[Tool] AdminServ 2.1.0

[toffe]

Update:
Mini patch. Add on top of the index.php, just after <?php:

Code: Select all

foreach ($_GET as $key => $value) { if(stristr($value, "../")) $_GET[$key] = str_replace("../", "", $value); }
foreach ($_POST as $key => $value) { if(stristr($value, "../")) $_POST[$key] = str_replace("../", "", $value); }

This will patch the most problems for using the file disclosure, I'm not sure if it helps for all attacks but will keep the easy one's away!

[lucsw]

Hi all, I've installed AdminServ, but I'e a problem, little but not very esthetic :
http://eagle-shootmania.livehost.fr/adm ... inServ.png
Look at on the top:

Code: Select all

Warning: file_exists() [function.file-exists]: open_basedir restriction in effect

And I don't know how to resolv it :/

[lucsw]

Nobody ?

[weerwolf]

Ur webserver is not allowed there because its out of its allowed path's (open_basedir restriction). Either the files need to be in the webservers scope (but outside the www scope), or u must use open_basedir, which is not recommended for safety issues

[lucsw]

I don't have understand all :/
So how to resolv this problem ?

[weerwolf]

eg document root (base dir):

/var/www/vhost/yourdomain.com/
is where your webserver may access

/var/www/vhosts/yourdomain.com/httpdocs
is reachable from the web (so never put serverfiles there)

so is u have placed your mp server in eg. /home/games/maniaplanet
adminserv (webserver) may not access that area

[Chris92]

Hi,

would anyone be interested in a slightly updated version?
I modified AdminServ to have an extra field in the server config called "DisplayServ Password"
Basically, what the DisplayServ portion on the main page does right now is trying to connect to the server via the "User" level and the default pass "User".

If you're as paranoid as me, you usually generate 3 random passwords, one for each access level, and that for each server. You'd only ever have one working server on the frontpage server overview - this fixes it!
I have also included Toffe's fix.
So if anyone's interested, and if Kev717 has nothing against it, I'd publish this on my GitHub as version 2.1.1.

Kind regards,
Chris92

EDIT: Forgot one thing, DisplayServ now also shows the Script that's running on the server, in case the Server is running in Script mode.

EDIT2: Screenshot of the new stuff in action

[hackie]

Could you add a download link.

I'm certainly interested.

[Chris92]

AdminServ v2.1.1

Download here

Changelog:
+ Added DisplayServ password as configuration field. This allows the DisplayServ part on the frontpage to work with custom passwords.
+ Added Toffe's security fix to a possible exploit which could allow anyone with access to download any file of the host machine.
+ A few other enhancements.
- Removed QuestMania support...

[toffe]

Thanks for sharing chris!
It's such a user friendly tool. Maybe a good idea to open up a github or something for it? (or maybe there is already?)


Toffe