-
10-16-2009, 02:16 PM #1 Keep rockin' in the free world
- Join Date
- May 2002
- Location
- Kingston, Ontario
- Posts
- 1,588
veportal 2 major security concerns
I'm starting to test out VPS panels and found vePortal 2. I purchased it and installed it. Now I'm checking some security, as we all know about the terrible result of HyperVM as everyone blindly used it because it was "pretty" but it was not secure.
Some serious concerns I'd like to share with vePortal 2.
1) It makes no backups of any of the files it modifies during install, or at least I haven't seen any, like httpd.conf... more of a pain than anything. There is no way to auto-uninstall it either.
2) vePortal gives full root access to the Apache user, letting apache run any root commands!
They add this to your /etc/sudoers
apache ALL=(root) NOPASSWD:ALL
[root@nd11108 myadmin]# su -s /bin/sh apache -c "whoami"
apache
[root@nd11108 myadmin]# su -s /bin/sh apache -c "sudo whoami"
root
This is a root exploit waiting to happen. I asked them about this and got the response.
It would be a security breach if a) apache was allowed SSHD access, or b) the server was running scripts that haven't been marked secure. We have a very comprehensive team of beta testers including one of the largest providers around. They and their staff have not been able to break the security or integrity of the panel as of yet.
All panels in one way or another have root control over the system; for example they wouldn't be able to have an SSH console without it, as only specified commands would work. We do have a list of the commands required by vePortal if you wish to limit it, but the console and the Shell Commander functions would stop working.
Regards,
Gavin H.
Chief Information Officer
That's funny I have been using the panel a few minutes and already found they've ignored the biggest security hole possible..
3) In 5 minutes I've found multiple XSS vulnerabilities in the admin area... Like search customers, I was able to generate JavaScript alerts in multiple fields....
4) It stores the MySQL root password in clear text in a .php file... yeah, that's real secure. Why does it even operate under the MySQL root user? It's using a single database....
5) I forgot to add, it doesn't recognize ANY OpenVZ Vps's you've created manually. It has no idea they exist and you cannot view them at all.
I'm sure I could dig deeper into the source code and find more but it's not worth it. Judging by what I found without actually trying to spend time on security I completely removed the product.
The panel does look nice but it sure gets a mark of insecure for me, I would advise others seriously look into the security of this new panel if you're considering using it.
-Steve
Last edited by Ramprage; 10-16-2009 at 02:24 PM. Reason: added #5
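The sudoers line quoted in this post is the kind of grant a server audit should catch before a panel ships it. The following is an added example, not vePortal's code: a small Python audit that parses the common one-line sudoers rule form (user host=(runas) [TAG:] commands), flags any rule that lets a service account run ALL commands as root, and flags any passwordless ALL grant for other principals. The service-account list, the sample sudoers text and the vzctl/vzlist paths in the usage are constructed for the example; the only real rule in it is the one the post quotes.

```python
"""Audit sudoers rules for blanket root grants to service accounts.

Added example, not vePortal's code. The account list and the sample
file below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Accounts that should never hold a blanket sudo grant (assumed list).
SERVICE_ACCOUNTS = {"apache", "www-data", "nginx", "httpd", "mysql", "postgres", "nobody"}

# Tags that may precede the command list, e.g. "NOPASSWD:ALL".
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# user  host=(runas) rest   (runas is optional; rest = tags + commands)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")

SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_rule(line):
    """Return (user, runas_user, tags, commands) for one rule, or None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    # "(ALL:ALL)" carries a run-as group too; only the user part matters here.
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    rest = m.group("rest").strip()
    tags = set()
    while True:  # peel leading "TAG:" prefixes off the command list
        head, sep, tail = rest.partition(":")
        if sep and head.strip() in TAGS:
            tags.add(head.strip())
            rest = tail.strip()
        else:
            break
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return m.group("user"), runas, tags, commands


def audit_sudoers(text):
    """Flag rules granting ALL commands as root to service accounts or without a password."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, tags, commands = parsed
        if not (runas in ("root", "ALL") and "ALL" in commands):
            continue
        if user in SERVICE_ACCOUNTS:
            findings.append(Finding(no, user, "service account may run any command as root"))
        elif "NOPASSWD" in tags:
            findings.append(Finding(no, user, "passwordless grant of any command as root"))
    return findings


def restricted_rule(user, allowed_commands):
    """Least-privilege replacement: an explicit command allow-list instead of ALL."""
    return f"{user} ALL=(root) NOPASSWD: " + ", ".join(allowed_commands)


# Constructed sample, not a real sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    requiretty
Cmnd_Alias  PANEL = /usr/sbin/vzctl, /usr/sbin/vzlist
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
apache      ALL=(root)      NOPASSWD:ALL
deploy      ALL=(ALL:ALL)   NOPASSWD:ALL
backup      ALL=(root)      NOPASSWD: /usr/bin/rsync
www-data    ALL=(deploy)    NOPASSWD: /usr/bin/systemctl restart app
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
    # Hypothetical allow-list; the real list is whatever the panel actually needs.
    print(restricted_rule("apache", ["/usr/sbin/vzctl", "/usr/sbin/vzlist"]))
```

Run it against a copy of /etc/sudoers (and the files under /etc/sudoers.d) to list the blanket grants; the restricted_rule output shows the shape of the replacement the vendor's reply alludes to, where the web user gets only the named commands rather than ALL.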
-
10-16-2009, 02:26 PM #2 WHT Addict
- Join Date
- Apr 2009
- Posts
- 126
Good finds. I hope the developers repair these issues before it's too late. We have not bothered testing these newer panels as of yet.
-
10-16-2009, 02:49 PM #3 Temporarily Suspended
- Join Date
- Feb 2004
- Location
- USA
- Posts
- 1,572
Same here, didn't get a chance to try vePortal 2.0 yet.
-
10-16-2009, 03:02 PM #4 Junior Guru Wannabe
- Join Date
- Oct 2009
- Posts
- 41
If someone has access to the admin area, I don't think they would bother injecting anything when they already pretty much have access to do whatever they want.
There are numerous other systems online that have taken this same stance. Yes, it's ugly and not great, but is it a security issue?
I really don't think so.
The other way is to ... encrypt the file; security through obscurity is not security. Nearly all PHP scripts do this. I can say ModernBill, ClientExec, and all your other billing systems do this. As the only way to access this file is if the attacker has access to the file via FTP, SSH or whatever, in that case it's already over too.
-
10-16-2009, 03:56 PM #5 Disabled
- Join Date
- Aug 2005
- Posts
- 443
Ouch. They don't get it, do they?
Very nice post, Ramprage. The response from the developers should be a warning sign to anyone using this software.
Edit:
4) It stores the MySQL root password in clear text in a .php file... yeah that's real secure. Why does it even operate under the MySQL root user, its using a single database....
I also agree about it running under the MySQL root user. Not very mindful imho.
Last edited by jpetersen; 10-16-2009 at 04:01 PM.
-
10-16-2009, 04:54 PM #6 Newbie
- Join Date
- Aug 2009
- Posts
- 15
To whom it may concern: vePortal, LLC is working to resolve this issue starting right away. There are foundations under way for the next release of the control panel.
Obviously your security is paramount to both yourselves and us. The integrity of vePortal was not compromised in any way by the team of beta testers we put the panel before. There are reasons for using such measures; in the early days of development vePortal was asked to integrate shell consoles into the control panel.
We have however just employed two new members of staff to assist in addressing this issue, one who can ensure the integrity of the shell developments, and another for auditing vePortal software pre-release.
As others have said, there is no immediate threat. The login system is very secure and without admin access the panel cannot be compromised.
vePortal was audited regularly during the security development stages, and on every release so far a new or enhanced layer of security has been added in. All opinions have been taken into account, and we are working for a new release of the panel to be made available within the next 12-24 hours.
Also, if anyone manages to discover any security issues or bugs we are always waiting to be notified about this, as we strive to create a secure yet versatile control panel.
Regards,
vePortal Management.
-
10-16-2009, 05:07 PM #7 Keep rockin' in the free world
- Join Date
- May 2002
- Location
- Kingston, Ontario
- Posts
- 1,588
I didn't get such a sugar-coated response from vePortal privately.. actually I was told the exact opposite. So which is it, are you fixing the apache = root or not?
I tried to help vePortal by telling them this privately but they ignored me and proclaimed that apache=root is secure, which it obviously is not. There are reasons Apache adds a secondary user called apache instead of simply running everything as root.
Somehow they think because this isn't a shared environment it isn't a problem?
Yes, apache can run any command it requires.
How do you expect that other applications process their requests? There has to be a bridge between apache and the shell. IF this was a shared hosting environment then yes, it would be a huge security hole, but all files are locked and you're not able to upload/edit or cause a security hole from the web interface.
I'm not sure how else you would expect the GUI to communicate with the back-end of the module.
Intimidation/abuse is a violation of our EULA, which you have also accepted on your first login. Threatening with reviews and/or chargebacks would be intimidation and a violation of our policies.
Regards,
Gavin H.
Chief Information Officer
ghanson@veportal.com
vePortal, LLC.
http://www.vePortal.com
----------------------------------------------
Ticket ID: #886481
-
10-19-2009, 08:35 PM #8 Newbie
- Join Date
- Aug 2009
- Posts
- 15
I can now confirm that, admittedly a few days later than expected, there is a full and secure fix for this issue.
The new fix eliminates the use of apache for any commands being sent to the back-end of vePortal and integrates the likes of suPHP and a fully reprogrammed core.
More Secure, More Stable and Fully Audited.
-
10-20-2009, 12:46 AM #9 Web Hosting Master
- Join Date
- Jun 2006
- Location
- NYC / Memphis, TN
- Posts
- 1,454
-
10-20-2009, 04:21 AM #10 WHT Addict
- Join Date
- May 2009
- Posts
- 131
Hi ServerOrigin,
The client area has validation and sanitising on all input fields. Like we mentioned before, if somebody got into the admin panel, XSS vulnerabilities are the last of your problems, and for that reason we didn't think it would be required. However, saying that, it's no major task to add into the admin panel and it will be done in the next release.
D.Woodvine
-
10-20-2009, 04:25 PM #11 Web Hosting Master
- Join Date
- Jun 2006
- Location
- NYC / Memphis, TN
- Posts
- 1,454
-
10-21-2009, 05:21 AM #12 WHT Addict
- Join Date
- May 2009
- Posts
- 131
-
10-21-2009, 06:29 AM #13 Web Hosting Guru
- Join Date
- Nov 2007
- Posts
- 256
I can agree that vePortal has major security issues. One of my nodes got hacked due to vePortal software. Luckily it didn't do any damage to the VPS info I had running on the machine; however, it took some time to remove the hack and implement some security measures to get past it while we moved to SolusVM. SolusVM has been the best VZ control panel I have ever used and our customers love it.
I think the security and bugs need to be worked out of vePortal before making it look nice. Also, I have found that to upgrade to V2 you now have to pay $14.95 instead of the $7 it used to be, and you have to download it and install it again if you want to upgrade.
-
10-21-2009, 06:32 AM #14 Junior Guru
- Join Date
- Jun 2008
- Posts
- 205
"Threatening with reviews and/or chargebacks would be Intimidation and a violation of our policies."
Your lame policy is a violation.
Who do you think you are?
-
10-21-2009, 12:45 PM #15 Web Hosting Master
- Join Date
- Oct 2007
- Location
- United States
- Posts
- 1,182
-
10-21-2009, 01:43 PM #16 Disabled
- Join Date
- Aug 2005
- Posts
- 443
With all due respect, you do not understand what XSS is, and how it can be taken advantage of. It is not necessarily something that you use once you've obtained access to a restricted resource. It is something that could possibly be used in order to obtain access to a restricted resource.
-
10-21-2009, 01:48 PM #17 Web Hosting Master
- Join Date
- Apr 2000
- Location
- Nevada, US
- Posts
- 5,550
-
10-21-2009, 03:26 PM #18 Newbie
- Join Date
- Aug 2009
- Posts
- 15
Hi, can you please submit a support ticket backing this information up? For some reason I find it very hard to believe somebody had a VPS node hacked without so much as a whisper. I'm not directly calling you a liar, but it's not something one would expect.
If you have a license from pre-v2 then you pay your usual price ($7.50, or $5 for a lucky few). People made complaints about downtime in licensing servers, and we had to implement new measures, including moving from our single VPS to several globally load-balanced servers. Obviously this costs more, so for a higher rate of service a higher fee is charged. You get what you pay for.
Very mature. However it is worded, the end user accepts those terms.
-
10-21-2009, 03:59 PM #19 Temporarily Suspended
- Join Date
- Feb 2004
- Location
- USA
- Posts
- 1,572
What's the status of this? Will be trying vePortal soon on a few test servers.
-
10-21-2009, 04:00 PM #20 WHT Addict
- Join Date
- May 2009
- Posts
- 131
Such a resource that you would already have full access to if you were already given access to the administration panel, right?
I'm quite aware of XSS and its risks. I can see how it's a very high priority within the User and Reseller Panels; however, for a server admin you need to have been given access in order to run the XSS, and because of this it's a lower priority.
I believe this is fixed in the next release of vePortal. Until now nobody has been and confirmed all potential security holes have been fixed, and so judgement shouldn't really be passed until they have done.
D.Woodvine
-
10-21-2009, 04:01 PM #21 WHT Addict
- Join Date
- May 2009
- Posts
- 131
-
10-21-2009, 05:50 PM #22 Retired Moderator
- Join Date
- Feb 2005
- Location
- Australia
- Posts
- 5,849
Sorry Donna, but with every comment you make you're demonstrating that you don't know what XSS is. FYI: XSS attacks take advantage of a genuine, innocent, authenticated user (a server admin in this case) by executing code on their browser to do something that the user would not do willingly. The attacker is typically an unprivileged user or visitor whose only access is the ability to submit something for the admin to read (say, a ticket or a request to open an account).
If you have / had XSS vulnerabilities in your system, you should be applying the highest priority to any that apply to the server admin because those have the potential to do most damage.
Chris
"Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
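The attack path Chris describes (an unprivileged user submits content, an admin later opens it in the panel) is exactly the case the admin search and ticket views need to encode for. The following is an added example, not vePortal's code: a Python rendering of a ticket in the admin view, first by plain string concatenation and then with context-appropriate HTML encoding, plus a parser-based check that reports any tag or event-handler attribute the template itself did not emit. The ticket fields and the page template are constructed for the example.

```python
"""Output-encode untrusted content before it reaches an admin's browser.

Added example, not vePortal's code. The ticket below is constructed:
it is what an unprivileged user might type into a support form that an
admin later views.
"""
import html
from html.parser import HTMLParser

# Constructed sample ticket, one field per HTML context it will land in.
TICKET = {
    "subject": 'Help "urgent" <script>alert(document.cookie)</script>',   # element content
    "body": "My VPS is down. <img src=x onerror=alert(1)>",               # element content
    "reply_to": '" autofocus onfocus="alert(1)',                          # attribute value
}


def render_ticket_unsafe(t):
    """Direct concatenation: every field is an injection point."""
    return (f"<h2>{t['subject']}</h2>"
            f"<p>{t['body']}</p>"
            f'<input name="reply_to" value="{t["reply_to"]}">')


def render_ticket_safe(t):
    """Encode for the destination context.

    html.escape(quote=True) replaces & < > " ' and so covers both element
    content and double-quoted attribute values; a URL or JavaScript context
    would need its own encoder, which this template does not use.
    """
    def esc(s):
        return html.escape(s, quote=True)
    return (f"<h2>{esc(t['subject'])}</h2>"
            f"<p>{esc(t['body'])}</p>"
            f'<input name="reply_to" value="{esc(t["reply_to"])}">')


class TagCollector(HTMLParser):
    """Record every start tag the browser-side parser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_markup(rendered, template_tags=("h2", "p", "input")):
    """Return tags and on* handlers that the template itself did not emit.

    Because the check runs a real HTML parser over the output, escaped text
    such as "&lt;img ... onerror=...&gt;" is correctly seen as data, not markup.
    """
    parser = TagCollector()
    parser.feed(rendered)
    hits = []
    for tag, attrs in parser.tags:
        if tag not in template_tags:
            hits.append(tag)
        hits.extend(a for a in attrs if a.startswith("on"))
    return hits


if __name__ == "__main__":
    print("unsafe:", injected_markup(render_ticket_unsafe(TICKET)))
    print("safe:  ", injected_markup(render_ticket_safe(TICKET)))
```

The point of running a parser rather than a regex in the check is the one in the thread: what matters is what the admin's browser will execute, and a browser tokenizes markup, so a test that grep-matches "onerror" would flag the correctly escaped page as well. The same encode-on-output rule applies to the admin search results the first post mentions: the search term is attacker-controlled even when the person typing it is the admin, because a link can carry it.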
-
10-22-2009, 10:22 AM #23 Web Hosting Guru
- Join Date
- Jan 2006
- Location
- Sydney, Australia
- Posts
- 251
-
10-22-2009, 05:14 PM #24 WHT Addict
- Join Date
- Dec 2002
- Posts
- 160
-
10-22-2009, 07:57 PM #25 WHT Addict
- Join Date
- May 2009
- Posts
- 131
Well, I work from what I know so far. As my sig shows, I'm only marketing, but what I do know is that the next release is with the auditors now. It shouldn't be too much longer before that's released, and obviously XSS checking is paramount on the list of checks there to perform.
D.Woodvine