Web PEXAdmin 1.5

Web-interface to view/edit PermissionsEX data

  1. David191212 submitted a new resource:

    PEXAdmin - Web-interface to view/edit permissionsEX data

     
  2. How do I put it in my server?
     
  3. Connect to your server via SSH, uncompress the PEXAdmin_v1.0.zip archive in some folder and set your virtualhost to serve the '/' path from the public folder.
    Let me know if you have further questions :)
     
  4. I strongly recommend against using the Secure Hash Algorithm 1 (SHA-1) cryptographic hash function to store passwords.
    Please reconsider: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

    Code (Text):

    // Login handler as quoted from PEXAdmin: the submitted password is
    // hashed with unsalted sha1() and compared against users.json.
    if (!empty($_POST['login']) && !empty($_POST['password']))
    {
        $paramLogin = $_POST['login'];
        $paramPassword = $_POST['password'];
        $username = strtolower($paramLogin);
        $password = sha1($paramPassword);
        $userList = (new Config())->loadFromJSONFile(APPLICATION_DIR.'/Config/users.json');
        $checkedUser = $userList->getOption($username, false);
        if (!empty($checkedUser) && !empty($checkedUser['password']))
        {
            // Braces added: without them the login/unset lines below ran
            // even when the hashes did not match.
            if ($password === $checkedUser['password'])
            {
                $user = $checkedUser;
                $user['login'] = $username;
                unset($user['password']);
            }
        }
    }
    Does the framework actually clean the input? (because I do not see it)
    Or is this open to SQL injection big time?

    I find it dangerous that there appears to be no input sanitization for a script that's potentially open to the web, with access to PEX as a full-blown admin whose password can easily be obtained through poor sha1 hashing, allowing that person to set perm * on themselves to get all access to the Minecraft server.

    Hopefully I just don't understand this framework and unsanitized input is actually processed by the framework before being processed by PHP/SQL.
     
    #4 mrfloris, Dec 17, 2017
    Last edited: Dec 17, 2017
  5. The users' passwords are stored in the config file 'users.json', which is not publicly accessible (and is protected by a 'Deny from all' directive for the 'no parent folder' flavor).

    All MySQL statements use prepared queries through PDO, so no injection is possible.
     
  6. Glad to hear it; I'm still strongly recommending against using sha1. This has never been a safe choice for passwords, and never will be.
     
  7. Got it about the sha1 :)
    I will add an option in the config file to let the user choose between the sha1 and bcrypt hash algorithms.
     
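    As an added example (not PEXAdmin's code, and not posted by anyone in this thread), this is how a users.json login check can move from sha1 to bcrypt without forcing a reset: legacy sha1 entries are still accepted once, then rewritten with password_hash() on the first successful login. The file layout {"user": {"password": "<hash>"}} and the sample users are assumptions.

```php
<?php
// Added example, not the project's code. Assumed users.json shape:
// {"admin": {"password": "<sha1 or bcrypt hash>"}, ...}

function hashIsLegacySha1(string $stored): bool
{
    // sha1() output is exactly 40 hex characters; bcrypt starts with "$2y$".
    return (bool) preg_match('/^[0-9a-f]{40}$/i', $stored);
}

// Returns true on a valid login. On success, a legacy sha1 entry (or a bcrypt
// hash with an outdated cost) is replaced in $users, so the caller should
// persist $users back to users.json afterwards.
function verifyAndUpgrade(array &$users, string $login, string $password): bool
{
    $username = strtolower($login);
    if (empty($users[$username]['password'])) {
        return false;
    }
    $stored = $users[$username]['password'];

    if (hashIsLegacySha1($stored)) {
        // Constant-time comparison of the legacy digest, then upgrade.
        if (!hash_equals($stored, sha1($password))) {
            return false;
        }
        $users[$username]['password'] = password_hash($password, PASSWORD_BCRYPT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $users[$username]['password'] = password_hash($password, PASSWORD_BCRYPT);
    }
    return true;
}

// Constructed sample data standing in for users.json.
$users = [
    'admin' => ['password' => sha1('correct horse')],                        // legacy entry
    'mod'   => ['password' => password_hash('battery staple', PASSWORD_BCRYPT)],
];

var_dump(verifyAndUpgrade($users, 'Admin', 'wrong password'));
var_dump(verifyAndUpgrade($users, 'Admin', 'correct horse'));
var_dump(strncmp($users['admin']['password'], '$2y$', 4) === 0); // admin now bcrypt
echo json_encode($users, JSON_PRETTY_PRINT), PHP_EOL;            // what to write back
```

    Writing the updated array back to users.json after each successful login means the sha1 digests disappear one user at a time, so the config option can default to bcrypt with no manual migration.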
  8. David191212 updated PEXAdmin with a new update entry:

    Security update

     
  9. Ah, you found the xss :)
     
  10. Hi TheWizard54,
    Did you set the database credentials?

    The DSN and credentials must match the ones provided in PermissionEx's SQL backend config.

    If you still have problems, please turn the PEXAdmin debug mode on by adding the following line in the .htaccess:

    Code (Text):
    SetEnv APPLICATION_ENV development
    Then tell me which error message appears and I'll try my best to help you ;)
     
  11. It seems that PHP cannot find the MySQL driver.

    try this :)
    Code (Text):
    yum install php-mysql
    Then restart the httpd server.
     
  12. I looked it up, and for me it's called php-pdo, but I already have that installed.
     
  13. The php-mysql package is also needed to let PHP know how to talk with MySQL :)
     
  14. Try with:
    Code (Text):
    dnf install php-mysqlnd
     
  15. It has already been installed.
     
  16. That's weird...
    Did you try to restart Apache?
     
  17. Yep. Multiple times.