared hosting, others for personal hosting.  if proxy works, then most shared hosting would want Apache backend for .htaccess and mod_rewrite.  I think it is a win win situation.

This would stop ALL file system attacks by clients.  I am researching, doesn't seem too hard to implement.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline matt

  • Junior Member
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: [SECURITY] Please update to 6.5.0.f/6.5.1.a to 2014013001
« Reply #44 on: 2014-02-01, 12:26:20 »
Is the problem still exist? My server got suspended due to kloxo installation  :o . See this:

Quote
Due to a recent SQL injection attack on Kloxo, It is no longer allowed on our network. Your container has been suspended for security reasons.

Any help?

 


Top 4 Global Search Engines:    Google    Bing    Baidu    Yahoo

Page created in 0.063 seconds with 16 queries.

web stats analysis