  1. #1

    veportal 2 major security concerns

    I'm starting to test out VPS panels and found vePortal 2. I purchased it and installed it. Now I'm checking some security, as we all know about the terrible result of HyperVM as everyone blindly used it because it was "pretty" but it was not secure.

    Some serious concerns I'd like to share with vePortal 2.

    1) It makes no backups of any of the files it modifies during install, or at least I haven't seen any, like httpd.conf.... more of a pain than anything. There is no way to auto-uninstall it either..

    2) vePortal gives full root access to the Apache user, letting apache run any root commands!
    They add this to your /etc/sudoers
    apache ALL=(root) NOPASSWD:ALL

    [root@nd11108 myadmin]# su -s /bin/sh apache -c "whoami"
    apache
    [root@nd11108 myadmin]# su -s /bin/sh apache -c "sudo whoami"
    root

    This is a root exploit waiting to happen. I asked them about this and got this response:

    It would be a security breach if a) apache was allowed SSHD access, or b) the server was running scripts that haven't been marked secure. We have a very comprehensive team of beta testers, including one of the largest providers around; they and their staff have not been able to break the security or integrity of the panel as of yet.

    All panels in one way or another have root control over the system; for example they wouldn't be able to have an SSH console without it, as only specified commands would work. We do have a list of the commands required by vePortal if you wish to limit it, but the console and the Shell Commander functions would stop working.

    Regards,
    Gavin H.
    Chief Information Officer

    That's funny; I have been using the panel a few minutes and already found they've ignored the biggest security hole possible..

    3) In 5 minutes I've found multiple XSS vulnerabilities in the admin area... Like search customers, I was able to generate JavaScript alerts in multiple fields....

    4) It stores the MySQL root password in clear text in a .php file... yeah, that's real secure. Why does it even operate under the MySQL root user? It's using a single database....

    5) I forgot to add, it doesn't recognize ANY OpenVZ VPSs you've created manually. It has no idea they exist and you cannot view them at all.

    I'm sure I could dig deeper into the source code and find more, but it's not worth it. Judging by what I found without actually trying to spend time on security, I completely removed the product.

    The panel does look nice, but it sure gets a mark of insecure from me. I would advise others to seriously look into the security of this new panel if you're considering using it.

    -Steve
    Last edited by Ramprage; 10-16-2009 at 02:24 PM. Reason: added #5

  2. #2
    Good finds. I hope the developers repair these issues before it's too late. We have not bothered testing these newer panels as of yet.

  3. #3
    Same here, didn't get a chance to try vePortal 2.0 yet.

  4. #4
    Quote Originally Posted by Ramprage
    3) In 5 minutes I've found multiple XSS vulnerabilities in the admin area... Like search customers, I was able to generate JavaScript alerts in multiple fields....
    If someone has access to the admin area, I don't think they would bother injecting anything when they already pretty much have access to do whatever they want.
    There are numerous other systems online that have taken this same stance. Yes, it's ugly and not great, but is it a security issue?
    I really don't think so.


    Quote Originally Posted by Ramprage
    It stores the MySQL root password in clear text in a .php file... yeah that's real secure
    The other way is to ... encrypt the file; security through obscurity is not security. Nearly all PHP scripts do this; I can say Modernbill, Clientexec and all your other billing systems do this. As the only way to access this file is if the attacker has access to the file via FTP, SSH or whatever, in that case it's already over too.

  5. #5
    Quote Originally Posted by Ramprage View Post
    They add this to your /etc/sudoers
    apache ALL=(root) NOPASSWD:ALL
    Ouch. They don't get it, do they?

    Quote Originally Posted by veportal
    It would be a security breach if a) apache was allowed SSHD Access
    It's very naive of them to think that "ssh access" is the only way to gain access to other accounts.

    Quote Originally Posted by veportal
    or b) the server was running scripts that havn't been marked secure
    The reality of the situation is that tons of people run scripts that they have not had professionally audited. Hell, most developers never take the time to have their own code professionally audited. Why waste money, right guys?

    Quote Originally Posted by veportal
    We have a very comprehensive team of beta testers including one of the largest providers around, They and their staff have not been able to break the security or integrity of the panel as of yet.
    It's already broken by design.

    Quote Originally Posted by CookedNoodles
    If someone has access to the admin area, I don't think they would bother injecting anything when they already pretty much have access to do whatever they want.
    If someone has access to the admin area and you can trick their web browser into performing an action they would not otherwise be willing to do, then there is a problem. Furthermore, code riddled with XSS issues is often a telltale sign that the developers may be inexperienced with creating secure software, which could mean other higher risk bugs.

    Quote Originally Posted by CookedNoodles
    The other way is to ... encrypt the file, security through obscurity is not security.
    Encryption is not obscurity. Security through obscurity would be doing something like leaving the password in plain text, but making the file name random on each server. Anyone with access to the filesystem could still obtain the password, they just need to find the file. Once the file was found, the password could be recovered. However, if the password was encrypted, then the password would not (should not) be able to be recovered anyway. Another example of obscurity would be storing passwords in a base64 encoded format, which is what LxAdmin/Kloxo did (and I assume HyperVM).


    Very nice post, Ramprage. The response from the developers should be a warning sign to anyone using this software.


    Edit:

    4) It stores the MySQL root password in clear text in a .php file... yeah that's real secure. Why does it even operate under the MySQL root user, its using a single database....
    Out of curiosity, is it a world readable file?

    I also agree about it running under the MySQL root user. Not very mindful imho.
    Last edited by jpetersen; 10-16-2009 at 04:01 PM.
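    The two checks a node admin would want after reading post #1's sudoers grant and post #5's question about the config file being world readable, as an added POSIX shell example (not vePortal's code, nor any poster's) that runs against constructed sample files in a temporary directory:

```shell
#!/bin/sh
# Added example, not vePortal's code: audit sudoers for password-less "ALL"
# grants to service accounts and check whether a config file is world readable.
# Every file below is a constructed sample created in a temporary directory.

# Return 0 and print the offending line(s) when ACCOUNT has an uncommented
# sudoers entry ending in NOPASSWD:ALL (any run-as user); return 1 otherwise.
sudoers_nopasswd_all() {
  file="$1"; acct="$2"
  sed 's/#.*//' "$file" \
    | grep -E "^[[:space:]]*${acct}[[:space:]]+.*NOPASSWD:[[:space:]]*ALL([[:space:]]|$)"
}

# Check each account named after the file; print findings and return the
# number of accounts holding an unrestricted grant (0 means clean).
audit_service_accounts() {
  file="$1"; shift; hits=0
  for acct in "$@"; do
    if lines=$(sudoers_nopasswd_all "$file" "$acct"); then
      echo "RISK: $acct can run any command via sudo without a password:"
      echo "$lines" | sed 's/^/    /'
      hits=$((hits + 1))
    fi
  done
  return "$hits"
}

# Return 0 when "other" users have the read bit on FILE (column 8 of ls -ld),
# i.e. the world-readable case asked about in post #5.
world_readable() {
  [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# --- constructed samples ---------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_SUDOERS="$SAMPLE_DIR/sudoers"
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sudoers sample; the apache line is the grant quoted in post #1
root     ALL=(ALL)       ALL
apache ALL=(root) NOPASSWD:ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
# www-data ALL=(root) NOPASSWD:ALL   (commented out, must not be reported)
EOF
printf '<?php $db_pass = "placeholder";\n' > "$SAMPLE_DIR/config_644.php"
cp "$SAMPLE_DIR/config_644.php" "$SAMPLE_DIR/config_640.php"
chmod 644 "$SAMPLE_DIR/config_644.php"
chmod 640 "$SAMPLE_DIR/config_640.php"

# --- run the checks ----------------------------------------------------------
if audit_service_accounts "$SAMPLE_SUDOERS" apache backup www-data; then
  echo "sudoers: no unrestricted NOPASSWD grants for the listed accounts"
fi
for f in "$SAMPLE_DIR"/config_*.php; do
  if world_readable "$f"; then
    echo "RISK: $f is world readable; any local user can read the DB password"
  else
    echo "ok:   $f is not readable by other users"
  fi
done
```

Point the two functions at /etc/sudoers (and any /etc/sudoers.d fragment) and the panel's config file to run the same checks on a real node.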

  6. #6
    To whom it may concern: vePortal, LLC is working to resolve this issue starting right away. There are foundations under way for the next release of the control panel.
    Obviously your security is paramount to both yourselves and us. The integrity of vePortal was not compromised in any way by the team of beta testers we put the panel before. There are reasons for using such measures: in the early days of development vePortal was asked to integrate shell consoles into the control panel.

    We have, however, just employed two new members of staff to assist in addressing this issue: one who can ensure the integrity of the shell developments, and another for auditing vePortal software pre-release.

    As others have said, there is no immediate threat. The login system is very secure and without admin access the panel cannot be compromised.

    vePortal was audited regularly during the security development stages, and on every release so far a new or enhanced layer of security has been added in. All opinions have been taken into account, and we are working for a new release of the panel to be made available within the next 12-24 hours.

    Also, if anyone manages to discover any security issues or bugs, we are always waiting to be notified about this as we strive to create a secure yet versatile control panel.

    Regards,
    vePortal Management.

  7. #7
    I didn't get such a sugar-coated response from vePortal privately.. actually I was told the exact opposite. So which is it, are you fixing the apache = root or not?

    I tried to help vePortal by telling them this privately, but they ignored me and proclaimed that apache=root is secure, which it obviously is not. There are reasons Apache adds a secondary user called apache instead of simply running everything as root.

    Somehow they think because this isn't a shared environment it isn't a problem?

    Yes, apache can run any command it requires.
    How do you expect other applications to process their requests? There has to be a bridge between apache and the shell. IF this was a shared hosting environment then yes, it would be a huge security hole, but all files are locked and you're not able to upload/edit or cause a security hole from the web interface.

    I'm not sure how else you would expect the GUI to communicate with the back-end of the module.

    Intimidation/Abuse is a violation of our EULA which you have also accepted on your first login, Threatening with reviews and/or chargebacks would be Intimidation and a violation of our policies.

    Regards,
    Gavin H.
    Chief Information Officer
    ghanson@veportal.com
    vePortal, LLC.
    http://www.vePortal.com

    ----------------------------------------------
    Ticket ID: #886481

  8. #8
    I can now confirm that, admittedly a few days later than expected, there is a full and secure fix for this issue.

    The new fix eliminates the use of apache for any commands being sent to the back-end of vePortal and integrates the likes of suPHP and a fully reprogrammed core.

    More Secure, More Stable and Fully Audited.

  9. #9
    Quote Originally Posted by vePortal
    I can now confirm that, admittedly a few days later than expected, there is a full and secure fix for this issue.

    The new fix eliminates the use of apache for any commands being sent to the back-end of vePortal and integrates the likes of suPHP and a fully reprogrammed core.

    More Secure, More Stable and Fully Audited.
    Is the issue resolved with the XSS vulnerabilities? I'd be highly concerned about remote exploits, especially in customer areas.

  10. #10
    Hi ServerOrigin,
    The client area has validation & sanitising on all input fields. Like we mentioned before, if somebody got into the admin panel, XSS vulnerabilities are the last of your problems, and for that reason we didn't think it would be required. However, saying that, it's no major task to add into the admin panel and it will be done in the next release.
    D.Woodvine

  11. #11
    Quote Originally Posted by VW-Donna
    Hi ServerOrigin,
    The client area has validation & sanitising on all input fields. Like we mentioned before, if somebody got into the admin panel, XSS vulnerabilities are the last of your problems, and for that reason we didn't think it would be required. However, saying that, it's no major task to add into the admin panel and it will be done in the next release.
    It's great to hear you guys are doing so much work. We're considering both veportal and SolusVM at this time. We're still doing some testing.

  12. #12
    Quote Originally Posted by ServerOrigin
    It's great to hear you guys are doing so much work. We're considering both veportal and SolusVM at this time. We're still doing some testing.
    Well, that's great news. We look forward to seeing you arrive.
    D.Woodvine

  13. #13
    I can agree that VePortal has major security issues. One of my nodes got hacked due to VePortal software; luckily it didn't do any damage to the VPS info I had running on the machine, however it took some time to remove the hack and implement some security measures to get past it while we moved to SolusVM. SolusVM has been the best VZ control panel I have ever used and our customers love it.

    I think the security and bugs need to be worked out of VePortal before making it look nice. Also I have found that to upgrade to V2 you now have to pay $14.95 instead of the $7 it used to be, and you have to download it and install it again if you want to upgrade.

  14. #14
    "Threatening with reviews and/or chargebacks would be Intimidation and a violation of our policies."

    Your lame policy is a violation.

    Who do you think you are?

  15. #15
    Quote Originally Posted by w4Net
    I can agree that VePortal has major security issues. One of my nodes got hacked due to VePortal software; luckily it didn't do any damage to the VPS info I had running on the machine, however it took some time to remove the hack and implement some security measures to get past it while we moved to SolusVM. SolusVM has been the best VZ control panel I have ever used and our customers love it.

    I think the security and bugs need to be worked out of VePortal before making it look nice. Also I have found that to upgrade to V2 you now have to pay $14.95 instead of the $7 it used to be, and you have to download it and install it again if you want to upgrade.
    Do you have any proof that it was a VePortal vulnerability and not just a weak server password?

  16. #16
    Quote Originally Posted by VW-Donna
    If somebody got into the admin panel XSS Vulnerabilities are the last of your problems
    With all due respect, you do not understand what XSS is, and how it can be taken advantage of. It is not necessarily something that you use once you've obtained access to a restricted resource. It is something that could possibly be used in order to obtain access to a restricted resource.

  17. #17
    Quote Originally Posted by DMEHosting
    Do you have any proof that it was a VePortal vulnerability and not just a weak server password?
    Good question, as we have seen no such issues ourselves. It's easy to blame vePortal, but without proof it's not a good post to be making. And even if it was not a password issue, vePortal may not be the issue: the operating system or OpenVZ could be the issue...

  18. #18
    Quote Originally Posted by w4Net
    I can agree that VePortal has major security issues. One of my nodes got hacked due to VePortal software; luckily it didn't do any damage to the VPS info I had running on the machine, however it took some time to remove the hack and implement some security measures to get past it while we moved to SolusVM. SolusVM has been the best VZ control panel I have ever used and our customers love it.
    Hi, can you please submit a support ticket backing this information up? For some reason I find it very hard to believe somebody had a VPS node hacked without so much as a whisper. I'm not directly calling you a liar, but it's not something one would expect.

    Quote Originally Posted by w4Net
    I think the security and bugs need to be worked out of VePortal before making it look nice. Also I have found that to upgrade to V2 you now have to pay $14.95 instead of the $7 it used to be, and you have to download it and install it again if you want to upgrade.
    If you have a license from pre-v2 then you pay your usual price ($7.50, or $5 for a lucky few). People made complaints about downtime in licensing servers, so we had to implement new measures, including moving from our single VPS to several globally load-balanced servers. Obviously this costs more, so for a higher rate of service a higher fee is charged. You get what you pay for.

    Quote Originally Posted by web-1
    "Threatening with reviews and/or chargebacks would be Intimidation and a violation of our policies."

    Your lame policy is a violation.

    Who do you think you are?
    Very mature. However it is worded, the end user accepts those terms.

  19. #19
    What's the status of this? Will be trying VePortal soon on a few test servers.

  20. #20
    Quote Originally Posted by jpetersen
    With all due respect, you do not understand what XSS is, and how it can be taken advantage of. It is not necessarily something that you use once you've obtained access to a restricted resource. It is something that could possibly be used in order to obtain access to a restricted resource.
    Such a resource that you would already have full access to if you were already given access to the administration panel, right?

    I'm quite aware of XSS and its risks. I can see how it's a very high priority within the User and Reseller panels; however, for a server admin you need to have been given access in order to run the XSS, and because of this it's a lower priority.

    I believe this is fixed in the next release of vePortal. Until now nobody has confirmed that all potential security holes have been fixed, and so judgement shouldn't really be passed until they have done so.
    D.Woodvine

  21. #21
    Quote Originally Posted by TheServerExperts
    What's the status of this? Will be trying VePortal soon on a few test servers.
    All issues were resolved. The present installer is completely secured.
    D.Woodvine

  22. #22
    Quote Originally Posted by VW-Donna
    I'm quite aware of XSS and its risks. I can see how it's a very high priority within the User and Reseller panels; however, for a server admin you need to have been given access in order to run the XSS, and because of this it's a lower priority.
    Sorry Donna, but with every comment you make you're demonstrating that you don't know what XSS is. FYI: XSS attacks take advantage of a genuine, innocent, authenticated user (a server admin in this case) by executing code on their browser to do something that the user would not do willingly. The attacker is typically an unprivileged user or visitor whose only access is the ability to submit something for the admin to read (say, a ticket or a request to open an account).

    If you have / had XSS vulnerabilities in your system, you should be applying the highest priority to any that apply to the server admin because those have the potential to do most damage.
    Chris

  23. #23
    Quote Originally Posted by VW-Donna
    However, for a server admin you need to have been given access in order to run the XSS, and because of this it's a lower priority.
    Look up something like cross-site request forgery, and how it can be used to attack sites with an existing XSS vulnerability...

  24. #24
    Quote Originally Posted by foobic
    Sorry Donna, but with every comment you make you're demonstrating that you don't know what XSS is. FYI: XSS attacks take advantage of a genuine, innocent, authenticated user
    Gotta agree here with foobic; this is exactly the point of XSS: using the access rights of a valid logged-in user.

    If you think having to be logged in as admin is preventing XSS, you have no idea what XSS is.

  25. #25
    Quote Originally Posted by sej7278
    Gotta agree here with foobic; this is exactly the point of XSS: using the access rights of a valid logged-in user.

    If you think having to be logged in as admin is preventing XSS, you have no idea what XSS is.
    Well, I work from what I know so far. As my sig shows, I'm only marketing, but what I do know is that the next release is with the auditors now; it shouldn't be too much longer before that's released, and obviously XSS checking is paramount on the list of checks there to perform.
    D.Woodvine
