
hosting's People

Contributors

danwin, deam0, jtesta, noahvdaa, nyxnor, weblate, yessure


hosting's Issues

Message not sent

Hi, I have installed a fresh Debian 10 with the hosting system and want to try the mail system.
I sent a message to myself but:

Message not sent.
Requested action not taken: mailbox name not allowed
Server replied: 553 5.7.1 vffovj4g24bjyixynr4o6pjggg2mn225@yzombq2l4b6mnyw2icm23faq34nv2fjjfpm44v6thg43gsiefc3qfwid.onion: Sender address rejected: not owned by user vffovj4g24bjyixynr4o6pjggg2mn225@yzombq2l4b6mnyw2icm23faq34nv2fjjfpm44v6thg43gsiefc3qfwid.onion

You can try this here: yzombq2l4b6mnyw2icm23faq34nv2fjjfpm44v6thg43gsiefc3qfwid.onion

Set safe file permissions in setup.php

If cron.php and find_old.php are executed by systemd cron jobs with root privileges, we should ensure in setup.php that only the root user can EDIT these two files; otherwise they would be an EoP (escalation of privileges) attack vector.

We should chmod/chown them and check that this worked.
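One way to do what the issue asks, as an added example that is not the project's own setup.php: lock the two root-run scripts down to root:root with no group/other write bit, then verify with stat() instead of trusting the return values, and also refuse a parent directory that non-root users can write to (a writable directory lets them replace the file outright). The paths are the ones named in the issue; the mode 0644 is a choice, and the snippet must run as root.

```php
<?php
// Added example, not the project's setup.php: lock down the two scripts that a
// root cron job executes and verify the result, so setup fails loudly if the
// chown/chmod did not take. Must run as root. Paths come from the issue above.

function lock_down_root_scripts(array $paths): array
{
    $problems = [];
    foreach ($paths as $path) {
        $real = realpath($path);             // refuse to act through a symlink
        if ($real === false || !is_file($real)) {
            $problems[$path] = 'missing or not a regular file';
            continue;
        }
        // root:root, mode 0644: readable, but only root may edit.
        if (!chown($real, 'root') || !chgrp($real, 'root') || !chmod($real, 0644)) {
            $problems[$path] = 'chown/chgrp/chmod failed (are we root?)';
            continue;
        }
        clearstatcache(true, $real);
        $st = stat($real);
        if ($st === false) {
            $problems[$path] = 'stat failed after chmod';
            continue;
        }
        // Verify rather than trust: owner must be root, no group/other write bit.
        if ($st['uid'] !== 0 || ($st['mode'] & 0022) !== 0) {
            $problems[$path] = sprintf('still editable by non-root: uid=%d mode=%04o',
                $st['uid'], $st['mode'] & 07777);
            continue;
        }
        // A parent directory writable by non-root lets them rename a new file over ours.
        $dir = stat(dirname($real));
        if ($dir === false || $dir['uid'] !== 0 || ($dir['mode'] & 0022) !== 0) {
            $problems[$path] = 'parent directory is writable by non-root';
        }
    }
    return $problems;
}

$problems = lock_down_root_scripts(['/var/www/cron.php', '/var/www/find_old.php']);
foreach ($problems as $path => $why) {
    fwrite(STDERR, "$path: $why\n");
}
if ($problems !== []) {
    exit(1);   // abort setup rather than leave root-run scripts editable
}
```

If nothing but the cron job ever reads these scripts, 0600 is tighter than 0644; the verification condition (owner root, no 0022 bits) stays the same either way.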

Nginx wont start

I did whatever you said in readme.txt, so in the last step I rebooted the machine.
Now nginx is not running, and when I try to start it:

#> service nginx restart ; journalctl -xe

The output is:
-- Unit nginx.service has begun starting up.
Jun 07 15:09:59 static php[6022]: No Connection to MySQL database!
Jun 07 15:09:59 static php[6023]: No Connection to MySQL database!
Jun 07 15:09:59 static install[6025]: /usr/bin/install: cannot change owner and permissions of ‘/var/run/nginx’: No such file or directory
Jun 07 15:09:59 static systemd[1]: nginx.service: Control process exited, code=exited status=1
Jun 07 15:09:59 static systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support

-- Unit nginx.service has failed.

-- The result is failed.
Jun 07 15:09:59 static systemd[1]: nginx.service: Unit entered failed state.
Jun 07 15:09:59 static systemd[1]: nginx.service: Failed with result 'exit-code'.

Then I created the files myself:

#> mkdir -p /var/run/nginx/ ; touch /var/run/nginx/susspend

and now I have this error:

-- Unit nginx.service has begun starting up.
Jun 07 15:11:07 static php[6042]: No Connection to MySQL database!
Jun 07 15:11:07 static install[6044]: /usr/bin/install: cannot change owner and permissions of ‘/var/run/nginx’: Read-only file system
Jun 07 15:11:07 static systemd[1]: nginx.service: Control process exited, code=exited status=1
Jun 07 15:11:07 static systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support

-- Unit nginx.service has failed.

-- The result is failed.
Jun 07 15:11:07 static systemd[1]: nginx.service: Unit entered failed state.
Jun 07 15:11:07 static systemd[1]: nginx.service: Failed with result 'exit-code'.

What should I do?

What is wrong with this, even? ( "Jun 07 15:11:07 static php[6042]: No Connection to MySQL database!" ) ???

I'm waiting for your replies :)

issues

Hi, there are a lot of issues in the repositories; hm, I will try a new setup and post the install setup here.

Allow name change in FROM email header

Using mail(), the name is ignored and always overridden with a fixed address. It should be possible to keep the name and only override the sender address.
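One way to implement the request above, as an added example that is not the project's mail code: parse a caller-supplied From header, keep only its display name, and put the fixed sender address back in. The fixed address is an assumption. Because the name is re-emitted inside a header, CR/LF are excluded by the pattern so a user cannot smuggle extra headers through it, and non-ASCII names are RFC 2047 encoded.

```php
<?php
// Added example, not the project's mail code. Keeps the display name from a
// caller-supplied From header and replaces only the address. The fixed address
// is an assumption; the pattern rejects CR/LF so the name cannot inject headers.

function rewrite_from_header(string $from, string $forcedAddress): string
{
    $name = '';
    // Accept `Name <addr>`, `"Name" <addr>` or a bare address (no name).
    if (preg_match('/\A\s*"?([^"<>\r\n]*?)"?\s*<[^<>]*>\s*\z/', $from, $m)) {
        $name = trim($m[1]);
    }
    if ($name === '') {
        return $forcedAddress;
    }
    if (preg_match('/[^\x20-\x7e]/', $name)) {     // non-ASCII: encoded-word, unquoted
        return mb_encode_mimeheader($name, 'UTF-8') . " <$forcedAddress>";
    }
    return '"' . addcslashes($name, '"\\') . "\" <$forcedAddress>";
}

// Constructed examples; the sender address is an assumption.
$fixed = 'account@example.onion';
echo rewrite_from_header('Alice <alice@anywhere.test>', $fixed), "\n"; // "Alice" <account@example.onion>
echo rewrite_from_header('alice@anywhere.test', $fixed), "\n";         // account@example.onion
```

The returned value is what goes into the `From:` line passed to mail(); the address part is always the account's own, so the overriding behaviour the issue describes is preserved while the name survives.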

Hardening ideas for 3rd party applications

Suggestion by a user

Adminer: clear the session cookie when the user tries to connect elsewhere, i.e. when:

a. the user tried to use another user's DB (DB != 'userhavethisonion.onion')
b. server != 'localhost'
c. db.sqlite exists
d. db.mysql != 'localhost'
e. not logged in to the hosting panel (e.g. !isset($_SESSION['loggedin']))

possible SQL injection site

$db->exec("DROP USER '$account[2]'@'%';");

This SQL isn't using prepared statements with placeholders; unless the input variable is properly sanitized elsewhere in the codebase, this may represent an SQL injection opportunity.

Thanks
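The vulnerable line from the report beside a hardened form, as an added example that is not the project's code. It assumes $db is a PDO handle to MySQL and that the MySQL account name is onion-derived: 16 lowercase base32 characters, as the char(16) `onion` column in the setup.php issue further down this page suggests (56 for a v3 address). The pattern is an assumption; adjust it to what the schema really stores. A `?` placeholder cannot stand in for the account name in DROP USER, so the defence is an allow-list on the value, with PDO::quote() as a second layer.

```php
<?php
// Added example, not the project's code. Vulnerable pattern from the issue next
// to a hardened form. Assumes $db is a PDO handle to MySQL and that account
// names are onion-derived lowercase base32 (16 chars per the char(16) column on
// this page, 56 for v3); the pattern is an assumption to adjust to your schema.

function is_onion_account_name(string $name): bool
{
    return (bool) preg_match('/\A(?:[a-z2-7]{16}|[a-z2-7]{56})\z/', $name);
}

// Vulnerable: $account[2] is interpolated into the statement. A value such as
//   x'@'%'; <second statement> --
// closes the literal early; with multi-statement support enabled on the
// connection, whatever follows runs as well.
function drop_user_unsafe(PDO $db, array $account): void
{
    $db->exec("DROP USER '$account[2]'@'%';");
}

// Hardened: MySQL does not accept a ? placeholder in place of the account name
// of DROP USER, so validate the value strictly and quote it as a second layer.
function drop_user_safe(PDO $db, string $account): void
{
    if (!is_onion_account_name($account)) {
        throw new InvalidArgumentException('refusing to DROP USER for a non-onion account name');
    }
    $db->exec('DROP USER ' . $db->quote($account) . "@'%';");
}
```

The same allow-list should be applied at the point where the name is written into the database, so that a row an attacker managed to insert cannot reach the DROP USER statement at all.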

add const to common.php contact_me

constant contact_me // default contact email for the site
All links will later be redirected to a contact form; the contact form uses this constant.

Style the site with CSS

The site could look a lot better if we add some CSS or use a CSS framework, might be an option to consider.

setup.php - database issue tables in wrong order

Here is the modified setup.php correcting the issue with the tables failing to load due to them being in the wrong order.

Issue: when you run php /var/www/setup.php

it fails to create 3 tables in the MySQL database with an error.

I have put them in the correct order so that it now creates the database correctly.

Cut & paste this over the corresponding part in the original file or use the attached zip.
// create tables: tables without foreign keys first, then the three that
// reference users(onion), which fail if users does not exist yet
$db->exec('CREATE TABLE captcha (id int(11) NOT NULL AUTO_INCREMENT PRIMARY KEY, time int(11) NOT NULL, code char(5) COLLATE latin1_bin NOT NULL) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE settings (setting varchar(50) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL PRIMARY KEY, value text CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE users (onion char(16) COLLATE latin1_bin NOT NULL PRIMARY KEY, username varchar(50) COLLATE latin1_bin NOT NULL UNIQUE, password varchar(255) COLLATE latin1_bin NOT NULL, private_key varchar(1000) COLLATE latin1_bin NOT NULL, dateadded int(10) unsigned NOT NULL, public tinyint(3) unsigned NOT NULL, php tinyint(1) unsigned NOT NULL, autoindex tinyint(1) unsigned NOT NULL, KEY public (public), KEY dateadded (dateadded)) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
// the following three tables all carry FOREIGN KEY (onion) REFERENCES users (onion)
$db->exec('CREATE TABLE del_account (onion char(16) COLLATE latin1_bin NOT NULL PRIMARY KEY, CONSTRAINT del_account_ibfk_1 FOREIGN KEY (onion) REFERENCES users (onion) ON DELETE CASCADE ON UPDATE CASCADE) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE new_account (onion char(16) COLLATE latin1_bin NOT NULL PRIMARY KEY, password varchar(255) COLLATE latin1_bin NOT NULL, CONSTRAINT new_account_ibfk_1 FOREIGN KEY (onion) REFERENCES users (onion) ON DELETE CASCADE ON UPDATE CASCADE) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE pass_change (onion char(16) COLLATE latin1_bin NOT NULL PRIMARY KEY, password varchar(255) COLLATE latin1_bin NOT NULL, CONSTRAINT pass_change_ibfk_1 FOREIGN KEY (onion) REFERENCES users (onion) ON DELETE CASCADE ON UPDATE CASCADE) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$stmt=$db->prepare("INSERT INTO settings (setting, value) VALUES ('version', ?);");
$stmt->execute([DBVERSION]);
echo "Database has successfully been set up\n";
}
?>

setup.php.zip

Add yarn + nodejs error

Hi guys!
I am excited about being able to provide the onion service hosting service. I'm having difficulty adding the tutorial repository.

Any suggestion?

sudo apt-key adv --recv 1655A0AB68576280

Executing: /tmp/apt-key-gpghome.cE6SkNwKue/gpg.1.sh --recv 1655A0AB68576280
gpg: keyserver receive failed: General error

(The gpg message was in Portuguese: "Recebimento de informação do keyserver falhou: Erro geral".)

Many thanks from Brazil.

tor-instance-create: command not found.

Hi again, I have installed Debian 11 and am trying to set up the hosting system.
But when I try:

for instance in 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z; do(tor-instance-create $instance) done

then I get: tor-instance-create: command not found.

race condition

openssl_pkey_export_to_file($pkey, 'key.tmp');

Hello, this appears to be a race condition on a single file with a well-known name; multiple processes going through this section of code at once might stomp on each other. See mkstemp(3) for one correct way to make temporary files.

Thanks
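What the mkstemp(3) advice looks like from PHP, as an added example that is not the project's code: tempnam() creates a uniquely named file atomically with mode 0600, so concurrent requests no longer export into, or read, each other's key, and the file is removed in a finally block so the key material does not linger on a failure. The RSA key is generated here only so the snippet runs on its own; in the project the key comes from elsewhere.

```php
<?php
// Added example, not the project's code. Replaces the fixed 'key.tmp' path from
// the issue with a per-process temporary file: tempnam() creates it atomically
// with a unique name and mode 0600. The key generation is only here so the
// snippet runs stand-alone.

function export_key_to_private_tempfile($pkey): string
{
    $dir = sys_get_temp_dir();
    $tmp = tempnam($dir, 'key');            // atomic create, unique name, 0600
    if ($tmp === false) {
        throw new RuntimeException("cannot create a temporary file in $dir");
    }
    if (!openssl_pkey_export_to_file($pkey, $tmp)) {
        unlink($tmp);
        throw new RuntimeException('key export failed: ' . openssl_error_string());
    }
    return $tmp;
}

$pkey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
if ($pkey === false) {
    throw new RuntimeException('key generation failed');
}
$path = export_key_to_private_tempfile($pkey);
try {
    // hand $path to whatever needs the key on disk, e.g. an external tool
    echo "private key written to $path\n";
} finally {
    unlink($path);                          // remove the key material even on error
}
```

If the PEM is only consumed inside PHP, openssl_pkey_export($pkey, $pem) to a string avoids the file, and therefore the race, entirely.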

Webhosting for free is not a good idea!

I know this is not an issue, but I really do not recommend you to host files on your server on the Tor network for others. Do it without revealing your identity if you really have to, and especially do not do it on your Raspberry Pi, and do not allow unlimited storage and no CPU limits. Also, your SQL database has no limits except theoretical ones. Never do that for free either. I am just warning you that you may get into serious trouble if someone uploads illegal material, and it probably will happen soon.

P.S.: also, using a LARGE number of onions is not the best idea; it may crash your Tor client. You should rather use onion subdomains.

Composer + writable home directory

But it will be good if you enable and create a home directory for each user. This is because it is currently impossible to install Composer without configuring it to use a different dir. It is the same for other programs that require a home dir for saving their configuration. If /home/USER were enabled, it probably wouldn't have any security issues.

Also, maybe you could pre-install Composer, because it is used in many projects.

Code hardening ideas

I browsed the source code a little bit, and came up with some hardening ideas (note that I didn't do an exhaustive review... just notes on some things that stood out to me).
In /var/www/cron.php:

  • The password hash is leaked in the process listing to anyone doing a "ps" at the right moment, since the "-p" option is used with useradd and usermod. See lines 29 and 242.
  • Because the $system_account variable (line 24) is used to build a filesystem path in multiple places, it should first be filtered through the basename() call. This will prevent relative path attacks, which could cause a root compromise if an attacker has control of it.
  • $system_account should be validated through posix_getpwnam() before performing any actions on existing accounts.
  • Perhaps $system_account can also be checked against a short blacklist of disallowed account names, such as root, daemon, bin, etc. In some cases, it may make sense to resolve to a UID & GID and check that neither is under 1000.

I see possibilities where, if an attacker has access to insert unfiltered data into the database, cron.php can be used to elevate privileges to root.

Considering that you had a full system compromise, I'd spend a lot of time looking at the code executing with root privileges.
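The checks listed above, turned into code as an added example that is not the project's cron.php: the account name read from the database goes through basename(), a strict allow-list, a deny list of system accounts, posix_getpwnam() and a uid/gid >= 1000 test before anything is done with it, and the password hash is handed to `chpasswd -e` over a pipe instead of `useradd -p`, so it never appears in `ps`. The onion-derived name pattern, the deny list, the /home/<account> layout and the nologin shell are assumptions about this deployment; the array form of proc_open needs PHP 7.4 or later, and the script must run as root.

```php
<?php
// Added example, not the project's cron.php. Validates a system account name
// taken from the database as suggested in the issue above, and sets the password
// hash through chpasswd's stdin rather than `useradd -p`, so the hash never shows
// up in the process list. Name pattern (onion-derived lowercase base32), deny
// list, /home/<account> and the nologin shell are assumptions. PHP >= 7.4 with
// the posix extension; must run as root.

const DENIED_ACCOUNTS = ['root', 'daemon', 'bin', 'sys', 'www-data', 'mysql', 'tor', 'debian-tor'];

function validate_system_account(string $raw, bool $mustExist): string
{
    $name = basename($raw);                 // "../../etc" can never become a path component
    if ($name !== $raw || !preg_match('/\A[a-z2-7]{16,56}\z/', $name)) {
        throw new InvalidArgumentException("malformed account name: $raw");
    }
    if (in_array($name, DENIED_ACCOUNTS, true)) {
        throw new InvalidArgumentException("reserved account name: $name");
    }
    $pw = posix_getpwnam($name);
    if ($mustExist) {
        if ($pw === false) {
            throw new RuntimeException("no such account: $name");
        }
        if ($pw['uid'] < 1000 || $pw['gid'] < 1000) {   // never touch system accounts
            throw new RuntimeException("refusing to manage system account $name (uid {$pw['uid']})");
        }
    } elseif ($pw !== false) {
        throw new RuntimeException("account already exists: $name");
    }
    return $name;
}

// Feed "name:hash" to `chpasswd -e` over a pipe; nothing secret touches argv.
function set_password_hash(string $name, string $hash): void
{
    if (!preg_match('/\A\$[^:\s]+\z/', $hash)) {      // crypt(3) format, no ':' or whitespace
        throw new InvalidArgumentException('password must be a crypt(3) hash');
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/sbin/chpasswd', '-e'], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start chpasswd');
    }
    fwrite($pipes[0], "$name:$hash\n");
    fclose($pipes[0]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException("chpasswd failed: $err");
    }
}

// Cron-side usage: create the account without -p, then set the hash separately.
function provision_account(string $onion, string $hash): void
{
    $name = validate_system_account($onion, false);
    $cmd = sprintf('useradd -m -d %s -s /usr/sbin/nologin %s',
        escapeshellarg("/home/$name"), escapeshellarg($name));
    exec($cmd, $output, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("useradd failed with status $rc");
    }
    set_password_hash($name, $hash);
}
```

For the usermod path the call is validate_system_account($onion, true) followed by set_password_hash(); the uid/gid check then guarantees that a crafted database row cannot point the job at root or another system account. The hash must be in crypt(3) form, which is what chpasswd -e expects.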

Autodetect scams

Bot idea:

  • Run once a day
  • Scan only 3 files to detect

How:

  1. scan /(account holder)/www/index.php, /www/index.htm and /www/index.html
  2. scan for the words:
    ===
    for sale
    purchase via
    order form
    by bitcoin
    dollar
    ===
  3. If these words are found in the files, send an email() to your account with the account details, so you can take a look later.
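The daily scan described above as working code, an added example that is not the project's own: only the three index files per account are opened, each read is capped at 1 MiB so a huge index cannot exhaust the cron job, markup is stripped before matching, and the function returns the hits so the caller decides whether to mail() them. The /home/<account>/www layout is an assumption; the term list is the one from the issue, with word-boundary matching added to cut false positives.

```php
<?php
// Added example, not the project's code. Daily keyword scan from the issue
// above: three index files per account, bounded reads, hits returned to the
// caller (which can then mail() the operator). /home/<account>/www is an
// assumption; the term list is the issue's, word-boundary matching is added.

const SCAM_TERMS     = ['for sale', 'purchase via', 'order form', 'by bitcoin', 'dollar'];
const INDEX_FILES    = ['index.php', 'index.htm', 'index.html'];
const MAX_SCAN_BYTES = 1 << 20;             // never read more than 1 MiB per file

function find_scam_terms(string $text): array
{
    $text = strip_tags($text);              // match visible text, not markup
    $hits = [];
    foreach (SCAM_TERMS as $term) {
        // Case-insensitive, anchored at a word boundary: "dollars" matches, "bydollar" does not.
        if (preg_match('/\b' . preg_quote($term, '/') . '/i', $text)) {
            $hits[] = $term;
        }
    }
    return $hits;
}

function scan_account_dir(string $wwwDir): array
{
    $report = [];
    foreach (INDEX_FILES as $file) {
        $path = "$wwwDir/$file";
        if (!is_file($path)) {
            continue;
        }
        $text = file_get_contents($path, false, null, 0, MAX_SCAN_BYTES);
        if ($text === false) {
            continue;
        }
        $hits = find_scam_terms($text);
        if ($hits !== []) {
            $report[$file] = $hits;
        }
    }
    return $report;
}

// Daily cron entry point: account => [file => matched terms] for accounts with hits.
function scan_all_accounts(string $homeRoot = '/home'): array
{
    $flagged = [];
    foreach (glob("$homeRoot/*", GLOB_ONLYDIR) ?: [] as $dir) {
        $report = scan_account_dir("$dir/www");
        if ($report !== []) {
            $flagged[basename($dir)] = $report;
        }
    }
    return $flagged;
}

// Constructed sample page, not real hosted content:
$sample = '<h1>Wallets for sale!</h1><p>Pay 50 dollars via <b>Bitcoin</b>.</p>';
print_r(find_scam_terms($sample));          // for sale, dollar
```

Because the result is a plain array, the cron job can format it into the notification mail the issue asks for, or log it, without the scanner needing mail configuration of its own.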

Tutorial

Do you create video tutorials?
