cs2000 / DankDroneDownloader

A Custom Firmware Download Tool for DJI Drones Written in C#
342 stars 57 forks

Security Concerns #8

Closed b1tninja closed 4 years ago

b1tninja commented 4 years ago

The credentials aren't well protected, and though you have rssh, I think there may be ways to escalate privs on the hosting infrastructure. Maybe setting an environment variable, or uploading a .so to be used as a cipher, or by messing with .htaccess. I don't have any malicious intent but I poked around a bit; you being the hacker type I figure you wouldn't mind... I might be able to help further lock things down if you care to reach out to me.

b1tninja commented 4 years ago

Some things I thought of:

- maybe chown the jail/chroot as another user (chown/chmod)
- perhaps avoid FTP altogether: it's a weird protocol... I didn't bother to see if you support PASV/PORT mode, but in theory maybe it could be used as a proxy/nuisance and isn't very "secure"

cs2000 commented 4 years ago

Hey, thanks for the heads-up, I don't mind at all, I'd rather know than not! I was/am aware the credentials are in the app, kind of a necessary evil, and took some basic steps to try to prevent any credentials being of much use, but I see some..."weird" stuff in my .htaccess which 100% didn't used to be there:

```apache
<Location /hax>
SetHandler server-status
Order Allow,Deny
```

Anyway! As for how to go about fixing it, I do have SSH access to the server, in a roundabout way, but it's a simple "website and hosting" package; I don't have root access, nor can I modify anything outside of my home directory.

I've just gone through the code and removed the ability for the user to upload anything that isn't .bin or .tar, but I need to remove the ability of that user to SSH too. I'll have to work with the web host to see what they can do.
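As an added example of the .bin/.tar restriction described in the comment above (this is not code from DankDroneDownloader; the class, method and sample file names are assumptions for illustration), the upload name is checked for path characters and an allow-listed extension, .tar content is sniffed for the ustar magic, and the file is stored under a content-hash name so the client-supplied name never reaches the server's disk. One caveat a practitioner would raise: with the credentials shipped inside the app, a check that runs only in the client can be bypassed by anyone who extracts them, so the same validation has to be enforced on the server side (or by the host) as well.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not the project's own code. Names are assumptions.
public static class UploadValidator
{
    // Allow-list matching the fix described in the thread.
    private static readonly string[] AllowedExtensions = { ".bin", ".tar" };

    // True when 'name' is a bare file name whose final extension is allowed.
    public static bool IsNameAllowed(string name, out string reason)
    {
        reason = "";
        if (string.IsNullOrWhiteSpace(name)) { reason = "empty name"; return false; }
        // No directory separators, traversal components or control chars (incl. NUL).
        if (name.IndexOfAny(new[] { '/', '\\' }) >= 0 || name.Contains(".."))
        { reason = "path characters in name"; return false; }
        if (name.Any(char.IsControl)) { reason = "control character in name"; return false; }
        var ext = Path.GetExtension(name).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext))
        { reason = "extension '" + ext + "' not allowed"; return false; }
        return true;
    }

    // POSIX ustar archives carry "ustar" at offset 257 of the first 512-byte
    // header block; checking it stops a renamed script from passing as a .tar.
    public static bool LooksLikeTar(byte[] data) =>
        data != null && data.Length >= 262 && Encoding.ASCII.GetString(data, 257, 5) == "ustar";

    // Name the file is actually stored under: hex SHA-256 of the content plus the
    // validated extension. Because the client's name never reaches the disk, a
    // name like "update.php.bin" (Apache's mod_mime evaluates every dotted suffix)
    // cannot influence how the web server treats the uploaded file.
    public static string StoredName(string clientName, byte[] content)
    {
        if (!IsNameAllowed(clientName, out var why))
            throw new ArgumentException("rejected upload name: " + why);
        var ext = Path.GetExtension(clientName).ToLowerInvariant();
        if (ext == ".tar" && !LooksLikeTar(content))
            throw new ArgumentException("content does not look like a ustar archive");
        using (var sha = SHA256.Create())
        {
            var hex = BitConverter.ToString(sha.ComputeHash(content)).Replace("-", "").ToLowerInvariant();
            return hex + ext;
        }
    }

    public static void Main()
    {
        // Constructed sample names; the expected verdict is in each comment.
        string[] samples =
        {
            "V01.00.0450_dji_system.bin", // OK (dots in the base name are fine)
            "firmware.TAR",               // OK (extension compared case-insensitively)
            "../.htaccess",               // REJECT: path characters
            "update.php.bin",             // OK by name, but stored as <sha256>.bin
            "shell.sh",                   // REJECT: extension not allowed
        };
        foreach (var s in samples)
        {
            var ok = IsNameAllowed(s, out var why);
            Console.WriteLine($"{s,-30} {(ok ? "OK" : "REJECT: " + why)}");
        }

        // Constructed 512-byte tar header with the ustar magic at offset 257.
        var header = new byte[512];
        Encoding.ASCII.GetBytes("ustar").CopyTo(header, 257);
        Console.WriteLine("stored as: " + StoredName("firmware.TAR", header));

        // A .tar whose content lacks the magic is refused even though the name passed.
        try { StoredName("not-really.tar", new byte[512]); }
        catch (ArgumentException e) { Console.WriteLine("refused: " + e.Message); }
    }
}
```

The content-hash name also deduplicates repeated uploads of the same firmware image; keep the client's original name, if it is needed at all, in a separate metadata record rather than on the filesystem.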