zpanel / zpanelx

ZPanel is a web hosting control panel written in PHP for Windows and *NIX host OS's.
http://www.zpanelcp.com

If you disable apps in modules ADMIN doesn't prevent direct access #200

Open ghost opened 10 years ago

ghost commented 10 years ago

Hi,

Try to disable the phpinfo module or any of the apps that ship with zpanel. Even though they now require the user to be logged in, they still remain.

You can restrict phpsysinfo only to admin BUT any user can access it.

Even if you totally remove it from users' access it's still there. Same for phpinfo, webmail, phpmyadmin.

  1. Permission levels need to be checked against user group.
  2. IF disabled from any group it should be enforced too.

M B

jacobgelling commented 10 years ago

This was in the old bug tracker but it was decided not to fix it, as it would require lots of modifications to programs ZPanel does not maintain, and the clients on the server could install Php info and Php sys info in their hosting space anyway. Webmail and PhpMyAdmin were purposely designed so anyone could access them without logging into ZPanel, for ease of use.

ghost commented 10 years ago

Hi,

Jacob, I never got access to the old bug tracker :-( anyway. For phpinfo, ok. BUT phpsysinfo has wide permissions and you will never get it working if you install it on jailed hosting, as it will require /proc/ access at least to gather server information. So there is a little info leak issue here.

In my setup both modules are DISABLED and deleted. And if we are unable to set up security correctly for a module, it should be disabled or removed from core.

This is what I expect from a security reboot and rethinking in zpanel.

silviuchingaru commented 10 years ago

The simplest way to solve this, as far as I see it, is to load every lib in zPanel, like phpMyAdmin or phpsysinfo, through a loader script like this: send a request to the loader for phpMyAdmin, for example -> the loader checks the current user's access and, if granted -> requires index.php of the lib. 'Allow anonymous access' should be included as a permission for libs that admins want to offer public access to, like webmail. Module libs should never be directly accessible via the httpd server as they are now.
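
A sketch of the gateway loader described in this comment, written as an added example and not ZPanel's own code: the app names, the `private_apps` directory, the `$_SESSION['group']` key and the per-app policy table are all assumptions constructed for the illustration.

```php
<?php
// Added example of a gateway loader: every bundled app is reached only through
// this script, which enforces ZPanel's access policy before handing control to
// the app's index.php. Not ZPanel code; names and paths below are assumptions.

declare(strict_types=1);
session_start();

// Per-app access policy (constructed). 'groups' lists the user groups allowed in;
// 'anonymous' is the "Allow anonymous access" flag for public apps such as webmail.
// A disabled app has no entry here and is therefore never served at all.
const APP_POLICY = [
    'phpmyadmin' => ['dir' => 'phpmyadmin', 'groups' => ['admin', 'reseller', 'user'], 'anonymous' => false],
    'phpsysinfo' => ['dir' => 'phpsysinfo', 'groups' => ['admin'],                     'anonymous' => false],
    'webmail'    => ['dir' => 'roundcube',  'groups' => ['admin', 'reseller', 'user'], 'anonymous' => true],
];

// The apps live outside the web root (assumption), so the loader is the only
// way to reach them; direct httpd access to their files is no longer possible.
const APP_BASE = __DIR__ . '/../private_apps';

/** Decide whether a user in $group (null = not logged in) may open $app. */
function isAllowed(string $app, ?string $group): bool
{
    $policy = APP_POLICY[$app] ?? null;
    if ($policy === null) {
        return false;                      // unknown or disabled app
    }
    if ($group === null) {
        return $policy['anonymous'];       // anonymous: only explicitly public apps
    }
    return in_array($group, $policy['groups'], true);
}

$app   = $_GET['app'] ?? '';
$group = $_SESSION['group'] ?? null;       // set at ZPanel login (assumed key)

// Validate the app name itself before it is used anywhere near a path.
if (!preg_match('/^[a-z0-9_]+$/', $app) || !isAllowed($app, $group)) {
    http_response_code(403);
    exit('Access denied');
}

// Hand off only after the check passed. The directory comes from the policy
// table, never from user input, so there is no path traversal surface here.
$appDir = APP_BASE . '/' . APP_POLICY[$app]['dir'];
chdir($appDir);                            // apps often use relative includes
require $appDir . '/index.php';
```

With this layout, removing an app from `APP_POLICY` is enough to make it unreachable, which addresses the "disabled but still accessible" case in the original report.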

ghost commented 10 years ago

For apps: we have 4 apps, and the problem is not phpmyadmin or roundcube, which don't have a data leak here. But phpinfo can be totally merged into the module, so why an app?

Phpsysinfo could be replaced with a module that shows cpu/ram info; why all the whistles and fancy realtime monitoring? Do we really need them?

What zpanel really needs is the correct tight security setup. This is my point.