The security trainwreck that is ZPanel

joepie91 Member, Provider
edited May 2013 in General

Yup, another ZPanel thread. Why? To give a nice summary of the atrocious security history of ZPanel. The dates may be approximations, I do not keep specific track of these events. Additionally, quite a few things will be missing - I've only listed the events that I've run across.

  • August 12 2012, numerous vulnerabilities are fixed, one of which can be found here, after a supposed 'security audit' by 'WebSec'.

  • August 12 2012, I have an argument with motters, one of the ZPanel developers, in the LowEndBox IRC channel. motters challenged me to find a vulnerability in ZPanel, after I claimed that their messy code style would produce vulnerabilities that they'd overlook.

  • August 12-13 2012, a few minutes later, I report a vulnerability that allows anyone to reset the administrator password on a ZPanel installation to an arbitrary value, without any authentication whatsoever. The vulnerability is fixed, with what seems like an attempt at insulting me. Note that their "professional security firm WebSec" completely overlooked this blatant and fatal vulnerability, while it took me literally 5 minutes to find.

  • August 15-16 2012, I inform the ZPanel developers of multiple remote code execution vulnerabilities in their 'templater', and submit a patch for a part of them. I warn the developers that the templater will still allow code execution that could potentially be disastrous when combined with zsudo due to the poor design of the templater (using eval(), and letting resellers set custom templates). The lead developer laughs off this warning, tells me that "that's how a templater is supposed to work in PHP", and says that a real templater may be written later, but that it is not a priority and not planned. Again, WebSec has overlooked the issue.

At this point, had I not reported any of these vulnerabilities, I would have been able to combine the administrator password reset vulnerability with the remote root vulnerability and a Google dork. I could have gained instant root on every single ZPanel server in the world, without issues, fully automated, in a matter of minutes. Just to put into perspective what their "professional security firm" missed.

  • November 10 2012, Bobby Allen, the lead developer, posts on the ZPanel forums, claiming that the 'insufficient entropy' vulnerability is "bollocks", and that "CSFR [sic] protection is not necessary, because the backend code authenticates the session". Seeing as insufficient entropy can significantly increase the chance of key guessing, and the whole point of a CSRF attack is to use an already authenticated session, it is clear that Bobby has no idea what he's talking about on both counts, but refuses to admit as much. Furthermore, his attempts at justifying the vulnerabilities inspire a false confidence in users that the software is safe to use.

  • April 17 2013, I make a full-disclosure post on the ZPanel root escalation and command execution vulnerability, after having waited for it to be fixed for 8 months. There is no response from the ZPanel developers, at all, whatsoever.

  • May 10 2013 (today!), almost a month later, there is still no response from the ZPanel team. They have not responded to the full-disclosure post, there is no post on their forums, no announcement on their website, and most importantly, no patch. The codebase is still vulnerable, and it doesn't seem like there will be any effort to fix it, any time soon.


I really don't care that ZPanel is a free or even open-source project; that is not a valid excuse. The reality is that the ZPanel development team, in particular Bobby Allen, is acting highly irresponsible. He is putting hundreds, if not thousands of servers at risk, simply because he does not wish to admit that there are security problems and that they need fixing.

I have heard every excuse under the sun from the development team. "We do this in our free time!", "It's an open-source project...", "Well, it's free!", "That's not really a vulnerability, people won't think to look there...", and so on. I really don't care. ZPanel developers, fix your shit. You have released ZPanel to the world and are promoting it as a professional panel, so give up your "hobby project" attitude. You can't have both. Either include a big fat disclaimer that ZPanel is known to be insecure, and it's a hobby project... or make it secure.

In the meantime, I would advise everyone to stay far far away from anything running ZPanel. The developers do not care about your security.

Currently offering Node.js code review, tutoring and advice and custom Node.js module development!
Appreciate my posts/software/guides? Donate (PayPal/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox
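As an added illustration (example code written for this summary, not ZPanel's code and not from any poster in this thread) of two of the defects described above: a templater that hands reseller-supplied templates to eval(), and a password-reset handler that checks neither the session nor a CSRF token. Each is shown beside a hardened form. The UserStore interface, the admin_id session key and the {{name}} placeholder syntax are assumptions of this example.

```php
<?php
// Added example, not ZPanel code: two of the defects the post describes,
// each beside a hardened form. The UserStore interface is hypothetical.
declare(strict_types=1);

/* ---- 1. Templater -------------------------------------------------------
 * DEFECT: the template is handed to eval(), so any PHP tags inside a
 * reseller-supplied template are executed with the web server's rights.
 */
function render_with_eval(string $template, array $vars): string
{
    extract($vars);
    ob_start();
    eval('?>' . $template);
    return (string) ob_get_clean();
}

/* HARDENED: the template is data. Only {{name}} placeholders with a matching
 * key are substituted; everything else, PHP tags included, is copied
 * literally, and values are HTML-escaped so they cannot inject markup.
 */
function render_safe(string $template, array $vars): string
{
    $out = preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        static function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                return $m[0]; // unknown placeholder stays visible, never executed
            }
            return htmlspecialchars((string) $vars[$m[1]], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('template substitution failed');
    }
    return $out;
}

/* ---- 2. Password reset --------------------------------------------------
 * Hypothetical storage interface; assumed for the example.
 */
interface UserStore
{
    public function setPasswordHash(string $username, string $hash): void;
}

// DEFECT: nothing ties the request to a logged-in administrator, so any
// request that reaches this handler sets any user's password.
function reset_password_unauthenticated(UserStore $store, array $post): void
{
    $store->setPasswordHash($post['user'], password_hash($post['password'], PASSWORD_DEFAULT));
}

// Per-session token from the CSPRNG: 32 random bytes. A short or
// predictable token (the "insufficient entropy" finding) is guessable.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// HARDENED: requires an authenticated admin session AND the session's
// token, compared in constant time. A session cookie alone is not enough:
// a cross-site form submits the cookie automatically but cannot read the token.
function reset_password_checked(UserStore $store, array $post): void
{
    if (empty($_SESSION['admin_id'])) {
        throw new RuntimeException('not authenticated');
    }
    if (!isset($post['csrf']) || !hash_equals(csrf_token(), (string) $post['csrf'])) {
        throw new RuntimeException('CSRF token missing or invalid');
    }
    $store->setPasswordHash($post['user'], password_hash($post['password'], PASSWORD_DEFAULT));
}

// Constructed template: with render_safe() the PHP tags are printed, not run,
// and the value for {{name}} comes out escaped.
$template = 'Hello {{name}}, plan {{plan}} {{unknown}} <?php echo "executed"; ?>';
echo render_safe($template, ['name' => '<b>Alice</b>', 'plan' => 'basic']), PHP_EOL;
```

The design point is that the hardened templater never interprets the template as code, whatever it contains, and the hardened reset handler fails closed on both checks: a request from an unauthenticated client is rejected before any database write, and a request riding on a victim's authenticated session is rejected because it cannot present the per-session token.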

Comments

  • jarland Administrator

    Got KloxoMR working and its my recommendation to clients for this week.

    Thanked by linuxthefish
  • seriesn Member, Provider

    @jarland said: KloxoMR

    ISPconfig, if not, webmin or foxlor FTW

  • joepie91 Member, Provider

    Just noticed that the ZPanel website frontpage now actually claims 'secure'...

  • shovenose Member, Provider

    "a secure, web hosting system" hahahahahahahahahahahahahhahahahahahahahahahahahahahahahahahahaha

  • Lee Member

    @joepie91 said: Yup, another ZPanel thread. Why?

    +1

    Useful info.

    When you are dead, you do not know you are dead. It's only painful and difficult for others. The same applies when you are stupid.

  • This is the main reason why I like to administer everything on my servers via SSH and not use a panel.

    Happy RamNode customer since December 2012, lurking LEB since forever

  • @PenguinManifesto said: via SSH

    +2

  • Use Kloxo-MR...

    ServerBorneo.Com - My VPS Journey

  • DestroyeRCo Member
    edited May 2013
  • @DestroyeRCo: Leave SSH on port 22 while using passwords and not keys? I too like to live dangerously.

    Catalyst Host - Pie Approved!
    Thanked by Infinity, mikho, GM2015
  • Freek Member

    I love ZPanel. It comes pre-installed with an open proxy on port 80. 'It's not a bug, it's a feature'. ZPanel devs should be ashamed. Their 'support' forum has dozens and dozens of questions that are unanswered. Also you cannot deinstall ZPanel, you have to reinstall your whole server.

    Linux noob willing to learn.

  • @HalfEatenPie said: I too like to live dangerously

    Vivere pericoloso :P

    The more I learn stuff, the more I realize how bloody f*****ng stupid I am ...

  • @HalfEatenPie said: Leave SSH on port 22 while using passwords and not keys? I too like to live dangerously.

    Passwords are just fine.

  • joepie91 Member, Provider

    @ShardHost said: Passwords are just fine.

    You were joking, right?

  • Intcs Member
    edited May 2013

    @shovenose said: "a secure, web hosting system"
    hahahahahahahahahahahahahhahahahahahahahahahahahahahahahahahahaha

    That announcement looks vague, as to whether being a "system", or "panel", or "security system" :)

    Please beware that his parents are now using the membership to post for their own, together with our precious son..

  • Raymii Member

    @ShardHost said: Passwords are just fine.

    passwords? my root account doesn't have one, I find it convenient to just ssh [email protected] and don't have to do anything else...

    @joepie91 If you want to "wake up" the developers maybe you should just compromise all the vulnerable servers, and put this post on the front page of all those websites.

    Quis custodiet ipsos custodes?
    https://raymii.org - https://cipherli.st
    Thanked by GM2015
  • @Raymii said: @joepie91 If you want to "wake up" the developers maybe you should just compromise all the vulnerable servers, and put this post on the front page of all those websites.

    Good idea :P

  • @Raymii said: passwords? my root account doens't have one, I find it convenient to just ssh [email protected] and don't have to do anything else...

    I use sudo on all my ubuntu servers. If my SSH key ever gets compromised, they still can't become root without my (strong) password.

    I recommend Prometeus, the best provider ever! | Get your IP at getmyip.ninja
    Check out my blog at mpkossen.com

  • Nexus Member

    Looks like you had enough of them. It also looks like you were trying to help them with code or whatnot, I guess they don't care. Now it's time to find a vulnerability and never tell anyone about it (if u haven't already), and do the deed....

    @Raymii said: @joepie91 If you want to "wake up" the developers maybe you should just compromise all the vulnerable servers, and put this post on the front page of all those websites.

    Yeah, 100% agree. Looks like they don't care about anyone trying to help them.

    D4jsp - Where virgins roam free
  • joepie91 Member, Provider

    @Raymii said: @joepie91 If you want to "wake up" the developers maybe you should just compromise all the vulnerable servers, and put this post on the front page of all those websites.

    Sounds like a good way to get arrested.

    Thanked by Roph, GM2015
  • vanarp Member

    @joepie91 is doing the right thing. I appreciate him warning the LET folks about the vulnerabilities.

    Happy with ssd vps hosting. Now my sites load like they are hosted next door.

  • vanarp Member

    how about someone active on ycombinator posting it there?

  • Raymii Member

    @joepie91 said: Sounds like a good way to get arrested.

    You and I both know that you know how to hide your online activities.

    Thanked by GM2015
  • joepie91 Member, Provider

    @Raymii said: You and I both know that you know how to hide your online activities.

    Even the best technical anonymity won't save your ass if you have just publicly posted information about vulnerabilities, and people have egged you on (under a known identity) to go ahead and do something with it :)

    Thanked by GM2015
  • Raymii Member

    @joepie91 said: Even the best technical anonymity won't save your ass if you have just publicly posted information about vulnerabilities, and people have egged you on (under a known identity) to go ahead and do something with it :)

    You have a valid point there... But still, you should slap them...

  • Noerman Member

    @Raymii said: You have a valid point there... But still, you should slap them...

    I believe he already did it, kudos for @joepie91

    Get Backup / Storage VPS (40% Off Discount: 40PERCENT) | OpenVZ & KVM (Fully Managed) / Shared & Reseller (Free Dedicated IP) | $3 Reseller (50% Off Discount: letbestreselleroffer), Low latency to EU, US and Asia Optimized (affiliate links)

  • I think we've learned an important lesson here. Don't mess with @joepie91

    This signature is brought to you by the NSA. Spying on the entire world since 1952!

  • houliafr Member
    edited June 2013

    I've tried to post this to the zpanel forum, but they censored this: I think you missed yet another vulnerability regarding zsudo. I'm not a user of zpanel myself, but as far as I understand their website the idea is to use it to configure accounts for end-users. These end users do not have to have access to zpanel to exploit the zsudo binary. Since zsudo is installed suid world executable and does not do any authentication, anyone with the ability to execute anything on the server has root effectively. There are various ways to execute a binary, e.g. system() from PHP, the .forward file or procmail from Postfix, …

  • axtux Member

    Thanks for this post. I just started to admin my server some months ago because shared hosting became not enough for me. I'm learning how to maintain a server and I had set up zpanel because I needed fast availability but I think I will install the server again.

    What would you advise as open source panel ? I saw ISPConfig, is it secure enough ? What about webmin ? Also, do you have some advice/text on server security ?

  • joepie91 Member, Provider

    @axtux said: Thanks for this post. I just started to admin my server some months ago because shared hosting became not enough for me. I'm learning how to maintain a server and I had set up zpanel because I needed fast availability but I think I will install the server again.

    What would you advise as open source panel ? I saw ISPConfig, is it secure enough ? What about webmin ? Also, do you have some advice/text on server security ?

    As far as I am aware, both ISPConfig and Webmin have experienced security issues in the past, but both have responded to them appropriately.

    As for server security advice, if you don't absolutely need a control panel (read: you're not running shared hosting), just use SSH with keypair authentication to manage your things and don't install a panel. A good easily configurable alternative to Apache is lighttpd - you could also go with nginx, but the configuration is slightly trickier if you want to use PHP and such.

    Here's a starter guide on setting up lighttpd + PHP + MySQL on Debian (also applies to newer versions of Debian than Etch, except the MySQL listening settings will be correct out of the box): http://www.howtoforge.com/lighttpd_mysql_php_debian_etch

    Thanked by GM2015
  • axtux Member

    Yes I know I don't need a panel but it is a good transition to dedicated servers for me. I think I'll have a try with ISPConfig. My SSH auth is done with keys.

    I heard about nginx but I'm wondering if it would be really reliable as a permanent solution. Cannot newer Apache versions (with good config) show similar performance ? Or is it about security ? I think if Google and OVH are both using Apache, it is not a coincidence. Also, I'll make an open hosting service like legtux and if all users know LAMP, they could be less familiar with nginx.

  • Nginx is MUCH better than apache in low-RAM environments. Try using Neon, http://www.neonpanel.com, which while it's still under development, is free, open-source, and is mostly complete. And it used Nginx!

    BlueVM | Best VPS Deals [~] 1GBPS, RAID-10, OpenVZ/KVM, 8 locations. [~] Feathur VPS Control Panel!
  • joepie91 Member, Provider

    @axtux said: Yes I know I don't need a panel but it is a good transition to dedicated servers for me. I think I'll have a try with ISPConfig. My SSH auth is done with keys.

    I heard about nginx but I'm wondering if it would be really reliable as a permanent solution.

    I don't see why not. It's a very commonly used HTTPd in production environments, and probably more reliable than Apache.

    Cannot newer Apache versions (with good config) show similar performance ?

    I have yet to see an Apache setup that provides similar performance to nginx/lighttpd on a similar amount of resources, and that didn't require an unreasonable amount of configuration to do so.

    Or is it about security ?

    There are many more issues with Apache than there are with nginx and lighttpd.

    I think if Google

    Google doesn't use Apache. Google uses Google Web Server, a custom HTTPd.

    and OVH are both using Apache, it is not a coincidence.

    OVH has a giant amount of (cheap) resources at their disposal. That they are using Apache says nothing about Apache itself.

  • marcm Member

    I have yet to see an Apache setup that provides similar performance to nginx/lighttpd on a similar amount of resources, and that didn't require an unreasonable amount of configuration to do so.

    @joepie91 just the fact that we run Nginx 1.4 in front of Apache on our cPanel servers, and there is a noticeable performance improvement, speaks volumes about how good Nginx is :)

  • https://www.facebook.com/ZpanelCP/posts/564520533598379?comment_id=5580551

    @joepie91 I think you need to see this :)

    Yeah thank-you. This guy has reported nothing new to us. And he's wrong on all accounts with his attitude towards our product. There are no Security Issues with our software. Our 3 Developers have checked and double checked the code and there are no issues.

    CentrioHost LLC - Reliable Shared and Multilevel Reseller Hosting Provider since 2007
    15$/yr. SSD Hosting | Free Domain Reseller | SSL Certificates | More ...

  • @joepie91 If you found leak on ZPanel why not you go for ZPanel Zero Days?

  • marcm Member

    @CentrioHost The Nile is not just a river in Egypt, it's also known as "denial", or a new way of conducting business. In other words if no catastrophe has occurred yet, everything must be just peachy!

    Btw., I love your signature :P ... and to think that I was worried about mine, lol.

  • Mitsuhashi Member
    edited July 2013

    How vulnerable do you see ZPanel being for a single user (a.k.a. not-a-web-host)? As a web server noob, I've found it head-over-heels easier to use with near-flawless autoinstallation. Tried cPanel/WHM trial, Webuzo, Webmin/Virtualmin as well, but I keep coming back to ZPanel because it just freaking works from the get-go and takes up a very reasonable amount of resources. I definitely see that WHM and Webmin are more powerful, but Webmin is way too techie for the newbie while WHM is fat + attracts a stupid amount of bruteforce attempts. Webuzo is nice and simple but has too many dealbreaking bugs at the moment.

    Meanwhile, my ZPanel and its single forum are running along smoothly at Port 80 with nobody other than me and Google visiting.

    I'm really talented at telling SolusVM to reinstall my OS. I can help you do it, too, for absolutely fee.

  • marcm Member

    @Mitsuhashi have you tried ISPConfig? If you haven't you should know that you're missing out on a lot of fun. Btw. it can also manage OpenVZ containers...

  • @marcm I've looked at screenshots but haven't tried installing it. Is it noob-friendly?

  • @CentrioHost said: https://www.facebook.com/ZpanelCP/posts/564520533598379?comment_id=5580551

    joepie91 I think you need to see this :)

    Yeah thank-you. This guy has reported nothing new to us. And he's wrong on all accounts with his attitude towards our product. There are no Security Issues with our software. Our 3 Developers have checked and double checked the code and there are no issues.

    I just had to respond there. They are not only ignorant to community feedback but they were also extremely rude towards joepie91. This was my response (my experience is that some of comments are removed):

    There are security issues with your product. I'm not sure who "you" are, but there was a guy on your forums (one of the developers I believe) that was extremely rude to joepie91 only because he wanted to help and indicate some security issues with your product. I confirmed the initial post there and at the time of the post it was indeed possible to completely take over a ZPanel server by uploading a malicious template. I'm not sure if anything has changed since, but there was really no denying there was a security issue at that time. I don't know of any other issues myself (haven't checked), but I confirmed the template one.

  • CentrioHost Member
    edited July 2013

    I'm running several ZPanel servers at this moment. Only 3 things can make ZPanel secure:

    1. Admin > Module Admin > Protect Directories > Disabled
    2. Admin > Module Admin > Theme Manager > Uncheck for "Reseller" and "Users"
    3. Change SSH Port to something else.

    I really don't think anything else right now required / causes panic...

  • Joepie91 is just a hater of our product

    okay they just convinced me to use cPanel instead

  • twain Member

    @axtux, ispconfig is great, and is also a super easy way to set up a master/slave dns cluster with a nice Web interface for mgmt. I have an ispconfig master plus two ispconfig dns slaves (running on 256M lebs)

  • @marcm @twain Tried the ISPConfig demo, and it looks great! We'll have to see if I can get everything to work, though.

  • joepie91 Member, Provider
    edited July 2013

    @CentrioHost said: https://www.facebook.com/ZpanelCP/posts/564520533598379?comment_id=5580551

    joepie91 I think you need to see this :)

    Yeah thank-you. This guy has reported nothing new to us. And he's wrong on all accounts with his attitude towards our product. There are no Security Issues with our software. Our 3 Developers have checked and double checked the code and there are no issues.

    Sorry, not buying it. Previously, the guy that controlled the Facebook page (or at least, the one that was posting on it constantly) just happened to be the same 'support team member' that lost his shit (i.e. ps2guy). He also just happened to have the same writing style as the guy writing those comments you just linked to.

    @CentrioHost said: joepie91 If you found leak on ZPanel why not you go for ZPanel Zero Days?

    Hm?

    @CentrioHost said: I'm running several ZPanel servers at this moment. Only 3 things can make ZPanel secure:

    1. Admin > Module Admin > Protect Directories > Disabled
    2. Admin > Module Admin > Theme Manager > Uncheck for "Reseller" and "Users"
    3. Change SSH Port to something else.

    I really don't think anything else right now required / causes panic...

    There are probably many more issues in it. They just haven't been uncovered yet.

    EDIT: Sidenote, if you wish to ignore all that I said and use ZPanel anyway, then by all means go ahead. But realize that you're putting yourself at risk, and I'm not going to help you out when you get owned. This doesn't just apply to @CentrioHost, it's a general statement aimed at everybody that has been trying to wave away my warnings so far.

  • netomx Member

    Do you recommend Webmin @joepie91 ?

  • @joepie91 said: There are probably many more issues in it. They just haven't been uncovered yet.

    Could be, right now not advised to use any 3rd party modules along with my 3 recommendations...
