Zpanel security risk (maybe) can execute daemon.php via Web Browser
Just sharing this from http://forums.zpanelcp.com/thread-9884.html.
xekhz said:
daemon.php - /etc/zpanel/panel/bin/
I can execute daemon.php located in /etc/zpanel/panel/bin/daemon.php via web browser:
http://IPADDRESS/bin/daemon.php
It discloses a bunch of information. Shouldn't there be an .htaccess not permitting file access in the /etc/zpanel/panel/bin/ directory?
thanks
ballen said:
RE: daemon.php - /etc/zpanel/panel/bin/
Yes, absolutely... not quite sure how this got through, but I'll get this added to the .htaccess file!
Just for others reading this thread: the information that this discloses is the output of what you see when you run the daemon manually (duh lol), so although it does disclose local server paths to hosting directories, hosted domain names and log file locations, this doesn't disclose 'personal information' as such. So although this will be fixed ASAP, I do not deem this a 'security risk' as such.
Cheers, Bobby
TumTum said:
RE: daemon.php - /etc/zpanel/panel/bin/
For people:
Add: RewriteRule ^bin/daemon.php$ - [F,L] in /etc/zpanel/panel/.htaccess
With this rule, the daemon is blocked in your web browser. So run it over SSH: php -q /etc/zpanel/panel/bin/daemon.php
This works too for the full bin directory + file: RewriteRule ^(bin/) - [F,L,NC]
Or send the abuser to a funny website: Redirect 301 /bin/daemon.php http://frankly.pitas.com/
But you will fix issues like this in the next release? Because for other users it may be a security risk.
ballen said:
Absolutely, this will be blocked in the next release (goes without saying).
Cheers, Bobby
Bobby Allen, ZPanel Head Developer & Project Leader
---- this is the fix I used --------
MathDerVakker said:
My solution: If you want to block all direct access to the daemon but still want the daemon to work in ZPanel itself, just put this .htaccess file in the 'bin' directory (on CentOS: /etc/zpanel/panel/bin):
# Apache 2.2 access-control syntax (mod_authz_host). On Apache 2.4 use
# "Require local" instead, or load mod_access_compat.
# The rules are deliberately not wrapped in <Limit GET>: a method-limited
# block would leave POST (and other methods) unrestricted.
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
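To verify that either fix from this thread (the RewriteRule or the deny-all .htaccess) actually took effect, the following check script probes the daemon URL from an outside host. It is an added example, not code from the ZPanel forum thread or the ZPanel project; it assumes curl is installed and that the panel answers on plain HTTP at the hostname given as the first argument. It tries GET, HEAD and POST separately, because an .htaccess rule wrapped in <Limit GET> still lets POST through, and it reports "exposed" for any method that still returns 200.

```shell
#!/bin/sh
# Added check script (not from the ZPanel thread or project): confirm that
# /bin/daemon.php is no longer reachable from outside after the .htaccess fix.
# Assumptions: curl is available; the panel is served over plain HTTP on the
# host passed as $1 (e.g. panel.example.com, a placeholder).

# Map an HTTP status code to a verdict. 401/403/404 mean the block is in
# place, 200 means the daemon output is still being served, 000 is curl's
# code for "no connection".
verdict() {
    case "$1" in
        200) echo "exposed" ;;
        401|403|404) echo "blocked" ;;
        000) echo "unreachable" ;;
        *) echo "other($1)" ;;
    esac
}

# Return only the HTTP status code for one method against one URL.
# HEAD uses -I so curl does not wait for a body that never arrives.
status_for() {
    method="$1"
    url="$2"
    if [ "$method" = HEAD ]; then
        curl -s -o /dev/null -w '%{http_code}' -I --max-time 10 "$url"
    else
        curl -s -o /dev/null -w '%{http_code}' -X "$method" --max-time 10 "$url"
    fi
}

# Probe every method; exit non-zero if any of them still returns 200.
# A <Limit GET> block in .htaccess covers GET/HEAD only, so POST is the
# case most likely to slip through an incomplete fix.
check_daemon_exposure() {
    host="$1"
    url="http://$host/bin/daemon.php"
    rc=0
    for method in GET HEAD POST; do
        code=$(status_for "$method" "$url")
        result=$(verdict "$code")
        printf '%-4s %s -> %s (%s)\n' "$method" "$url" "$code" "$result"
        if [ "$result" = "exposed" ]; then
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_daemon.sh panel.example.com
if [ -n "${1:-}" ]; then
    check_daemon_exposure "$1"
fi
```

Run it from a machine other than the panel itself: the deny-all rule allows 127.0.0.1, so a check from localhost would report "exposed" even when the fix is working correctly for everyone else.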