If you disable apps in modules ADMIN doesn't prevent direct access #200
This was in the old bug tracker but was decided not to be fixed, as it would require lots of modifications to programs ZPanel does not maintain, and the clients on the server could install phpinfo and phpsysinfo in their hosting space anyway. Webmail and phpMyAdmin were purposely designed so anyone could access them without logging into ZPanel, for ease of use.
Hi Jacob, I never got access to the old bug tracker :-( anyway. For phpinfo, OK. BUT phpsysinfo has wide permissions, and you will never get it working if you install it on jailed hosting, as it will require /proc/ access at least to gather server information. So there is a little info-leak issue here. In my setup both modules are DISABLED and deleted. And if we are unable to set up security correctly for a module, it should be disabled or removed from core. This is what I expect from a security reboot and rethinking in ZPanel.
The simplest way to solve this, as far as I see it, is to load every lib in ZPanel, like phpMyAdmin or phpsysinfo, through a loader script like this:
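One shape such a loader could take, as an added illustration that is not code from this issue or from ZPanel: a single entry point that refuses any app not on an explicit enable list, requires a panel session, and checks a role before handing over to the bundled app. The `zpanel_user` session key, the `$enabledApps` list, the `?app=` parameter and the `apps/` directory layout are all assumptions made for this example.

```php
<?php
// Added illustration, not ZPanel code. Gate access to a bundled app
// (phpMyAdmin, Roundcube, phpsysinfo, ...) on the panel's own login
// session and on an explicit per-app enable flag, so that a disabled
// app is simply unreachable by URL. Session layout, app list and
// directory layout are assumed for this example.
session_start();

// Assumed: which bundled apps are switched on, and which roles may use them.
$enabledApps = [
    'phpmyadmin' => ['roles' => ['admin', 'user']],
    'roundcube'  => ['roles' => ['admin', 'user']],
    'phpsysinfo' => ['roles' => ['admin']],   // needs /proc access: admin only
    // 'phpinfo' deliberately absent: a disabled app has no entry here
];

$app = $_GET['app'] ?? '';

// Exact match against the enable list: never build a path from raw input.
if (!array_key_exists($app, $enabledApps)) {
    http_response_code(404);
    exit('Unknown or disabled app');
}

// Require a panel login first (assumed session key).
if (empty($_SESSION['zpanel_user'])) {
    http_response_code(403);
    exit('Log in to the panel first');
}

// Then require a role that the app allows (assumed session field).
$role = $_SESSION['zpanel_user']['role'] ?? 'user';
if (!in_array($role, $enabledApps[$app]['roles'], true)) {
    http_response_code(403);
    exit('Not permitted');
}

// Only now hand over to the app. The apps/ directory itself must live
// outside the web root (or be denied by the web server), otherwise the
// loader can be bypassed by requesting the app's files directly.
$appRoot = dirname(__DIR__) . '/apps/' . $app;
chdir($appRoot);
require $appRoot . '/index.php';
```

The two conditions the thread raises are both covered: an app that is disabled is absent from `$enabledApps` and returns 404 regardless of who asks, and an app restricted to admin is refused to a logged-in ordinary user rather than merely hidden from the menu.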
For apps: we have 4 apps, and the problem is not phpMyAdmin or Roundcube, which don't have a data leak here. But phpinfo can be totally merged into the module, so why an app? phpsysinfo could be replaced with a module that shows CPU/RAM info; why all the whistles and fancy realtime monitoring? Do we really need them? What ZPanel really needs is the correct tight security setup. This is my point.
Hi,
Try to disable the phpinfo module, or any of the apps that ship with ZPanel. Even though they now require the user to be logged in, they will remain.
You can restrict phpsysinfo to admin only, BUT any user will be able to access it.
Even if you totally remove it from user access, it's still there. The same goes for phpinfo, webmail, and phpMyAdmin.
M B