
Feathur Launch (VPS Control Panel => 0.6.0.1 => Free For Private Use)

Francisco

Company Lube
Verified Provider
Not tryi...well yes I am trying to be a dick.
Going deep for sure >_>

Honestly, for what it's worth, Solus does the exact same shit *all* over their code. Anyone who has had a chance should get a decompiled copy of the *create* pages in Solus. It's the EXACT same thing. They have 8+ depth if statements to push errors/template data to the end user.

Francisco
 

bfj

New Member
Honestly, for what it's worth, Solus does the exact same shit *all* over their code. Anyone who has had a chance should get a decompiled copy of the *create* pages in Solus. It's the EXACT same thing. They have 8+ depth if statements to push errors/template data to the end user.
Right, so why do we providers want another SolusVM security cluster fuck? This just goes to prove my point(s) even further. 
 

perennate

New Member
Verified Provider
Right, so why do we providers want another SolusVM security cluster fuck? This just goes to prove my point(s) even further. 
Well, at least the source isn't encoded, so if there's a feature you want to add or a security issue you want to fix you could code it without relying on "Feathur LLC" (although modifying it may very well violate the license, because of the way it is written).

Fake edit: they're taking suggested changes to their license so if there's any lawyers on here you could check their license and let us/them know.
 

acd

New Member
Out of curiosity, how does the license change if paying 3.5 USD per server per month?  What exactly is being sold if said software is offered ....

9. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
edit: Changes to unlicensed feathur don't appear to be explicitly prohibited, so long as the license checking system is not modified--though if the license system does checksumming or similar, you may be SOL. If anyone gave you crap about fixing bugs or making changes in a licensed copy not for redistribution, that would be sad, but possible.
 

perennate

New Member
Verified Provider
Out of curiosity, how does the license change if paying 3.5 USD per server per month?  What exactly is being sold if said software is offered ....

edit: Changes to unlicensed feathur don't appear to be explicitly prohibited, so long as the license checking system is not modified--though if the license system does checksumming or similar, you may be SOL. If anyone gave you crap about fixing bugs or making changes in a licensed copy not for redistribution, that would be sad, but possible.
There is no license checking system built into the software. There is an external one on their website.
 

drmike

100% Tier-1 Gogent
bfj states: "@BlueVM, Just one suggestion ... hire a real coder, because anyone with a year of PHP knows NOT to use globals inside of classes. And any 2nd year coder knows NOT to use 50 nested if's. And any 3rd year coder knows TO follow some form of coding guidelines for consistency. And any Database coder knows NOT to alter tables dynamically in code."
So, I don't pretend to know a thing about PHP :)

About this global inside of a class...  How else would one call a database connection inside such a class?

School me please.  Lots of folks will benefit from knowledge / example.
 

drmike

100% Tier-1 Gogent
Has anyone looked specifically for security concerns?  Fran?

@BlueVM, can you comment on the vld "audit" and what was covered and if you are a customer of his company?  I don't want to seem too gung ho just because of name association.
 

Francisco

Company Lube
Verified Provider
Well, if you use a proper MVC then the database would be a library/class that would be extended into the core controller and then can be called at any point.

A lot of the exploits in WHMCS are because they use global variables and force register_globals on. What register_globals does is you could set a variable in the URL and it'd set a variable of the same name in your code, allowing you to inject things like a beast.

Justin wasn't kidding when he said there was 30k+ lines of code. I've not had a chance to audit very much of it but it would have been nice if he had used a more advanced MVC.

Most of the bigger MVC's have validation classes and things like that to make it so the 19 depth if statements don't happen. You feed it a few function calls and it's game.

I think the biggest issue I've seen so far is that they do raw SQL queries in the code. Now, they're using PDO's bindings which means SQL injects are pretty much not going to happen, but because they aren't pushing things into a Model, a column name change means they have to update every file that calls said column, instead of just that single file and a couple templates.

Francisco
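To put drmike's question and Francisco's answer side by side in code: the pattern below is an added example, not Feathur's code, and the table, column and class names are assumptions. The database connection is created once at the edge of the application and handed to the model and controller through their constructors, so no class ever reaches for `global $db`, and the only file that knows the `users` table layout is the model (which is also why a column rename touches one file). It uses PHP 8 syntax and an in-memory SQLite database so it runs offline.

```php
<?php
// Added example (not Feathur's code): a PDO connection passed into classes by
// constructor injection instead of `global $db`. Names are assumptions.
declare(strict_types=1);

final class Database
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real prepared statements where the driver supports them
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    public function pdo(): PDO
    {
        return $this->pdo;
    }
}

// Model: the one place that knows the users table. Raw SQL lives here only.
final class UserModel
{
    public function __construct(private Database $db) {}

    public function findByEmail(string $email): ?array
    {
        $stmt = $this->db->pdo()->prepare('SELECT id, email FROM users WHERE email = :email');
        $stmt->execute([':email' => $email]);   // bound parameter, never string-concatenated
        $row = $stmt->fetch();
        return $row === false ? null : $row;
    }
}

// Controller: receives what it needs; touches neither globals nor SQL.
final class ForgotController
{
    public function __construct(private UserModel $users) {}

    public function handle(array $post): string
    {
        $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            return 'Invalid email address.';
        }
        $user = $this->users->findByEmail($email);
        // A real handler would queue the reset mail when $user !== null.
        return 'If that address is on file, a reset link has been sent.';
    }
}

// Wiring happens once, at the entry point (think index.php). SQLite in memory keeps this self-contained.
$db = new Database('sqlite::memory:');
$db->pdo()->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)');
$db->pdo()->exec("INSERT INTO users (email) VALUES ('alice@example.com')");   // constructed sample row

$controller = new ForgotController(new UserModel($db));
echo $controller->handle(['email' => 'alice@example.com']), "\n";
echo $controller->handle(['email' => 'not-an-address']), "\n";
```

The contrast with register_globals is the point: nothing in these classes can be overwritten from the query string, because the only inputs are the constructor arguments and the explicit `$post` array.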
 

perennate

New Member
Verified Provider
Justin wasn't kidding when he said there was 30k+ lines of code. I've not had a chance to audit very much of it but it would have been nice if he had used a more advanced MVC.
Feathur has ~4000 lines of actual back-end code. The rest are libraries and templates and such.

Also pretty sure that there's a theoretical vulnerability in the forgot password implementation -- it uses random_string, which utilizes mt_rand, which does not generate cryptographically secure random numbers. Then, an attacker probably would be able to find the state after generating enough forgot password strings (each one is 120 characters, I think you need about 2000 consecutive iterations to guess the state, so you'd have to forget your password 17 or so times). Then after finding the state attacker could just enter a victim's email address. Of course it'd be very hard to pull it off, but still should use cryptographically secure random numbers.

But overall it looks pretty well coded. Sure, there's some areas that need improvement (like nested if statements), but it's not a giant mess.
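The fix perennate is asking for, as an added example that is not Feathur's code (table layout and lengths are assumptions): reset tokens drawn from the OS CSPRNG via `random_bytes()` (PHP 7+) rather than `mt_rand()`, stored only as a hash, given an expiry, and consumed on first use. The weak generator is kept alongside so the two are directly comparable.

```php
<?php
// Added example (not Feathur's code): CSPRNG-backed password-reset tokens.
// Table name/columns are assumptions for illustration.
declare(strict_types=1);

const TOKEN_BYTES = 32;     // 256 bits of entropy; mt_rand yields at most 31 bits per call
const TOKEN_TTL   = 3600;   // tokens expire after one hour

// Weak pattern: a Mersenne Twister output mapped onto a character set.
// Long output does not help; the generator's state is recoverable from its outputs.
function weak_token(int $len = 120): string
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $chars[mt_rand(0, strlen($chars) - 1)];
    }
    return $out;
}

// Strong pattern: random_bytes() reads from the operating system's CSPRNG.
function strong_token(): string
{
    return bin2hex(random_bytes(TOKEN_BYTES));   // 64 hex characters
}

function issue_reset(PDO $pdo, int $userId): string
{
    $token = strong_token();
    // Store only a hash, so a read-only leak of this table yields no usable tokens.
    $stmt = $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (:u, :h, :e)');
    $stmt->execute([':u' => $userId, ':h' => hash('sha256', $token), ':e' => time() + TOKEN_TTL]);
    return $token;   // the raw token goes into the e-mailed link and nowhere else
}

// Returns the user id the token belongs to, or null if unknown, expired or already used.
function redeem_reset(PDO $pdo, string $token): ?int
{
    $hash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = :h');
    $stmt->execute([':h' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Single use: delete before the caller changes the password.
    $pdo->prepare('DELETE FROM password_resets WHERE token_hash = :h')->execute([':h' => $hash]);
    return (int) $row['user_id'];
}

// Offline demo with SQLite in memory.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE password_resets (user_id INTEGER NOT NULL, token_hash TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)');

$token = issue_reset($pdo, 42);   // 42 is a constructed user id
var_dump(redeem_reset($pdo, $token));   // first redemption
var_dump(redeem_reset($pdo, $token));   // second attempt: token already consumed
var_dump(redeem_reset($pdo, weak_token()));   // a token nobody issued
```

Hashing the stored token also means the lookup itself is the comparison: the database matches on the SHA-256 digest, so no string comparison against the raw token ever happens in PHP.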
 

perennate

New Member
Verified Provider
Also exec statements could be done better; if you can't find a library that handles argument escaping, then implement something that does the escaping automatically from arguments instead of using escapeshellarg every time. Probably you could just pass in an array of separate arguments (including target to execute) and then have each element escapeshellarg'd.
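What perennate describes, as an added example (not Feathur's code): one wrapper that takes the program and its arguments as an array, allowlists the program name, and runs every element through `escapeshellarg()` in a single place. The allowlisted command names are assumptions; `printf` is in the list only so the demo runs anywhere.

```php
<?php
// Added example (not Feathur's code): central argument escaping for exec().
// The allowlist entries are assumptions for illustration.
declare(strict_types=1);

const ALLOWED_COMMANDS = ['vzctl', 'vzlist', 'printf'];

/**
 * Run $argv[0] with the remaining elements as separate arguments.
 * The program name must come from code (allowlist), never from user input;
 * every element is escaped once here, so callers never touch escapeshellarg.
 */
function run(array $argv, ?int &$exitCode = null): string
{
    if ($argv === [] || !is_string($argv[0]) || !in_array($argv[0], ALLOWED_COMMANDS, true)) {
        throw new InvalidArgumentException('command not allowed');
    }
    $parts = [];
    foreach ($argv as $arg) {
        if (!is_scalar($arg)) {
            throw new InvalidArgumentException('arguments must be scalars');
        }
        $parts[] = escapeshellarg((string) $arg);   // single-quoted, embedded quotes neutralised
    }
    $output = [];
    exec(implode(' ', $parts) . ' 2>&1', $output, $exitCode);
    return implode("\n", $output);
}

// A value that would break a hand-built command string stays a literal argument.
$untrusted = 'vm1 && echo INJECTED';   // constructed input
echo run(['printf', '%s\n', $untrusted], $code), "exit=$code\n";

// Attempting to drive the program name from input is refused outright.
try {
    run([$untrusted]);
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

If the project can depend on `proc_open()` with an array command (PHP 7.4+) the shell is skipped altogether and no escaping is needed; the wrapper above is the portable fallback perennate suggests.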
 

ultimatehostings

New Member
Verified Provider
Congrats, so should the paid license cover any number of slaves? I was impressed with the combo feature, simply out of the box thinking. 
 

perennate

New Member
Verified Provider
Congrats, so should the paid license cover any number of slaves? I was impressed with the combo feature, simply out of the box thinking. 
It's only $3.50/mo per node if I understand correctly. I believe the master node is free and each slave is counted.
 

BlueVM

New Member
Verified Provider
Feathur has ~4000 lines of actual back-end code. The rest are libraries and templates and such.

Also pretty sure that there's a theoretical vulnerability in the forgot password implementation -- it uses random_string, which utilizes mt_rand, which does not generate cryptographically secure random numbers. Then, an attacker probably would be able to find the state after generating enough forgot password strings (each one is 120 characters, I think you need about 2000 consecutive iterations to guess the state, so you'd have to forget your password 17 or so times). Then after finding the state attacker could just enter a victim's email address. Of course it'd be very hard to pull it off, but still should use cryptographically secure random numbers.

But overall it looks pretty well coded. Sure, there's some areas that need improvement (like nested if statements), but it's not a giant mess.
I'll look into this. Rather correct the issue in advance than run into it down the road.

Also exec statements could be done better; if you can't find a library that handles argument escaping, then implement something that does the escaping automatically from arguments instead of using escapeshellarg every time. Probably you could just pass in an array of separate arguments (including target to execute) and then have each element escapeshellarg'd.
They probably could be done better. As a matter of fact you have a point. I'll consider coming up with a better method and perhaps do something similar to the template engine and escape all the variables passed to it.

It's only $3.50/mo per node if I understand correctly. I believe the master node is free and each slave is counted.
That is correct. If you intend on using it for personal use it's free under the assumption you'll have 5 slaves or less.

Has anyone looked specifically for security concerns?  Fran?

@BlueVM, can you comment on the vld "audit" and what was covered and if you are a customer of his company?  I don't want to seem too gung ho just because of name association.
Vlad did a full line by line code audit (and he audits our github as we make patches).
 

telephone

New Member
Looked over the code for about 5 min and found a nice little exploit. While it doesn't compromise the system, it does cost the admin $$$, and could cause annoyed users.

--------------------------------------------------

A "forgot password" function without limitations... What's the worst that could happen  :lol:

1) System confirms whether email address is associated with an account

      - In short, I can find who's a user (Important in the next step)

2) No rate limiting

      - I can check email dumps to see who's a user

         - I could also check dumps for an old/current password, e.g. WHMCS dumps.

3) Connected directly to SendGrid API, without a 'cool down' period

4) No database check

      - Mwahaha!!! x 100!

5) You have CSRF fields, but do not use them...

6) Putting all of the above together, I can email bomb your users with unlimited "forgot password" emails

I went easy and only sent you 500 or so emails  B). But I could have run you up hundreds of dollars on SendGrid... Others might not be as nice.

Without further ado, it's time for me to be an ass and reveal a means to exploit :


Paste in CLI:

for ((n=0;n<500;n++)); do curl -d "[email protected]" "https://feathur.bluevm.com/forgot.php?action=forgot" > /dev/null 2>&1 ; done
 
:popcorn: :popcorn:  :popcorn:

--------------------------------------------------

How to fix:

1) Disable your "forgot password" function before you or your users get email bombed!

2) Displaying whether email exists is trivial. Majority of developers still don't consider it an exploit (as it just shows said email account is a user), but when it's for a mission critical app such as a control panel, I feel that information shouldn't be displayed... Especially for admin accounts.

3) Create a new column in the users DB that marks whether "forgot password" is active. Rate limit this feature to once per 24 hours, per account.

4) Limit "forgot password" attempts to X attempts per IP, and further limit it to one successful "forgot password" attempt per IP.
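Points 2 through 4 of telephone's fix list, plus the unused CSRF field from point 5, as one added handler (not Feathur's code; the table layout, the limits and the IP are assumptions). It verifies the CSRF token, counts attempts per IP in a sliding window, allows one reset mail per account per 24 hours, and returns the same sentence whether or not the address exists, so the response no longer confirms who is a user. The mailer is a callable so the demo can count sends instead of calling SendGrid.

```php
<?php
// Added example (not Feathur's code): forgot-password handler with CSRF check,
// per-IP rate limit, per-account cooldown and a non-enumerating response.
// Table names, limits and sample values are assumptions.
declare(strict_types=1);

const IP_LIMIT         = 5;       // attempts per IP per window
const IP_WINDOW        = 600;     // window length in seconds (10 minutes)
const ACCOUNT_COOLDOWN = 86400;   // one reset mail per account per 24 hours

function csrf_ok(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);   // constant-time compare
}

function ip_attempts(PDO $pdo, string $ip): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM reset_attempts WHERE ip = :ip AND at > :since');
    $stmt->execute([':ip' => $ip, ':since' => time() - IP_WINDOW]);
    return (int) $stmt->fetchColumn();
}

function forgot(PDO $pdo, array $session, array $post, string $ip, callable $sendMail): string
{
    $generic = 'If that address is registered, a reset link has been sent.';
    if (!csrf_ok($session, $post)) {
        return 'Invalid request.';
    }
    // Record the attempt before anything else so failed and refused requests count too.
    $pdo->prepare('INSERT INTO reset_attempts (ip, at) VALUES (:ip, :at)')
        ->execute([':ip' => $ip, ':at' => time()]);
    if (ip_attempts($pdo, $ip) > IP_LIMIT) {
        return 'Too many requests; try again later.';
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return $generic;   // same wording as for an unknown address
    }
    $stmt = $pdo->prepare('SELECT id, last_reset_at FROM users WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user !== false && (int) $user['last_reset_at'] + ACCOUNT_COOLDOWN < time()) {
        $pdo->prepare('UPDATE users SET last_reset_at = :t WHERE id = :id')
            ->execute([':t' => time(), ':id' => (int) $user['id']]);
        $sendMail($email);   // the only path that touches the mail API
    }
    return $generic;   // unknown address, cooled-down account and success all look alike
}

// Offline demo: SQLite in memory and a fake mailer that only counts.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE, last_reset_at INTEGER NOT NULL DEFAULT 0)');
$pdo->exec('CREATE TABLE reset_attempts (ip TEXT NOT NULL, at INTEGER NOT NULL)');
$pdo->exec("INSERT INTO users (email) VALUES ('alice@example.com')");   // constructed user

$sent = 0;
$mailer = function (string $to) use (&$sent): void { $sent++; };
$session = ['csrf' => bin2hex(random_bytes(16))];
$ip = '203.0.113.7';   // documentation address, constructed

// A burst of requests from one address against one account.
for ($i = 0; $i < 500; $i++) {
    forgot($pdo, $session, ['csrf' => $session['csrf'], 'email' => 'alice@example.com'], $ip, $mailer);
}
echo "mails sent after 500 requests: $sent\n";

// A request without the CSRF token is rejected before anything is counted or sent.
echo forgot($pdo, $session, ['email' => 'alice@example.com'], $ip, $mailer), "\n";
```

Two design notes: the attempt is logged before the limit check so that refused requests still consume the window, and the success and failure paths return the same string so a client cannot tell which accounts exist from the response.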
 

BlueVM

New Member
Verified Provider
@telephone - Pushed an update which prevents large numbers of requests. It currently limits forgot password and login requests to three per ten minutes.

Thanks for the feedback :)
 

Kruno

New Member
Verified Provider
Congratulations on pushing this to the public. Honestly, I thought this would be yet another failed project as the other 10s there were announced at one point. 

Was this your first serious PHP project?
 

BlueVM

New Member
Verified Provider
@Kruno - No I've developed a few other large projects (mostly behind closed doors).
 

HalfEatenPie

The Irrational One
Retired Staff
Congratulations on pushing this to the public. Honestly, I thought this would be yet another failed project as the other 10s there were announced at one point. 

Was this your first serious PHP project?
And now here comes the back-handed dickish compliments.  Way to go! 
 

Flapadar

Member
Verified Provider
I've only given this a brief look over but it looks like you can change your own username to one that's already in use. Since the forgot password functionality uses email address rather than username that can't be exploited to gain admin access (unless you got lazy and just used the username in a query rather than the userid) - but it might cause problems with the login and could potentially be used to e.g. lock someone out of their account 
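The defensive side of Flapadar's finding, as an added example (not Feathur's code; table layout is an assumption): uniqueness is enforced by a UNIQUE index in the schema, so a check-then-update race in PHP cannot produce two accounts with the same name, and the update is keyed on the user id rather than the username, which is the other half of the concern.

```php
<?php
// Added example (not Feathur's code): schema-enforced username uniqueness
// with the duplicate-key error handled. Table layout is an assumption.
declare(strict_types=1);

// Returns true on success, false if the name is already taken; rethrows anything else.
function rename_user(PDO $pdo, int $userId, string $newName): bool
{
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $newName)) {
        return false;   // reject names that only differ by whitespace or odd characters
    }
    try {
        // Keyed on the primary key; the username is data here, never the lookup key.
        $stmt = $pdo->prepare('UPDATE users SET username = :n WHERE id = :id');
        $stmt->execute([':n' => $newName, ':id' => $userId]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation, i.e. the UNIQUE index refused it.
        if ($e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

// Offline demo with SQLite in memory.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$pdo->exec("INSERT INTO users (username) VALUES ('admin'), ('bob')");   // constructed rows

var_dump(rename_user($pdo, 2, 'bob2'));    // free name
var_dump(rename_user($pdo, 2, 'admin'));   // taken: refused by the index, not by a racy SELECT
```

The constraint is what makes this safe under concurrency; an application-level "does this name exist?" query before the UPDATE would still allow two simultaneous requests to both pass the check.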
 