SSH Default dir, PMA, Panel SSL, Panel Default PW

[pyro-code01]

I few more "issues" to report.

1. When you login with ssh clients such as Putty or WinSCP to some user the default login dir is the one saved and when you login again the same dir persists so you have to change folders or cd each time.

Suggestion is that each user ssh have its own default /web/public dir, i know SP, runcloud and cyberpanel do it like that so when logged in you auto get changed to web folder.

Also if another user can guess another users home web dir it can read files, such as configs etc.. (Possible security issue?) Possible to implement "open_basedir Protection"?

2. When trying to access phpmyadmin on new server i get error:

File /var/www/html/pma/vendor/autoload.php missing or not readable. Most likely you did not run Composer to install library files.

Suggestion is to remove PMA entirely, since the panel is mostly developer oriented like SP, most people know how to wget PMA themselfs?

3. Add default non signed ssl to panel IP upon installation:

When panel is first time installed it does not have SSL enabled, better to have self signed SSL even be it invalid it still protects against MITM attacks upon first login, cyberpanel does it like this. (Some people like me use panel on IP not on domain)

4. Auto generate default admin login password upon installation:

I know this is not very likely but it is possible race condition vunerability to have default credentials, some people leave installs overnights or for longer duration, someone could exploit this in the meantime.

5. Add option to debrand login page completely

This is just suggestion, it would be useful to make login page generic and not advertise cipi on it (if it doesnt damage you), if any authentication exploits are found in the future it would be much harder for bots to auto scan cipi panels (This happened to VestaCP), since cipi is not bound to port like other panels scanning would be much harder.

If anything of this makes sense to you i would like you to consider it, its good panel and i will continue to test it in production in the mean time, looking forward to v3 :)

@andreapollastri

[andreapollastri]

Thank You for this report...

• About point number 1, I'm working on it for v3.
• About point number 2, Phpmyadmin will be removed in v3.
• About point number 3, I can't force a default SSL because for law reasons I can't supply a my own subdomain in installation... domains has to be owned from each "client"... in Docs there is a procedure to create it with a custom domain / subdomain
• About point number 4, I'm working on it for v3.
• About point number 5, I'm working on it for v3.

[pyro-code01]

@andreapollastri

About point number 3, you dont need to supply you own domain or forced SSL cert (your own), there is an option to auto generate self signed certificate during "install time" that generated self certificate will be crypto generated and you wont have any connection with it, how ever since it will be self signed it will be invalid, so you need to accept that cert to use panel (eg. chrome will give warning), but it still protects againts MITM as its 443 SSL port.

Bare in mind that this is better to use than no SSL when accessing the panel via the IP address directly.

[andreapollastri]

Hi... in version 3 many things changed...

Point 1 -> shoud be fixed Point 2 -> phpmyadmin is not supported yet in Cipi v3 Point 3 -> in settings area you can generate a free Let's Encrypt cert Point 4 -> nope... you can change it after first login into settings area Point 5 -> now you can do it into .env file... the customizable parameters are: //Branding 'name' => env('CIPI_NAME', 'Cipi Control Panel'), 'website' => env('CIPI_WEBSITE', 'https://cipi.sh'), 'background' => env('CIPI_BACKGROUNG', 'clouds'),

About customization, you can also use only CIPI API to build your custom panel/app :)