Security issue: Python app crashed and the project code base was shown to the public

Operating System & Version
cloudlinux
cPanel & WHM Version
104.0.10

MrAli

Registered
Sep 2, 2022
SA
cPanel Access Level
Website Owner
Hi

I have a Python app running on an add-on domain, but somehow the Python app was killed and my project files were exposed to the public,
including the credentials of the project database.


As a quick fix, I added an index.html to the project folder to prevent the server from showing my project files.

1. Q: Is there another way to prevent the server from showing the project files if the Python app is stopped by the user or by some error?

2. Can you add a warning to https://docs.cpanel.net/knowledge-base/web-services/how-to-install-a-python-wsgi-application/ so users
are aware of the risk of exposing their project folder to the world?

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! As mentioned on that page, our support for the Python tools is *extremely* limited, as we don't offer any technical support for those tools. My only recommendation would be to set up the test application as outlined on the page and see if you can reproduce the odd behavior with the code being shown to the public. If that's the case, and you can provide me with reproduction steps on how you achieved that, I can get a warning added. But in general, we're pretty hands-off with those tools.

MrAli

Registered
1. Create a Python app (Python 3.9.12, because Python 3.10 is not supported yet by CloudLinux and LiteSpeed):
Application root = django_test
Application URL = django_test.domain.ltd
Application startup file = passenger_wsgi.py
Application Entry point = application


2. In the terminal:
$ source /home/user/virtualenv/django_test/3.9/bin/activate && cd /home/user/django_test
$ pip install django
$ django-admin startproject myapp ~/django_test

3. Edit django_test/passenger_wsgi.py, delete everything and keep only this line:
from myapp.wsgi import application

4. Edit the myapp/settings.py file. Search for ALLOWED_HOSTS and change it to:
ALLOWED_HOSTS = ['*']

5. Point the subdomain or the add-on domain to the same "/django_test" folder. # my error!

6. Restart the app.


Now, if you stop the Python app, the subdomain will take control and show the code to the world.

Of course, pointing the "Application root" and the subdomain's "Document Root" to the same folder (in our case /django_test) is 100% user error.


P.S.: If you like, I can PM you the link to my test subdomain so you can see the error yourself.

ecartz

Member
Oct 23, 2021
United States
cPanel Access Level
Root Administrator
1. Q: Is there another way to prevent the server from showing the project files if the Python app is stopped by the user or by some error?
1. Turn off Indexes in Options: How do I disable directory browsing?
2. Put the files that require security in a subdirectory and use either .htaccess or a Directory block in httpd.conf to execute something like
Code:
<Files *>
  # Apache 2.4+ (mod_authz_core): deny every request for files in this directory
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>

  # Apache 2.2 fallback (mod_authz_core absent): same effect with the old directives
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>
So files in that subdirectory are not directly accessible via the web but can only be included/imported.
3. OR, put the files that require security outside the web root.

These solutions are not specific to Python code nor cPanel. Moving outside the web root isn't even specific to Apache.
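The root cause in MrAli's reproduction is that the domain's "Document Root" equals (or sits inside) the Passenger "Application root", so once the app stops, Apache serves settings.py and friends as plain files. The following checker is an added example, not code from cPanel or from anyone in this thread; it builds a constructed copy of the django_test layout in a temporary directory, flags the overlap, and lists the files that would be served, and then shows the same check passing when the document root is a separate folder (the `SENSITIVE_PATTERNS` list and the `public_html` name are assumptions for the example).

```python
"""Flag a Passenger/Apache layout where the add-on domain's document root
overlaps the Python application root, so a stopped app would let Apache
serve project files (settings.py, .env, ...) as static content."""
import tempfile
from pathlib import Path
from typing import List

# Files a Django/WSGI project keeps in its application root that must never be
# served verbatim. Pattern list chosen for this example, not a cPanel setting.
SENSITIVE_PATTERNS = ("settings.py", "passenger_wsgi.py", ".env", "*.sqlite3", "*.pyc")


def document_root_overlaps(app_root: str, doc_root: str) -> bool:
    """True when the document root is the application root or lies inside it."""
    app = Path(app_root).resolve()
    doc = Path(doc_root).resolve()
    return doc == app or app in doc.parents


def exposed_files(app_root: str, doc_root: str) -> List[str]:
    """Project files (relative to doc_root) that Apache could serve if the
    Passenger app stops. Empty when the roots do not overlap."""
    if not document_root_overlaps(app_root, doc_root):
        return []
    doc = Path(doc_root).resolve()
    hits = set()
    for pattern in SENSITIVE_PATTERNS:
        hits.update(p.relative_to(doc).as_posix() for p in doc.rglob(pattern) if p.is_file())
    return sorted(hits)


def build_project(base: Path) -> Path:
    """Constructed copy of the thread's django_test layout (contents are dummies)."""
    app_root = base / "django_test"
    (app_root / "myapp").mkdir(parents=True)
    (app_root / "passenger_wsgi.py").write_text("from myapp.wsgi import application\n")
    (app_root / "myapp" / "settings.py").write_text("DATABASES = {}  # constructed\n")
    (app_root / "db.sqlite3").write_bytes(b"")
    return app_root


def demo(separate_docroot: bool) -> List[str]:
    """False reproduces the misconfiguration (doc root == app root);
    True uses an assumed separate public_html folder as the document root."""
    base = Path(tempfile.mkdtemp())
    app_root = build_project(base)
    doc_root = base / "public_html" if separate_docroot else app_root
    doc_root.mkdir(exist_ok=True)
    return exposed_files(str(app_root), str(doc_root))
```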