danwin / hosting
This is a setup for a Tor based shared web hosting server
Home Page: https://danwin1210.de/hosting/
License: GNU General Public License v3.0
But it will be good if you enable and create a home directory for each user. This is because it is currently impossible to install Composer without configuring it to use a different dir. It is also the same for other programs that require a home dir for saving the configuration. If /home/USER were enabled, it probably wouldn't have any security issues.
Also, maybe you can also pre-install Composer because it is used in many projects.
If cron.php and find_old.php are executed by systemd crons and they are executed with root privileges, we should ensure in setup.php that only the root user can EDIT these two files, otherwise they would be an EoP (Escalation of Privileges) attack vector.
We should chmod/chown them and check that this worked.
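One way to do the chown/chmod and then verify it actually took, as an added example (not code from the danwin/hosting repository). The two file paths are the ones named in the issue; the permission policy (root-owned, mode 0644, no symlink, parent directory not group/world writable) and the function names are assumptions.

```php
<?php
// Added example, not part of danwin/hosting. Checks that scripts a root cron
// executes are root-owned and writable only by root, fixes them, and re-checks.

declare(strict_types=1);

/**
 * Return a list of problems for one file; an empty array means the file is safe
 * for root to execute.
 */
function check_root_script(string $path): array
{
    $problems = [];
    clearstatcache(true, $path);
    $stat = @lstat($path);
    if ($stat === false) {
        return ["$path: does not exist"];
    }
    // A symlink in a root-executed path can be repointed by whoever owns the link.
    if (is_link($path)) {
        $problems[] = "$path: is a symlink";
    }
    if ($stat['uid'] !== 0) {
        $problems[] = sprintf('%s: owned by uid %d, expected 0 (root)', $path, $stat['uid']);
    }
    $mode = $stat['mode'] & 0777;
    if ($mode & 0022) {
        $problems[] = sprintf('%s: mode %04o is group/world writable', $path, $mode);
    }
    // A writable parent directory lets a non-root user replace the file outright.
    $dir = dirname($path);
    $dstat = @stat($dir);
    if ($dstat !== false && ($dstat['mode'] & 0022)) {
        $problems[] = sprintf('%s: parent directory %s is group/world writable', $path, $dir);
    }
    return $problems;
}

/**
 * Make the file root-owned and 0644 (root writes, everyone else reads only).
 * Returns true only when the file passes check_root_script() afterwards.
 */
function fix_root_script(string $path): bool
{
    if (!chown($path, 0) || !chgrp($path, 0) || !chmod($path, 0644)) {
        return false;
    }
    return check_root_script($path) === [];
}

// Files named in the issue; this loop would run at the end of setup.php as root.
$scripts = ['/var/www/cron.php', '/var/www/find_old.php'];
foreach ($scripts as $script) {
    $problems = check_root_script($script);
    if ($problems !== []) {
        fwrite(STDERR, implode("\n", $problems) . "\n");
        if (!fix_root_script($script)) {
            fwrite(STDERR, "Failed to fix $script; refusing to continue\n");
            exit(1);
        }
    }
}
```

The re-check after chown/chmod is the point: chown() silently requires root, so a setup script run as the wrong user would otherwise report success while leaving the files editable.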
This could be for example E-Mail or GPG
Add support to configure rewriting rules from the dashboard. And maybe also to automatically convert .htaccess
to NginX config.
Take a look at: https://www.asnible.com you can use it as a provisioner to have a customizable configuration.
#11 should be implemented first.
Line 120 in db626a5
Hello, this appears to be a race condition on a single file with a well-known name; multiple processes going through this section of code at once might stomp on each other. See mkstemp(3) for one correct way to make temporary files.
Thanks
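The pattern described in this comment and PHP's equivalent of mkstemp(3), as an added example (not the project's code and not the contents of the line referenced above). The fixed file name, directory and function names are assumptions.

```php
<?php
// Added example, not part of danwin/hosting. Contrasts a predictable temp-file
// name with an atomically created unique one, plus a lock for mutual exclusion.

declare(strict_types=1);

/**
 * Racy (constructed illustration): a fixed, well-known name. Two processes use
 * the same path, and anyone who can write the directory can pre-create or
 * symlink it before we do.
 */
function racy_temp_path(): string
{
    return sys_get_temp_dir() . '/hosting-config.tmp';
}

/**
 * Safe: tempnam() creates the file atomically with a unique name and mode 0600,
 * the same guarantee mkstemp(3) gives, so concurrent callers never share a path.
 */
function create_private_temp(string $prefix = 'hosting-'): string
{
    $path = tempnam(sys_get_temp_dir(), $prefix);
    if ($path === false) {
        throw new RuntimeException('could not create temporary file');
    }
    return $path;
}

/**
 * Write content through a private temp file in the target's directory and
 * rename() it into place; rename is atomic on the same filesystem, so readers
 * see either the complete old file or the complete new one.
 */
function atomic_write(string $target, string $content): void
{
    $tmp = tempnam(dirname($target), '.tmp-');
    if ($tmp === false || file_put_contents($tmp, $content) !== strlen($content)) {
        throw new RuntimeException("could not stage $target");
    }
    if (!rename($tmp, $target)) {
        unlink($tmp);
        throw new RuntimeException("could not replace $target");
    }
}

/**
 * When the real goal is "only one copy of this script runs at a time", take an
 * advisory lock on a fixed file instead of relying on a temp file's existence.
 * Returns the open handle (keep it for the lock's lifetime) or null if busy.
 */
function acquire_single_instance_lock(string $lockPath)
{
    $fh = fopen($lockPath, 'c');
    if ($fh === false || !flock($fh, LOCK_EX | LOCK_NB)) {
        return null;
    }
    return $fh;
}

// Demonstration: two private temp files never collide and are not world-readable.
$a = create_private_temp();
$b = create_private_temp();
if ($a === $b || (fileperms($a) & 0777) !== 0600) {
    throw new RuntimeException('temp file guarantees violated');
}
atomic_write($a, "example content\n");
unlink($a);
unlink($b);
```

racy_temp_path() is kept only to show what the comment objects to; nothing here calls it.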
As the title.
Strictly sandbox squirelmail, phpmyadmin and adminer with their own php-fpm configurations, preventing leaks from vulnerabilities in those applications.
I did whatever you said in readme.txt, so in the last step I rebooted the machine.
Now nginx is not running, and when I tried to run it:
#> service nginx restart ; journalctl -xe
-- The result is failed.
Jun 07 15:09:59 static systemd[1]: nginx.service: Unit entered failed state.
Jun 07 15:09:59 static systemd[1]: nginx.service: Failed with result 'exit-code'.
Then I created the files myself:
#> mkdir -p /var/run/nginx/ ; touch /var/run/nginx/susspend
And now I have this error:
-- The result is failed.
Jun 07 15:11:07 static systemd[1]: nginx.service: Unit entered failed state.
Jun 07 15:11:07 static systemd[1]: nginx.service: Failed with result 'exit-code'.
What should I do?
What is wrong with this even? ("Jun 07 15:11:07 static php[6042]: No Connection to MySQL database!")
I'm waiting for your replies :)
Do you create video tutorial?
Here is the modified setup.php correcting the issues with the tables failing to load, due to them being in the wrong order.
Issue: When you run php /var/www/setup.php
it fails to create 3 tables in the mysql database with an error.
I have put them in the correct order so as it now creates the database correctly.
Cut & paste this over part in original file or use the attached zip.
//create tables
$db->exec('CREATE TABLE captcha (id int(11) NOT NULL AUTO_INCREMENT PRIMARY KEY, time int(11) NOT NULL, code char(5) COLLATE latin1_bin NOT NULL) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE settings (setting varchar(50) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL PRIMARY KEY, value text CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE users (onion char(16) COLLATE latin1_bin NOT NULL PRIMARY KEY, username varchar(50) COLLATE latin1_bin NOT NULL UNIQUE, password varchar(255) COLLATE latin1_bin NOT NULL, private_key varchar(1000) COLLATE latin1_bin NOT NULL, dateadded int(10) unsigned NOT NULL, public tinyint(3) unsigned NOT NULL, php tinyint(1) unsigned NOT NULL, autoindex tinyint(1) unsigned NOT NULL, KEY public (public), KEY dateadded (dateadded)) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE del_account (onion char(16) COLLATE latin1_bin NOT NULL PRIMARY KEY, CONSTRAINT del_account_ibfk_1 FOREIGN KEY (onion) REFERENCES users (onion) ON DELETE CASCADE ON UPDATE CASCADE) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE new_account (onion char(16) COLLATE latin1_bin NOT NULL PRIMARY KEY, password varchar(255) COLLATE latin1_bin NOT NULL, CONSTRAINT new_account_ibfk_1 FOREIGN KEY (onion) REFERENCES users (onion) ON DELETE CASCADE ON UPDATE CASCADE) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$db->exec('CREATE TABLE pass_change (onion char(16) COLLATE latin1_bin NOT NULL PRIMARY KEY, password varchar(255) COLLATE latin1_bin NOT NULL, CONSTRAINT pass_change_ibfk_1 FOREIGN KEY (onion) REFERENCES users (onion) ON DELETE CASCADE ON UPDATE CASCADE) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_bin;');
$stmt=$db->prepare("INSERT INTO settings (setting, value) VALUES ('version', ?);");
$stmt->execute([DBVERSION]);
echo "Database has successfully been set up\n";
}
?>
Suggestion by a user
Adminer: Clear session cookie when the user tried to connect elsewhere.
a. the user tried to use other user's DB. (DB != 'userhavethisonion.onion')
b. server != 'localhost'
c. db.sqlite exists
d. db.mysql != 'localhost'
e. not logged in to hosting panel (e.g. !isset($_SESSION['loggedin']))
Using mail(), the name is ignored and always overridden with a fixed address. It should be possible to leave the name and only override the sender address.
The Snuffleupagus extension can help you harden your setup and filter dangerous commands even if you don't want to disable them at all: https://github.com/nbs-system/snuffleupagus
#15 should be implemented for this first
CSRF protection missing on sensitive authenticated actions.
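A minimal synchronizer-token implementation of the protection this issue asks for, as an added example (not code from danwin/hosting). The session key, the form field name and the use of PHP's native session are assumptions.

```php
<?php
// Added example, not part of danwin/hosting: per-session CSRF token that every
// state-changing POST (password change, account deletion, ...) must carry.

declare(strict_types=1);

/** Create the token once per session; 32 random bytes, hex-encoded. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to embed in each form that performs a sensitive action. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Pure check, so it can be unit-tested: true only when the submitted token is
 * a string that matches the session token in constant time.
 */
function csrf_valid(array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

/** Call at the top of every handler that changes state. */
function require_csrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Usage sketch (assumed handler layout):
//   session_start();
//   require_csrf();
//   ... perform the password change / deletion ...
// and in the template:  echo csrf_field();
```

Pair this with the session cookie's SameSite and HttpOnly attributes; the token is what stops a cross-site form post from an attacker-controlled onion from being accepted as the logged-in user.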
Hi, I have installed a fresh Debian 10 with the hosting system and will try the mail system.
I sent a message to myself but:
Message not sent.
Requested action not taken: mailbox name not allowed
Server replied: 553 5.7.1 vffovj4g24bjyixynr4o6pjggg2mn225@yzombq2l4b6mnyw2icm23faq34nv2fjjfpm44v6thg43gsiefc3qfwid.onion: Sender address rejected: not owned by user vffovj4g24bjyixynr4o6pjggg2mn225@yzombq2l4b6mnyw2icm23faq34nv2fjjfpm44v6thg43gsiefc3qfwid.onion
You can try this here: yzombq2l4b6mnyw2icm23faq34nv2fjjfpm44v6thg43gsiefc3qfwid.onion
phpmyadmin, adminer and squirrelmail are publicly accessible, adding attack vectors. They should only be accessible by users logged in to their hosting account, possibly with one-click login from the dashboard.
Especially rewrite rules should be implemented
A small container (Docker?) for development, testing, and/or deployment of the TOR based shared server
constant contact_me // default contact email from the site
All links will be redirected later to a contact form; the contact form uses this constant.
Let users choose to enable backups
I browsed the source code a little bit, and came up with some hardening ideas (note that I didn't do an exhaustive review... just notes on some things that stood out to me).
In /var/www/cron.php:
- useradd and usermod. See lines 29 and 242.
- The $system_account variable (line 24) is used to build a filesystem path in multiple places; it should first be filtered through the basename() call. This will prevent relative path attacks, which could cause a root compromise if an attacker has control of it.
- $system_account should be validated through posix_getpwnam() before performing any actions on existing accounts.
- $system_account can also be checked against a short blacklist of disallowed account names, such as root, daemon, bin, etc. In some cases, it may make sense to resolve to a UID & GID and check that neither is under 1000.
I see possibilities where, if an attacker has access to insert unfiltered data into the database, cron.php can be used to elevate privileges to root.
Considering that you had a full system compromise, I'd spend a lot of time looking at the code executing with root privileges.
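The checks proposed in the comment above, combined into one validation path, as an added example (not the code of cron.php). The 1000 threshold and the root/daemon/bin entries come from the comment; the extra blocklist entries, the name regex, the base directory and all function names are my assumptions. It is slightly stricter than suggested: a name containing a path component is rejected rather than stripped.

```php
<?php
// Added example, not part of danwin/hosting. Validates an account name read from
// the database before it is used in a path or handed to useradd/usermod.

declare(strict_types=1);

const MIN_UNPRIVILEGED_ID = 1000;
// root, daemon, bin are from the comment; the rest are my own additions.
const DISALLOWED_ACCOUNTS = ['root', 'daemon', 'bin', 'sys', 'www-data', 'mysql', 'tor'];

/**
 * Syntactic check. basename() is applied as the comment suggests, but a name
 * that basename() changes (e.g. "../root") is refused outright instead of being
 * silently turned into "root". Returns the clean name or null.
 */
function normalize_account_name(string $raw): ?string
{
    $name = basename($raw);
    if ($name === '' || $name !== $raw) {
        return null;                                  // contained a path component
    }
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $name)) {
        return null;                                  // not a plain POSIX user name
    }
    if (in_array($name, DISALLOWED_ACCOUNTS, true)) {
        return null;                                  // well-known system account
    }
    return $name;
}

/**
 * Semantic check for actions on an existing account (usermod, file operations):
 * the name must resolve via posix_getpwnam() to an unprivileged uid and gid.
 * For account creation the opposite applies: posix_getpwnam() must return false.
 */
function resolve_unprivileged_account(string $name): ?array
{
    $pw = posix_getpwnam($name);
    if ($pw === false) {
        return null;                                  // account does not exist
    }
    if ($pw['uid'] < MIN_UNPRIVILEGED_ID || $pw['gid'] < MIN_UNPRIVILEGED_ID) {
        return null;                                  // system account; never touch from cron
    }
    return $pw;
}

/**
 * Build the user's directory only from an already validated name and confirm
 * the result still sits directly under the expected base directory.
 */
function account_home(string $base, string $name): string
{
    $base = rtrim($base, '/');
    $path = $base . '/' . $name;
    if (dirname($path) !== $base) {
        throw new UnexpectedValueException("path escapes $base");
    }
    return $path;
}

// Constructed inputs (not from the repository) showing how each check reacts.
foreach (['alice', '../root', 'root', 'a b', ''] as $candidate) {
    $clean = normalize_account_name($candidate);
    printf("%-12s -> %s\n", var_export($candidate, true), $clean === null ? 'rejected' : 'accepted');
}
```

When the validated name is finally passed to useradd or usermod, hand it over as a separate argument (proc_open() with an array command in PHP 7.4+, or escapeshellarg() with exec()) rather than interpolating it into a shell string, so the syntactic check above is the only place that decides what counts as a name.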
I know this is not an issue, but I really do not recommend you to host files on your server on the tor network for others. Do it without revealing your identity if you really have to and especially do not do it on your raspberry pi and do not allow unlimited storage and no CPU limits. Also your SQL database has no limits except theoretical as well. Never do that for free either. I am just warning you that you may get into serious trouble if someone uploads illegal material and it probably will happen soon.
P.S.: also using a LARGE amount of onions is not the best idea to do, it may crash your tor client. You should rather use onion subdomains.
The site could look a lot better if we add some CSS or use a CSS framework, might be an option to consider.
Line 228 in db626a5
This SQL isn't using prepared statements with placeholders; unless the input variable is properly sanitized elsewhere in the codebase this may represent an SQL injection opportunity.
Thanks
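What "prepared statements with placeholders" looks like against the schema shown earlier on this page, as an added example (not the code at the referenced line, which is not reproduced here). The "before" query is a constructed illustration of the pattern the comment describes; $db is assumed to be the PDO handle setup.php uses, and the function names are mine.

```php
<?php
// Added example, not part of danwin/hosting. Shows a query built by string
// interpolation next to the placeholder version, and what to do when the
// untrusted value is an identifier rather than a value.

declare(strict_types=1);

/** Constructed "before": SQL structure depends on the data in $onion. */
function find_user_unsafe(PDO $db, string $onion): ?array
{
    $row = $db->query("SELECT username FROM users WHERE onion='$onion'")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** After: the SQL text is fixed; the driver transmits $onion purely as data. */
function find_user(PDO $db, string $onion): ?array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE onion = ?');
    $stmt->execute([$onion]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Placeholders cannot stand in for identifiers (table, column, ORDER BY field).
 * Map user input onto a fixed allow-list instead of quoting it.
 */
function list_public_users(PDO $db, string $orderBy): array
{
    $allowed = ['dateadded' => 'dateadded', 'username' => 'username'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $db->prepare("SELECT username, dateadded FROM users WHERE public = 1 ORDER BY {$allowed[$orderBy]}");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Connection options that make the above effective: server-side prepares
 * (no client-side emulation) and exceptions instead of silently ignored errors.
 */
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

A quick way to audit a codebase for the pattern the comment flags is to grep for `->query(` and `->exec(` whose argument contains a `$` or string concatenation; each hit should either be a constant string or move to prepare()/execute().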
Bot idea:
How:
Hi, there are a lot of issues in the repository; hm, I'll try with a new setup and post the install setup here.
To prevent disk usage abuse by a single user, a quota should be enforced, which should be extendable on request
First demo with the new frontend; the main site will also be in the same design.
http://yzombq2l4b6mnyw2icm23faq34nv2fjjfpm44v6thg43gsiefc3qfwid.onion
Hi guys!
I am excited about being able to provide the onion service hosting service. I'm having difficulty adding the tutorial repository.
Any suggestion?
sudo apt-key adv --recv 1655A0AB68576280
Executing: /tmp/apt-key-gpghome.cE6SkNwKue/gpg.1.sh --recv 1655A0AB68576280
gpg: Recebimento de informação do keyserver falhou: Erro geral
Translated error message (by google): Receiving information from keyserver failed: General error
Many thanks from brazil.
Something like an Ansible playbook to automate deployment of the TOR based shared hosting server
Hi again, I have installed Debian 11 and am trying to set up the hosting system.
But when I try:
for instance in 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z; do tor-instance-create "$instance"; done
then I get: tor-instance-create: Kommando nicht gefunden.