Author Topic: UXPanel [Windows]  (Read 10442 times)

Grief-Code

Re: UXPanel [Windows]
« Reply #30 on: July 16, 2015, 01:11:49 am »
> > @Web-Ghost you need to enable PHP short open tag.
> >
> > Also I don't recommend using uxpanel, it's a piece of shit.
>
> how to enable it and do you know anything better than uxpanel?

Probably uxpanel is the only open source software.
We (ohsystem) also created a simple panel but that was also insecure code using shell exec. However there could be a possibility that we may release one soon based on nodejs. But that will take a bit of time.

uakf.b

Re: UXPanel [Windows]
« Reply #31 on: July 16, 2015, 06:29:13 pm »
> > @Web-Ghost you need to enable PHP short open tag.
> >
> > Also I don't recommend using uxpanel, it's a piece of shit.
>
> how to enable it and do you know anything better than uxpanel?

It'd be in your php.ini. Just do a web search for "enable PHP short open tag".

uakf.b

Re: UXPanel [Windows]
« Reply #32 on: July 17, 2015, 04:42:07 pm »
> Probably uxpanel is the only open source software.
> We (ohsystem) also created a simple panel but that was also insecure code using shell exec. However there could be a possibility that we may release one soon based on nodejs. But that will take a bit of time.

As far as security goes, I'm more concerned about the database code (no prepared statements) and XSS/CSRF prevention, the exec part in uxpanel I think was okay.

Grief-Code

Re: UXPanel [Windows]
« Reply #33 on: July 18, 2015, 03:06:47 am »
> > Probably uxpanel is the only open source software.
> > We (ohsystem) also created a simple panel but that was also insecure code using shell exec. However there could be a possibility that we may release one soon based on nodejs. But that will take a bit of time.
>
> As far as security goes, I'm more concerned about the database code (no prepared statements) and XSS/CSRF prevention, the exec part in uxpanel I think was okay.

Well XSS is not likeable, someone found an exploit in openstats pagination as well, however it shouldn't be a big issue to fix that.

Exec generally should be avoided in PHP applications, there are a lot more functions besides that, but to ensure you have a totally safe way, it should be done.
PHP generally gets more weird with each version, just remember 5.3 where they included 'goto', for me it's getting more and more the worst programming language.

However, an idea to make the system safe is pretty simple:
- Wrap ghost with a TCP client protocol which is able to listen on various events:
  - Start / Stop / Restart
  - Game Commands
  - etc.
- Create a nodejs TCP server to listen on a REST API with whitelisted IPs and hashed data & tokens

That avoids shell exec generally for the ghost, when you want to create a new bot and need to copy a folder you could use maybe a nodejs based client for that, it will also execute commands to the shell ofc, but it's not PHP.

uakf.b

Re: UXPanel [Windows]
« Reply #34 on: July 18, 2015, 09:20:58 am »
Sure, but I'm not concerned about the exec usage since that was the main focus for checking its security. There's no user input in any of the exec calls, and there's a wrapper around it to take in an array and escape each part. Which is why other parts are far more likely to have security issues. You can make the web application forward requests to another daemon on the system, but in the end something is going to have to manage processes (e.g. if system restarts), unless you're talking about rewriting GHost++ to have multiple instances in one process and/or having the web application manage init scripts (which is just as big of a problem as executing processes).

Edit:
> That avoids shell exec generally for the ghost, when you want to create a new bot and need to copy a folder you could use maybe a nodejs based client for that, it will also execute commands to the shell ofc, but it's not PHP.

Um yeah that defeats the point completely... if you think they haven't implemented proper escaping of shell commands by version 5.5 while node.js developers are for whatever reason smarter, then you shouldn't use PHP at all (which TBH isn't a bad idea, but not for this reason).
« Last Edit: July 18, 2015, 09:31:37 am by uakf.b »
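
The kind of wrapper described in Reply #34 (take the command as an array and escape each part), sketched as an added example. This is not uxpanel's code; `build_command`, `run_command` and the sample bot name are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Build a shell command line from an argv-style array, escaping every part.
// Hypothetical helper for illustration; not taken from uxpanel.
function build_command(array $argv): string
{
    if ($argv === []) {
        throw new InvalidArgumentException('empty command');
    }
    foreach ($argv as $part) {
        // Reject non-strings and NUL bytes instead of silently casting them.
        if (!is_string($part) || strpos($part, "\0") !== false) {
            throw new InvalidArgumentException('argument must be a string without NUL bytes');
        }
    }
    // escapeshellarg() quotes each part so the shell sees it as one literal word.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Run the command and return [exit status, output lines].
function run_command(array $argv): array
{
    exec(build_command($argv) . ' 2>&1', $output, $status);
    return [$status, $output];
}

// Constructed sample: a bot name that tries to smuggle in a second command.
$hostile = 'bot1; echo INJECTED';

// Naive concatenation: a shell would treat ';' as a command separator.
echo 'unsafe: php -r "" ' . $hostile, PHP_EOL;

// Wrapper: the whole value stays a single quoted argument.
echo 'safe:   ', build_command(['php', '-r', '', $hostile]), PHP_EOL;

// Round trip: the child process receives the hostile string as one argv entry.
[$status, $out] = run_command([PHP_BINARY, '-r', 'echo $argv[1];', $hostile]);
var_dump($status === 0, $out === [$hostile]);

// PHP 7.4+ alternative: proc_open() with an array starts the program
// directly, with no shell involved, so no escaping is needed at all.
$proc = proc_open([PHP_BINARY, '-r', 'echo $argv[1];', $hostile], [1 => ['pipe', 'w']], $pipes);
$direct = stream_get_contents($pipes[1]);
fclose($pipes[1]);
proc_close($proc);
var_dump($direct === $hostile);
```

On Windows, `escapeshellarg()` replaces percent signs, exclamation marks and double quotes with spaces before wrapping the value in double quotes, so arguments containing those characters are altered rather than passed through unchanged.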

Profforg

Re: UXPanel [Windows]
« Reply #35 on: July 19, 2015, 04:05:28 pm »
> Um yeah that defeats the point completely... if you think they haven't implemented proper escaping of shell commands by version 5.5 while node.js developers are for whatever reason smarter, then you shouldn't use PHP at all (which TBH isn't a bad idea, but not for this reason).

Programming language is a tool, not a shortcode. If you want to escape, just write the code for that, what's the problem?
I'm offering most advanced Warcraft 3 bot hosting.

Feel free to contact me:
E-Mail: admin@rusdota.net

uakf.b

Re: UXPanel [Windows]
« Reply #36 on: July 19, 2015, 07:29:54 pm »
> > Um yeah that defeats the point completely... if you think they haven't implemented proper escaping of shell commands by version 5.5 while node.js developers are for whatever reason smarter, then you shouldn't use PHP at all (which TBH isn't a bad idea, but not for this reason).
>
> Programming language is a tool, not a shortcode. If you want to escape, just write the code for that, what's the problem?

I'm not sure what your point is?

Either way, as I said, there's no user input in any of the commands that get executed.

Profforg

Re: UXPanel [Windows]
« Reply #37 on: July 20, 2015, 06:52:07 am »
> I'm not sure what your point is?
>
> Either way, as I said, there's no user input in any of the commands that get executed.

I don't understand why you blame PHP. Sure it's not Go. Go is much newer and can make breaking changes. PHP differs, it becomes better without breaking compatibility.

PHP will be one of the fastest languages according to benchmarks.

Check this out: https://gist.github.com/dstogov/12323ad13d3240aee8f1

Luajit (nginx + luajit works cool in production) is the fastest of the currently available realizations, also worth mentioning that Lua cosocket and light threads realization works better than C, so in reality Luajit is the best language in the world for web for now. Go should be cool too, unfortunately it's missing from this benchmark, but someone should repeat that as code is already available http://golang.org/test/bench/shootout/mandelbrot.go. Sure it's not an ideal benchmark, and someone should repeat it using different language compilers, but it's rather good to represent the real usage example which can be used right now for modern websites.

uakf.b

Re: UXPanel [Windows]
« Reply #38 on: July 20, 2015, 10:24:11 am »
I think you misunderstood my post?

> Um yeah that defeats the point completely... if you think they haven't implemented proper escaping of shell commands by version 5.5 while node.js developers are for whatever reason smarter, then you shouldn't use PHP at all (which TBH isn't a bad idea, but not for this reason).

I was responding to Grief-Code, who proposed executing commands from node.js instead of PHP and claimed that would provide more security. I don't see where I blamed PHP, in fact it seems quite the opposite.

I mentioned why uxpanel is not the best earlier, it still uses mysqli without prepared statements and the code dealing with XSS and CSRF hasn't been updated in a while although I've used and updated the same code in other projects. This isn't dependent on PHP.

Either way, I prefer languages that offer static and strong typing, and don't require a web framework to write good applications (e.g. PHP by default ignores most errors like variable not existing, and the == operator is insane).
« Last Edit: July 20, 2015, 10:29:53 am by uakf.b »

Grief-Code

Re: UXPanel [Windows]
« Reply #39 on: July 20, 2015, 03:32:57 pm »
I blame PHP.
It's the worst programming language around.

Also when you come across with benchmark tests, it took over 10 years to reach the standard with 5.5 and enhance it again with 7.0.
Other languages directly have a good performance without the huge development between. That's only the point to your benchmarks.

The reason why I hate PHP is simply the missing concept. There is no clear structure and idea how and what road map is developed. It feels like they are adding things to the language that they think are cool. They do not even try to hit modern standards. While applications are leading more to OOP, they are adding 'goto', as an example. It can be true that PHP is good for your usages and the purpose you use it for, but for me it's not a language I like to work with. But this is also once again a personal opinion, I won't start a fight or defend that :P I just wanted to point out my reasons.
« Last Edit: July 20, 2015, 03:36:15 pm by Grief-Code »