XenoPanel Directory Protector - Disables viewing other servers' files.

Discussion in 'System Administration' started by Arisstath, Apr 9, 2017.

Thread Status:
Not open for further replies.
  1. Arisstath

    Arisstath NoLag.host - $0.80/GB - Custom Panel Banned Disabled Account Supreme Premium

    Messages:
    303
    Reactions:
    +180
    Hello, since Liam is not able to fix this easy security issue, we coded a custom permissions fix. We do not need it anymore because of NoLagCP.

    Source Code:
    Code:
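    package host.nolag.security;

    import java.io.File;
    import java.io.IOException;

    public class Main {

        public static void main(String[] args) throws InterruptedException {
            System.out.println("NoLag.host - Read Access Protector");
            while (true) {
                int count = 0;
                // listFiles() returns null if the directory is missing or unreadable
                File[] files = new File("/home/XenoPanel/").listFiles();
                if (files == null) {
                    System.err.println("Cannot list /home/XenoPanel/");
                    files = new File[0];
                }
                for (File file : files) {
                    if (file.isDirectory()) {
                        try {
                            // chmod go-rwx [usersHomeFolder]
                            // Arguments are passed as an array so a path containing
                            // spaces is not split into several chmod arguments.
                            Process p = Runtime.getRuntime().exec(
                                    new String[] {"chmod", "go-rwx", "--", file.getPath()});
                            // Count the directory only if chmod actually succeeded
                            if (p.waitFor() == 0) {
                                count++;
                            } else {
                                System.err.println("chmod failed for " + file.getPath());
                            }
                        } catch (IOException e) {
                            System.err.println("Failed to set permissions for file " + file.getPath());
                            e.printStackTrace();
                        }
                    }
                }
                System.out.println("Secured " + count + " users!");
                // Re-apply every 60 seconds so newly created directories get covered
                Thread.sleep(1000 * 60);
            }
        }
    }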
    
    Compiled JAR: https://nolag.host/static/NoLagSecurity.jar

    XenoPanel
     
    Banned Forever For: Scamming (http://www.mc-market.org/threads/256245/)
    • Winner Winner x 1
    • Informative Informative x 1
    • Useful Useful x 1
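Added example, not part of the original post or NoLag's code: a shell version of the same `chmod go-rwx` pass that only touches directories whose group/other bits are actually set, and skips symlinks because `chmod` follows them. The function name `secure_server_dirs` is hypothetical, `stat -c` assumes GNU coreutils or BusyBox, and the panel root is passed as an argument (the post uses `/home/XenoPanel/`).

```shell
#!/bin/sh
# Added example: audit and tighten per-server directories under a panel root.

# secure_server_dirs ROOT
# Sets FIXED to the number of directories whose permissions had to be tightened.
secure_server_dirs() {
    root=$1
    FIXED=0
    # Second pattern also covers hidden directories, as File.listFiles() does.
    for d in "$root"/* "$root"/.[!.]*; do
        # Skip symlinks: chmod follows them, so a link placed inside ROOT
        # would otherwise change the permissions of whatever it points at.
        [ -L "$d" ] && continue
        # Only directories are handled (also skips an unmatched glob pattern).
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' -- "$d") || continue
        # The last two octal digits are group and other; 00 means already
        # private. stat prints a bare "0" for mode 0000.
        case $mode in
            *00|0) ;;
            *)
                if chmod go-rwx -- "$d"; then
                    FIXED=$((FIXED + 1))
                    printf 'tightened %s (was %s)\n' "$d" "$mode"
                else
                    printf 'chmod failed for %s\n' "$d" >&2
                fi
                ;;
        esac
    done
    return 0
}

# Run only when a root is given, e.g.: sh secure.sh /home/XenoPanel
if [ "$#" -gt 0 ]; then
    secure_server_dirs "$1"
    printf 'Secured %s directories\n' "$FIXED"
fi
```

Like the Java loop, this is a periodic sweep, so a directory created between runs stays readable until the next pass.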
  2. Fire

    Fire Always DM me here before dealing via Discord. Supreme Premium

    Minecraft Accounts: Battleships
    Messages:
    3,608
    Reactions:
    +1,767
    It's quite concerning that a bug as serious as allowing users to access others' files exists, let alone that the developer didn't patch it.

    I was thinking of switching to Xeno a while back. Kind of glad I stuck with Multicraft.
     
    • Agree Agree x 3
  3. Latouth

    Latouth Troubled on Linux? Ask me! Supreme Premium

    Minecraft Accounts: Latouth
    Messages:
    1,574
    Reactions:
    +514
    TIL: There's more panels! I didn't know about XenoPanel lol
     
  4. Fishfish0001

    Fishfish0001 Member

    Messages:
    41
    Reactions:
    +102
    Not to mention the authentication bypass exploit, as well as the one that allowed anyone to view any file on the system, and have root permissions to make edits. Hello /etc/shadow and /etc/passwd.

    But maybe that's what happens when the creator of that panel appears to be more concerned with making other commercial products and bragging about how many servers they own on Discord. If you're going to offer a commercial product like this, most people expect that you'll actually put time into supporting and improving it, not running away when it starts breaking and people get mad. ¯\_(ツ)_/¯
     
    • Winner Winner x 2
    • Like Like x 1
    • Informative Informative x 1
  5. Latouth

    Latouth Troubled on Linux? Ask me! Supreme Premium

    Minecraft Accounts: Latouth
    Messages:
    1,574
    Reactions:
    +514
    ptero ftw
     
  6. Hasan

    Hasan Member Banned Premium

    Minecraft Accounts: JavaSoftware
    Messages:
    1,694
    Reactions:
    +562
    Are you using XenoPanel?
     
    Banned Forever For: Scamming (http://www.mc-market.org/threads/256284/)
  7. 58445

    58445 Member Disabled Account

    Messages:
    55
    Reactions:
    +33
    I'm kinda sad that I bought it a week before they disappeared... I didn't get a refund at all...

    I want to warn all of you guys, never buy something from that PERSON again
     
    • Agree Agree x 1
  8. Lord Flo

    Lord Flo Member Supreme Premium

    Messages:
    627
    Reactions:
    +328
    Hi Hasan,

    We moved to our custom coded panel! :)

    Best regards,
    Bastian
     
  9. BeBosny

    BeBosny Basically irrelevant now Supreme Premium

    Messages:
    2,506
    Reactions:
    +3,377
    http://www.mc-market.org/threads/133604/page-7#post-1678337

    I'm also confident the XenoPanel MCM account is managed by Liam which means he's ban evading. I've reported him a few months ago without results.
     
  10. 58445

    58445 Member Disabled Account

    Messages:
    55
    Reactions:
    +33

    Yeah well, I lost my money anyway, I'm still gonna try it through PayPal but next to that I believe I just got scammed... :(
     
  11. Joshua St.

    Joshua St. Visit our website today for hosting! Premium

    Messages:
    135
    Reactions:
    +68
    It's not even an issue in the latest downloads, I'm pretty sure, and either way it only allows view - and v2 doesn't have any of those issues. I hope it works out for everyone though who uses the panel.
     
  12. SafeSurf

    SafeSurf Why not?:) Premium

    Messages:
    266
    Reactions:
    +186
    "only allows view"
    Are you completely mad saying "only" in that sentence and acting up like that's nothing? Just tells a bit how security is run at Zippy, if that's your view on it.
     
  13. Joshua St.

    Joshua St. Visit our website today for hosting! Premium

    Messages:
    135
    Reactions:
    +68
    In comparison to being able to modify files, yes.. only. However, obviously it's not any good to see the files themselves. That being said, Zippy takes security very seriously. We operate as a company, so my opinion on things doesn't always mean my company reflects certain things that happen. For instance, we're actually leaving XenoPanel for another based on this issue and a few others we've experienced. Thanks though.
     
  14. SafeSurf

    SafeSurf Why not?:) Premium

    Messages:
    266
    Reactions:
    +186
    Actually, it's called PR.

    If Tim Cook from Apple would hate Muslims, it would affect the company as well.

    You get the point? I don't care whatever you use. Just a very spooky thing to take for granted.
     
  15. Joshua St.

    Joshua St. Visit our website today for hosting! Premium

    Messages:
    135
    Reactions:
    +68
    No one takes it for granted, the creator of XenoPanel said those words himself about the panel. He specifically said he's not worried about it because since the updates it's not even an issue anymore.

    That being said, even if they could view the files I haven't seen any information to support that actually being an issue other than someone saying you can who has a biased standpoint.

    Your comparison to Tim Cook and Muslims is far-fetched from what we're talking about. I'm not saying I support people looking at others' files, I'm saying I have not seen that issue and was told directly from the creator Liam the panel shouldn't have that issue with the updates to it.
     
    Last edited: Sep 18, 2017
  16. Fishfish0001

    Fishfish0001 Member

    Messages:
    41
    Reactions:
    +102
    K78DT.png 2Vsbg.png
     
  17. Joshua St.

    Joshua St. Visit our website today for hosting! Premium

    Messages:
    135
    Reactions:
    +68
  18. Aderm

    Aderm Member Banned Supreme Premium

    Minecraft Accounts: Aderm
    Messages:
    217
    Reactions:
    +81
    What's also funny, there was a basic MySQL exploit in XenoPanel.
    The username and password were sent together in PHP, so you could literally comment out the password field.
    Web development 101, Jesus Christ. Always escape characters.
     
    Banned Forever For: Excessive Violations of the Rules
  19. Glitch

    Glitch Website Developer Supreme Premium

    Minecraft Accounts: Clockzy
    Messages:
    496
    Reactions:
    +119
    I wouldn't recommend XenoPanel at all. Besides their product, their support is shit too. I lost $20 for this crappy software.
     
    • Like Like x 1
    • Agree Agree x 1