opengamepanel / ogp-agent-linux
License: GNU General Public License v2.0
Hi!
I've found three instances of a potential security vulnerability in your codebase. In these three files, user-input is provided via the $_GET query-parameter and is used with file_get_contents. This triggers a network request to the passed URL. Since there is no filter or sanitization present, an attacker could trigger a network request to arbitrary targets. This is called Server-Side-Request Forgery (SSRF):
OGP-Agent-Linux//IspConfig/sites_ftp_user_delete.php
Lines 10 to 11 in 6352f50
OGP-Agent-Linux/IspConfig/sites_ftp_user_update.php
Lines 11 to 12 in 6352f50
OGP-Agent-Linux/IspConfig/sites_ftp_user_get.php
Lines 10 to 11 in 6352f50
SSRF can be used to exploit the local system, gain privileges and much more, depending on the deployment. Check out e.g. OWASP's material on SSRF for more information: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
Let me know if you have any questions!
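The pattern this report describes, next to a filtered form, as an added example that is not code from OGP-Agent-Linux or from the reporter. The allowlisted host, the port list and all function names are assumptions made for illustration.

```php
<?php
// Added illustration; every name and host below is hypothetical.
const ALLOWED_HOSTS = ['ispconfig.example.internal']; // assumed ISPConfig endpoint
const ALLOWED_PORTS = [443, 8080];

// Pattern from the report: a request parameter reaches file_get_contents()
// unchanged, so the caller decides where the server connects.
function fetch_unfiltered(string $url)
{
    return file_get_contents($url);
}

// Returns a URL rebuilt from validated parts, or null if it must not be fetched.
function validate_remote_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // https only: this also rejects the file://, php:// and ftp:// wrappers.
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    // "allowed-host@other-host" style userinfo is never needed here.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    $port = $parts['port'] ?? 443;
    if (!in_array($host, ALLOWED_HOSTS, true) || !in_array($port, ALLOWED_PORTS, true)) {
        return null;
    }
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return "https://{$host}:{$port}{$path}{$query}";
}

function fetch_filtered(string $url)
{
    $safe = validate_remote_url($url);
    if ($safe === null) {
        return false;
    }
    // Do not follow redirects: a redirect would bypass the allowlist.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    return file_get_contents($safe, false, $ctx);
}

// Constructed sample inputs; only the first one passes validation.
foreach (['https://ispconfig.example.internal:8080/remote/index.php', 'http://localhost/',
          'file:///tmp/x', 'https://ispconfig.example.internal@other.example/'] as $candidate) {
    printf("%-55s %s\n", $candidate, validate_remote_url($candidate) === null ? 'rejected' : 'accepted');
}
```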
Hi,
The update to run the game servers under different users led to an issue with the game server files permissions.
OS Ubuntu 22.04 - PHP 8.1 / latest OGP version as of today 21 April 2023.
1- Create "Multi Theft Auto" game server.
2- Use the option (Rsync Instal).
3- At this point all of the game server files have the owner and group permissions set to "ogp_agent ogp_agent".
4- Files can be edited, renamed, moved, deleted using File Manager.
5- Start the game server.
6- Check the game server files owner and group permissions, they are mixed to "gamehome1 gamehome1" and "gamehome1 ogp_agent":
Files with "gamehome1 gamehome1" can't be edited with the displayed error "Failed to write file to remote server.", files with permissions "gamehome1 ogp_agent" can be edited without issue.
7- Restart the game server, the permissions will be switched to "gamehome1 ogp_agent".
8- Any files that are created by the game server process will have the permissions "gamehome1 gamehome1" which cannot be edited, renamed, moved, deleted using File Manager until the game server is restarted.
When running the agent and looking in the screen session I see the following errors.
cat: /home/Red/OGP/Cfg/Config.pm: No such file or directory
INFO: Located curl: /usr/bin/curl
INFO: Located unzip: /usr/bin/unzip
cat: /home/Red/OGP/Cfg/Config.pm: No such file or directory
Updating agent using curl.
Fixing permissions...
Cleaning up...
sed: can't read /home/Red/OGP/Cfg/Config.pm: No such file or directory
Agent updated successfully.
Agent will auto-restart if there is a crash.
Can't locate Cfg/Config.pm in @INC (you may need to install the Cfg::Config module) (@INC contains: /home/Red/OGP /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base .) at /home/Red/OGP/ogp_agent.pl line 35.
BEGIN failed--compilation aborted at /home/Red/OGP/ogp_agent.pl line 35.
Fri Jun 2 13:31:43 CEST 2017: Agent restart in 10 seconds
Should this file be made by hand?
Can you add rage mp lgsl?
User reported that installing OGP on latest Debian is not working without user intervention because of the typical package rename/substitution on later Debian versions. User requested to add an updated installation procedure for the latest Debian version.
Forum thread here: https://opengamepanel.org/forum/viewthread.php?thread_id=8119&pid=41818#post_41817
Hey,
In my network layer I allowed all ports to my IP of the web server. However, I'm still unable to restart my ogp agent and it shows offline.
It comes up as I just now opened port 443 in agent (not sure)
Could someone please point out why this is so, even after all traffic from my web server is already being accepted?
In my firewall, which ports should I open for proper functioning of OPEN GAME PANEL? The agent and website are on the same system, so I'm using localhost.
Getting this error in update panel :
Unable to download : https://github.com/OpenGamePanel/OGP-Website/commits/master.atom
Unable to update: String could not be parsed as XML
And in extras no modules and nothing is shown.
Update GameQ to latest version
As title says, GitHub wiki is missing the WINE information provided here https://sourceforge.net/p/hldstart/wiki/Installation%20Notes/#running-windows-based-game-servers-on-linuxtm-using-wine
I guess it would be better if everything was imported here.
It is also missing the WHMCS mod. https://sourceforge.net/projects/ogpextras/files/Mods/
The executable file isn't locked if the option "Install/Update manually" was used.
After the update I cannot access the home folders, reinstall the agent and after a few minutes the problem appears again.
I use Ubuntu 14.
The installation is pretty intuitive, but it could be great to add a little tutorial. Can I send a Pull Request?
If the running user shell is set to /usr/sbin/nologin, the server init script won't work. I had to add -s /bin/bash to this line:
to get the OGP running.
When OGP tries to stop a crashed server using rcon2, for some reason the agent never proceeds to use kill -15 to stop the server.
Looks like HL2.pm is returning something that the agent does not know how to deal with, as nothing after $rcon2->run($rconCommand); will run.
To reproduce you only need to start a Gmod server with a map that does not exist and it will hang while starting. If you use OGP's stop button nothing will happen.
If someone who knows Perl well can help me run HL2.pm manually to get its output, I can try to debug that.
With AMXX on Counter-Strike servers, a user can see, modify and delete folders outside their default directory. For example, a script can be used in this way (rm ../../../../../usr/share/ogp_agent) to delete another HOME outside your user. My question: can you separate permissions of servers per user, so as to block at all costs the server itself having access to another route outside its default HOME?
I noticed the LGSL protocol file for Agent php-query/lgsl/lgsl_protocol.php is like a really old version. I don't think I ever used it but isn't it supposed to be a copy of the one the website uses to keep compatibility with game servers? (I think this is used when you disable remote query from Panel, it uses this local query files)
It is the same with GameQ protocol files.
Hello
I restarted my server after many months and OGP Agent just stopped working. Is it caused by an update?
It worked well for more than a year.
ogpbot@s1:~$ bash ogp_agent_run
1006
INFO: Located curl: /usr/bin/curl
INFO: Located unzip: /usr/bin/unzip
The agent is up to date.
systemd detected as the init system with a directory of /lib/systemd/system.
Agent will auto-restart if there is a crash.
syntax error at /home/ogpbot/Cfg/Preferences.pm line 9, near "linux_user_per_game_server"
Compilation failed in require at /home/ogpbot/ogp_agent.pl line 36.
BEGIN failed--compilation aborted at /home/ogpbot/ogp_agent.pl line 36.
Wed Nov 2 22:48:00 CET 2022: Agent restart in 10 seconds
This is the file:
screen_log_local => '1',
delete_logs_after => '30',
ogp_manages_ftp => '1',
ftp_method => 'proftpd',
ogp_autorestart_server => '1',
protocol_shutdown_waittime => '10',
proftpd_conf_path => '/etc/proftpd'
linux_user_per_game_server => '1',
);
And the line:
linux_user_per_game_server => '1',
Please help me to get my gameservers working again!
Thank you for help!
Edit:
I also opened a thread on OGP Forum before: https://opengamepanel.org/forum/viewthread.php?thread_id=7979&pid=41344
I will update both posts when I get answers.
As the title says, when you change the mod key name in the XML file for a game server and then click the UPDATE CONFIGS button, the mod key isn't updated in the database ogp_config_mods table, leading to an error in different Panel pages (for sure the Update with SteamCMD page, for example, where it does not find the given mod key in the database).
Ticking the box Reset Old Configs and clicking the Update Configs button will fix it, as it will wipe everything and then re-add each XML file with the appropriate content.
But I think this is a bug, and it should maybe update the table ogp_config_mods when you just click Update Configs button.
As Rocco changed the mod keys in different XML files recently, users start to have problems regarding this http://www.opengamepanel.org/forum/viewthread.php?thread_id=4137&rowstart=140#post_29400
Apparently MultiTheftAuto servers got the screenlog/logs_backup filled with weird characters
�[23B�[m��[39;49m�[37m�[40m�[H�[C�[0;1m��[34m�[47m-
https://prnt.sc/hdngkj
https://prnt.sc/hdngql
It's just useless characters that consume the server disk space, and to make things worse the logs are duplicated three times:
/home/ogp_agent/OGP_User_Files/3/logs_backup/2210117_2h52m1s.log
/usr/share/ogp_agent/screenlogs/screenlog.OGP_HOME_000000003
/usr/share/ogp_agent/screenlogs/home_id_3/2210117_2h52m1s.log
Using Ubuntu 16 / Easy Installer.
Addon install works correctly with a small zip file; it auto-extracts with no problem.
Addon should auto-extract the big addon zip file too (more than 4GB) after download, but it doesn't.
Investigating currently.. opened as placeholder for now.
Problem seems to be that Perl Archive::Extract doesn't work with Zip64 files, and fails to locate the unzip binary for the fallback method.
The SRCDS process will restart every time you hit stop, even manually killing it means it'll restart.
Steps to reproduce:
Install Garry's Mod Dedicated Server
Set map to unknownmap
Likely impacts Windows agent also.
The only fix I found was to reboot the entire machine or stopping the services and then SRCDS.
Image: http://i.imgur.com/c13W4nB.png
There is a tmp folder, so why doesn't it use it, and why can't it just be removed once the update process has finished?
Hello everyone,
That is not a real issue, more a feature request.
I am running a Garry's Mod Dedicated Server on OGP.
Some of my addons installed on the server need a proper shutdown sequence to ensure no errors or file loss happens. For now I need to type "quit" into the console to shut it down properly and after around 5 seconds I terminate the screen session using the stop button on the panel.
Now, is it possible to create like a third option which properly shuts the server down and then kills the session afterwards?
I've experienced problems related to a forced shutdown on Minecraft servers as well.
Hello maintainer(s),
I am a security researcher from the Institute of Application Security at TU Braunschweig, Germany. We discovered a (potential) security vulnerability in your project.
We would like to report this vulnerability to you in a responsible and ethical manner.
Therefore, we do not want to disclose any details of the vulnerability publicly until you have had a chance to review and fix it.
Could you please let us know your preferred way of receiving security reports?
You can contact us at [email protected] or by replying to this issue.
Thank you for your attention and cooperation.
As title says, the Process Monitor in Dashboard module does not reflect the real time CPU usage, because it uses 'ps' and this is the way it works.
I tried to find some viable native alternative on Linux, and found that we may be able to achieve kinda the same thing as it currently does, but with accurate results for CPU usage by changing ogp_agent.pl line 3836
from $taskList{'task'} = encode_base64(`ps -Ao user,pid,pcpu,pmem,comm,args --sort=-pcpu | head -n 30`);
to $taskList{'task'} = encode_base64(`top -b -c -i -o +%CPU -w512 -n1|grep "COMMAND" -A 30`);
Unfortunately top is not very friendly when it comes to customization, but I think it would be better this way.
What do you think, guys? Do you know any alternative to do what it currently does (list processes' resource usage and information, sorted by CPU usage) without adding extra packages to the OGP install?
Will you add support to open.mp? It's basically SA-MP but better.
Thanks.
I've a ftp made other than that of ogp's.. The agent again and again resets that ftp which has access over everything and disallows it to see cs files in ogp user files folder/6/
New Task list is not sorted by CPU usage and contains the whole machine process list. The command we had before was doing that.
Edit: also, it was not working properly with ps when we tried a long time ago, as it was giving different output than what htop or top would show. Please fix this and bring back a relevant process list that shows the most resource-intensive processes, sorted, and excludes irrelevant processes by limiting the number of lines of output like before (25 lines).