Re: [Tool] AdminServ 2.1.0
Posted: 13 Jun 2014, 18:10
by toffe
Update:
Mini patch. Add on top of the index.php, just after <?php:
Code:
foreach ($_GET as $key => $value) { if(stristr($value, "../")) $_GET[$key] = str_replace("../", "", $value); }
foreach ($_POST as $key => $value) { if(stristr($value, "../")) $_POST[$key] = str_replace("../", "", $value); }
This will patch most of the problems with the file disclosure. I'm not sure if it helps against all attacks, but it will keep the easy ones away!
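An added example, not part of toffe's patch or AdminServ's own code: the patch above filters the request string, whereas the check below canonicalises the requested path and confirms it still lies inside the one directory that may be served. `resolveInside()` and the temporary directory layout are hypothetical, constructed for the demonstration.

```php
<?php
// Added example (not AdminServ code). resolveInside() and the sample
// directory layout are hypothetical and constructed for this demo.

// Return the canonical path of $requested if it is a file inside $baseDir, else null.
function resolveInside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the allowed directory itself is missing
    }
    // realpath() collapses "." and ".." and follows symlinks; false = no such path
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    // Compare against "base/" so a sibling such as "maps-old" cannot pass as "maps"
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}

// Constructed layout: <tmp>/adminserv_demo_<pid>/maps is the only directory that may be served
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'adminserv_demo_' . getmypid();
mkdir($root . '/maps', 0700, true);
mkdir($root . '/maps-old', 0700, true);
file_put_contents($root . '/maps/stadium.Map.Gbx', 'constructed');
file_put_contents($root . '/maps-old/cfg.txt', 'constructed');
file_put_contents($root . '/secret.txt', 'constructed');

$requests = [
    'stadium.Map.Gbx',      // inside the allowed directory
    '../secret.txt',        // parent directory
    '../maps-old/cfg.txt',  // sibling whose name starts with "maps"
    '/etc/passwd',          // absolute path supplied as the parameter
    'missing.Map.Gbx',      // does not exist
];
foreach ($requests as $r) {
    printf("%-22s %s\n", $r, resolveInside($root . '/maps', $r) === null ? 'rejected' : 'allowed');
}

// Remove the constructed files again
foreach (['/maps/stadium.Map.Gbx', '/maps-old/cfg.txt', '/secret.txt'] as $f) unlink($root . $f);
foreach (['/maps', '/maps-old', ''] as $d) rmdir($root . $d);
```

Only the first request resolves to a file under the allowed directory; the decision is made on the resolved path, so it does not depend on how the request value was written.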
Re: [Tool] AdminServ 2.1.0
Posted: 28 Sep 2014, 18:46
by lucsw
Hi all, I've installed AdminServ, but I have a problem, small but not very aesthetic:
http://eagle-shootmania.livehost.fr/adm ... inServ.png
Look at the top:
Code:
Warning: file_exists() [function.file-exists]: open_basedir restriction in effect
And I don't know how to resolve it :/
Re: [Tool] AdminServ 2.1.0
Posted: 30 Sep 2014, 17:23
by lucsw
Nobody?
Re: [Tool] AdminServ 2.1.0
Posted: 30 Sep 2014, 17:57
by weerwolf
Your webserver is not allowed there because it's outside its allowed paths (open_basedir restriction). Either the files need to be in the webserver's scope (but outside the www scope), or you must use open_basedir, which is not recommended for safety issues.
Re: [Tool] AdminServ 2.1.0
Posted: 30 Sep 2014, 18:10
by lucsw
I didn't understand it all :/
So how do I resolve this problem?
Re: [Tool] AdminServ 2.1.0
Posted: 01 Oct 2014, 19:21
by weerwolf
e.g. document root (base dir):
/var/www/vhost/yourdomain.com/
is where your webserver may access
/var/www/vhosts/yourdomain.com/httpdocs
is reachable from the web (so never put server files there)
so if you have placed your mp server in e.g. /home/games/maniaplanet
adminserv (webserver) may not access that area
Re: [Tool] AdminServ 2.1.0
Posted: 15 Oct 2014, 13:12
by Chris92
Hi,
would anyone be interested in a slightly updated version?
I modified AdminServ to have an extra field in the server config called "DisplayServ Password"
Basically, what the DisplayServ portion on the main page does right now is trying to connect to the server via the "User" level and the default pass "User".
If you're as paranoid as me, you usually generate 3 random passwords, one for each access level, and that for each server. You'd only ever have one working server on the frontpage server overview - this fixes it!
I have also included Toffe's fix.
So if anyone's interested, and if Kev717 has nothing against it, I'd publish this on my GitHub as version 2.1.1.
Kind regards,
Chris92
EDIT: Forgot one thing, DisplayServ now also shows the Script that's running on the server, in case the Server is running in Script mode.
EDIT2:
Screenshot of the new stuff in action
Re: [Tool] AdminServ 2.1.0
Posted: 15 Oct 2014, 17:17
by hackie
Could you add a download link.
I'm certainly interested.
AdminServ v2.1.1
Posted: 15 Oct 2014, 18:23
by Chris92
AdminServ v2.1.1
Download here
Changelog:
+ Added DisplayServ password as configuration field. This allows the DisplayServ part on the frontpage to work with custom passwords.
+ Added Toffe's security fix to a possible exploit which could allow anyone with access to download any file of the host machine.
+ A few other enhancements.
- Removed QuestMania support...
Re: [Tool] AdminServ 2.1.0
Posted: 17 Oct 2014, 11:29
by toffe
Thanks for sharing, Chris!
It's such a user-friendly tool. Maybe a good idea to open up a GitHub or something for it? (Or maybe there is one already?)
Toffe