security issue: Python app creshed and project base code are been show to the public

[MrAli]

Hi

i got a Python app that is running on an add-on domain, But some how the python app was killed and my project files are been exposed to the public,
including the credentials of project database.


a quick fix, i added an index.html to the project folder, to prevent the server from showing my project files.

1. Q. is there an another way to prevent the server from showing the project files if the python app been stopped by the user or by some error?

2. can you add a warring to https://docs.cpanel.net/knowledge-base/web-services/how-to-install-a-python-wsgi-application/ so the user can
be aware of risk of exposure of his project folder to the world.

 

[cPRex]

Hey there! As mentioned on that page, our support for they Python tools is *extremely* limited, as we don't offer any technical support for those tools. My only recommendation would be to setup the test application as outlined on the page and see if you can reproduce the odd behavior with the code being shown to the public. If that's the case with that, and you can provide me with reproduction steps on how you achieved that, I can get a warning added. But in general, we're pretty hands-off with those tools.

 

[MrAli]

1. create python app ( python 3.9.12 because python 3.10 not supported yet by cloudlinux and litespeed )
Application root = django_test
Application URL = django_test.domain.ltd
Application startup file = passenger_wsgi.py
Application Entry point = application


2. in terminal:
$ source /home/user/virtualenv/django_test/3.9/bin/activate && cd /home/user/django_test
$ pip install django
$ django-admin startproject myapp ~/django_test

3. edit django_test/passenger_wsgi.py delete all and keep this line:
from myapp.wsgi import application

4. Edit the myapp/settings.py file. search for allowed_hosts and change it to:
ALLOWED_HOSTS = ['*']

5. point the subdomain or the add-on domain to the same "/django_test" # my error!

6. restart the app.


now if you stop the python app then the subdomain well take control and show the code to the world.

of course pointing the "Application root" and subdomain "Document Root" to the same folder in our case (/django_test ) is 100% user error.


p.s: if you like i can P.M you the link of my test subdomain link to see the error your self.

 

[ecartz]

1. Q. is there an another way to prevent the server from showing the project files if the python app been stopped by the user or by some error?

1. Turn off Indexes in Options: How do I disable directory browsing?
2. Put the files that require security in a subdirectory and use either .htaccess or a Directory block in httpd.conf to execute something like

<Files *>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>

  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>

So files in that subdirectory are not directly accessible via the web but can only be included/imported.
3. OR, put the files that require security outside the web root.

These solutions are not specific to Python code nor cPanel. Moving outside the web root isn't even specific to Apache.