    Latest Security Analysis of Alternative Web Hosting Control Panels by Rack911

    Security Analysis of Alternative Control Panels

    I am not surprised by the results. So those looking for a free alternative to paid control panels, keep in mind that they can pose some threats also.

    Comments

    • Ooh! APNSCP actually did a pretty good job there! Good job @nem! :)

    • nem Member

      Not a bad showing for coming out of the woodwork after 17 years :wink:

    • Congratulations @nem. Fantastic showing. Security is priceless and I hope more people use your solid piece of work.

      Avoid scams and stay updated with legitimate great deals: LowEndBoxes Review | The LEBRE Whitelist of non-scammy lowend hosts | Join the #lexit party sans LEB scams.

    • deank Member

      When something has more holes than VestaCP..., you know your stuff is shitta.

      Select few always have issues.

    • rack911 Member
      edited November 3

      Important to note that these were not 'full' audits. Just a once-through. We'll revisit each one in more depth at a later time, but this should offer a good baseline to the quality of each product.

    • AlwaysSkint Member
      edited November 3

      @deank said:
      When something has more holes than VestaCP..., you know your stuff is shitta.

      Interesting that VestaCP only shows 3 vulnerabilities yet marked down severely for not communicating properly. As for CWP, 'support' is distinctly lacking which is a real shame for what is IMHO, the best (nearly intuitive) of the (bad) bunch.

      Many thanks @rack911

      (Is webmin, without usermin/virtualmin, seen as a reasonable option?)

      Support open-source, go on, you know you want to.

      Long live LowEndInfo.com / LES

    • jsg Member

      I'll wait for the real analysis, because this one is more like "let's shake the tree and see what falls down".
      One thumbs up though for also looking at and mentioning the attitude, type of reaction, and speed of reaction of the developers.

    • @nem said:
      Not a bad showing for coming out of the woodwork after 17 years :wink:

      It's the comms./responsiveness that makes the real difference. :smile:


    • I'm interested to see a MyVestaCP fork security audit. At least such a "preliminary" one.

      Mostly harmless™

      I/O Gremlin

    • ViridWeb Member
      edited November 3

      Whether you agree or not, no one can beat cPanel, at least until now.
      Maybe that's why they have increased the pricing.

      DirectAdmin is really good but still can't match cPanel.

      Sorry if anyone is offended.

      VIRIDWEB - Dedicated Servers / KVM VPS / Shared Hosting / Remote Management / Windows & Linux / Unmetered Bandwidth
      CIN: U72900WB2018OPC226882 | GST: 19AAGCV4976R1Z4

    • cazrz Member

      @rack911 said:
      Important to note that these were not 'full' audits. Just a once-through. We'll revisit each one in more depth at a later time, but this should offer a good baseline to the quality of each product.

      It would be good to also see the audit on CP, DA, Plesk and Interworx.

    • Amitz Member

      @ViridWeb said:
      Sorry if anyone is offended.

      All good. I will get over it one day. Don't feel guilty because of me.

      "Actually, throughout my life, my two greatest assets have been mental stability and being, like, really smart.", Stephen Hawking, 2017. Join the Amitz party here.

    • @AlwaysSkint said:

      @deank said:
      When something has more holes than VestaCP..., you know your stuff is shitta.

      Interesting that VestaCP only shows 3 vulnerabilities yet marked down severely for not communicating properly. As for CWP, 'support' is distinctly lacking which is a real shame for what is IMHO, the best (nearly intuitive) of the (bad) bunch.

      Many thanks @rack911

      (Is webmin, without usermin/virtualmin, seen as a reasonable option?)

      The people behind CWP are frustrating.

      They emailed us a while back requesting Skype. I said look, we're too busy to talk over Skype so just find us on Slack or email us. No reply. Sent them another email the other day requesting an update and then today, they finally get back to us saying their delay is because they have been waiting to talk to us.

      They have been given MONTHS to get their stuff in order and apparently instead of emailing us questions they have just been sitting there waiting...

      Patrick / RACK911 Labs

      https://HostingSecList.com - Security notices for the hosting community.

    • @deank said:
      When something has more holes than VestaCP..., you know your stuff is shitta.

      We sent off at least half a dozen security flaws years ago to VestaCP which is probably why they only have a handful of flaws at the moment. (They were better at communication back then as well. Hell, I've sent them an email every month requesting updates and so far nothing... I don't understand.)


    • deank Member

      It's important to note that security is often a low priority, until it's actually exploited.

      They can then make a formal apology and enjoy the extra attention they get.
      This is a result of a society that rewards failures.


    • cazrz Member

      @SecNinja said:

      @deank said:
      When something has more holes than VestaCP..., you know your stuff is shitta.

      We sent off at least half a dozen security flaws years ago to VestaCP which is probably why they only have a handful of flaws at the moment. (They were better at communication back then as well. Hell, I've sent them an email every month requesting updates and so far nothing... I don't understand.)

      Maybe, I think, it's because they have already hired a security audit company, IIRC.

    • AnthonySmith Top Provider

      Rack911 are not cheap; if you believe for 1 second they did this work for free, you are a potato.

      And if you don't know what question that actually poses, you are not even a very good quality potato.

      Had enough of the scams on lowendbox, lowendtalk is now being infiltrated by corruption so I have chosen to make an low end exit #lexit for now - you can find me HERE

    • cazrz Member

      I'm not sure if they were the ones who found the backdoor in the vestacp repo before, IIRC it was Falzo.

    • I would be interested in the full reports if this is the summary. I do have to wonder who is paying for these security analyses. I do appreciate the information they have provided, but I would like a little more transparency/disclosure from Rack911.

      If I had some tin foil to make a hat, I may even begin to wonder if the company hiring Rack911 may get more favorable results.

      It's nothing but a Joncept!

    • nem Member

      @JustJon said:
      I would be interested in the full reports if this is the summary. I do have to wonder who is paying for these security analyses. I do appreciate the information they have provided, but I would like a little more transparency/disclosure from Rack911.

      Here’s mine with commentary. Audit report at the end.

      https://hq.apnscp.com/ap-01-ap-07-security-vulnerability-update/

    • SecNinja Member
      edited November 3

      @JustJon said:
      I would be interested in the full reports if this is the summary. I do have to wonder who is paying for these security analyses. I do appreciate the information they have provided, but I would like a little more transparency/disclosure from Rack911.

      If I had some tin foil to make a hat, I may even begin to wonder if the company hiring Rack911 may get more favorable results.

      What sort of transparency do you want? If you're curious as to who has paid us:

      InterWorx (Full Audit - Last Payment 2014)
      DirectAdmin (Full Audit - Last Payment 2015)
      cPanel (Bug Bounties - Last Payment 2018)
      Plesk (Bug Bounties - Last Payment 2018)

      However, none of the panels above are ACTIVELY paying us nor has there been any sort of discussion for us to audit competitor products and make their product appear more secure. I don't think any of them even knew we were going to publish this report outside of them maybe reading about it on WHT.

      You can't even begin to imagine how much time was spent going over all of the alternative control panels for absolutely no financial benefit to our company. Those audits were done 100% to benefit the hosting community and let people make their own decisions on what panel(s) they wish to use.

      The reason we had DirectAdmin, Plesk and InterWorx at the top is simply because they are the main competitors to cPanel and we know first hand how secure they are. Nothing more than that! :)

      Edit:

      Full audit reports will be released when the developers fix the flaws. It's mind blowing that it has taken this long... but, we would not be doing anyone right if we released those reports with full exploits at the moment.

      Patrick / RACK911 Labs

      https://HostingSecList.com - Security notices for the hosting community.

    • rack911 Member
      edited November 3

      No one paid for this analysis. We devote a lot of time to random security auditing and have done so since 2013. We started doing it back in 2013 for the sole benefit of the hosting community when we discovered a privilege escalation vulnerability that affected every server that had Softaculous installed, and since then have uncovered hundreds of vulnerabilities in hosting software without being paid to do so.

      To be blunt, we can afford to do work like this pro bono. As mentioned above, it was not a full audit, but rather a once-over of every function. The big name control panels (DirectAdmin, Plesk, InterWorx, cPanel) are run over quickly every month, and have been for years.

    • AlwaysSkint Member
      edited November 3

      @rack911 excuse the riff-raff who've not followed this from the start and/or conspiracy theorists. ;-)


    • rack911 Member
      edited November 3

      @AlwaysSkint said:
      @rack911 excuse the riff-raff who've not followed this from the start. ;-)

      :)

      Some history for all of you doubters who don't know what we do.
      http://files.rack911labs.com/public/RACK911_Labs_-_Year_In_Review-2013.pdf

      Some more history from the print copy of the now defunct TheWHIR magazine: https://i.imgur.com/K2wqjRr.jpg

    • AlwaysSkint Member
      edited November 3

      Good to see DA has turned things around considerably - let's hope others can follow suit.


    • @AlwaysSkint said:
      Good to see DA has turned things around considerably.

      Things overall would have been much different with some of these companies, security-wise, before we started hammering on them. cPanel never had a formal security team, or bug bounties. That is something we pushed for and got. I was on a paddle boat during a cPanel conference years ago when one of the security team members told me, "we pushed for years to get a security team, it took you 6 months". The same story goes with many other companies.

    • Well there's more than me who appreciates the invaluable work done for the community. The 'exposure' alone I'm sure will stand you in good stead.


    • jsg Member
      edited November 4

      @SecNinja said:
      You can't even begin to imagine how much time was spent going over all of the alternative control panels for absolutely no financial benefit to our company. Those audits were done 100% to benefit the hosting community and let people make their own decisions on what panel(s) they wish to use.

      • Well, I actually can (I'm a developer in IT security)
      • Kindly stop insulting our intelligence! OF bloody COURSE there is a benefit in it for you and that's why you show a high presence in this thread.
      • @JustJon is right asking for more information. Those panel thingies can make or break a provider's business and it's certainly not illegitimate to ask for a bit more than "someone at Rack911 says so and has painted some graphics too".
      • I have a hard time seeing you as impartial. You put the logos of the "good ones" right smack at the top and you offer nothing but assertions, some graphics, and some data points of usually low significance.
      • You'll provide more concrete info once the problems are solved? That's ridiculous. (a) That risks meaning "never", and (b) most of those problems are not new. Most importantly though, your decision clearly suggests on whose side you really are, and it's not us, the customers/users of those panels.

      At first I stayed quiet and very polite, but frankly, I take that whole thing to be mainly one thing: a marketing stunt for yourself and a few preferred panel producers.

      Trust me, I know what an analysis looks like because I do them myself. So let me suggest you switch 2 gears down and don't paternalize LET users who have valid questions ...

      P.S. And the message is? That most panel producers either don't know about security or they don't care about it anyway? How shocking. Who would have thought that! (Everyone with a working brain).

    • nem Member

      As someone on the panel side who has spent a great deal of time poring over panel developers' code, some get it and others don't. Some don't deduplicate, some copy and paste. Most of what Patrick pointed out was a mea culpa on my part, but something that could be easily addressed by the panel architecture. Others don't have an appropriate design and they'll sink in technical debt without significant refactoring.

      I appreciate what he's done for my business going forward. The lack of a bounds check on email domains has been withstanding for at least a decade. Knowing what to look for gave me an opportunity to take a closer look at these modules for other similar issues. Hindsight is always 20/20. Whether one does it out of charity or notoriety is still better than going through life blind.

      That being said, it's a great opportunity to one up Patrick on a second round of audits to show what he missed :smiley:

    • @rack911 said:
      No one paid for this analysis. We devote a lot of time to random security auditing and have done so since 2013. We started doing it back in 2013 for the sole benefit of the hosting community when we discovered a privilege escalation vulnerability that affected every server that had Softaculous installed, and since then have uncovered hundreds of vulnerabilities in hosting software without being paid to do so.

      To be blunt, we can afford to do work like this pro bono. As mentioned above, it was not a full audit, but rather a once-over of every function. The big name control panels (DirectAdmin, Plesk, InterWorx, cPanel) are run over quickly every month, and have been for years.

      Is there any chance whatsoever to do the same for MyVestaCP fork of VestaCP?

      It is my understanding that MyVestaCP, unlike "the original" is being regularly patched for flaws, while, unlike Hestia (another VestaCP fork), it is also made to be as compatible with VestaCP updates as possible (requiring a minimum number of changes to the code).

      Talking about hosting community benefit - I think free open source is as good as it gets, mostly worth investing time and effort - if it is any good at all.


    • cazrz Member

      I'm still wondering why rack911 was not able to find the culprit in VestaCP immediately from the issue last April 2018, IIRC. Instead it was one of the community users.

      No explanation needed really. I was just wondering, as I think rack911 was given access to the repo for further investigation.

      Free / pro bono or paid, I'm thankful for any of your insights. Again, I was just wondering what happened on that VestaCP issue. Then VestaCP, IIRC, just hired another sec audit company ("Arcturus") instead.

    • AlwaysSkint Member
      edited November 4

      Awaiting the similar audit from @jsg :p


    • Neoon Member

      CyberPanel got busted, pretty much.
      It's a deadly combination, to forward input directly into the shell without validation.

    • @cazrz said:

      I'm still wondering why rack911 was not able to find the culprit in VestaCP immediately from the issue last April 2018, IIRC. Instead it was one of the community users.

      No explanation needed really. I was just wondering, as I think rack911 was given access to the repo for further investigation.

      Free / pro bono or paid, I'm thankful for any of your insights. Again, I was just wondering what happened on that VestaCP issue. Then VestaCP, IIRC, just hired another sec audit company ("Arcturus") instead.

      A lot of misinformation on the internet on this one. VestaCP never worked with us on that level. We had tried to push paid audits on them, but they always declined.

    • @rack911 said:
      @cazrz said:

      I'm still wondering why rack911 was not able to find the culprit in VestaCP immediately from the issue last April 2018, IIRC. Instead it was one of the community users.

      No explanation needed really. I was just wondering, as I think rack911 was given access to the repo for further investigation.

      Free / pro bono or paid, I'm thankful for any of your insights. Again, I was just wondering what happened on that VestaCP issue. Then VestaCP, IIRC, just hired another sec audit company ("Arcturus") instead.

      A lot of misinformation on the internet on this one. VestaCP never worked with us on that level. We had tried to push paid audits on them, but they always declined.

      I would say that this is the guy you'd want to be working with:
      https://github.com/myvesta/vesta/blob/master/README.md#myvesta-control-panel


    • myvesta seems to be good. But, they are Debian only (no CentOS)!

      My list of reliable providers :
      Ramnode : HostHatch : Dediserve : Serverica : GBServe : OnePoundWebHosting : Vultr : Few more under testing!

    • @niceboy said:
      myvesta seems to be good. But, they are Debian only (no CentOS)!

      And, from my understanding, currently not very good for reseller hosting setups.
      Still, it's the only free open source solution that seems to be working and for which the developer is doing all they can to keep it as good as possible (and using it on their servers).

      Would be interested in reading a security audit (and would be delighted to see more community support, it's practically a one man show for now).


    • cazrz Member

      IMHO this post is just a stunt or marketing. Traffic or for whatever purpose.

      That's just my honest opinion.

    • Regardless of the motivations, the efforts have highlighted the security aspects of the various control panels and brought it to the front of people's minds.


    • Neoon Member

      @cazrz said:
      IMHO this post is just a stunt or marketing. Traffic or for whatever purpose.

      That's just my honest opinion.

      Of course, it's a company; they do exist to make money.
      Even if they say it's all free and no one paid them, it's likely that they get a few more customers.

      Which may pay for the work they put into it.
      But at the end, the benefits are on both sides.

      Not just one side, which is a fair trade as long as it's balanced.

    • deank Member

      Why a company trying to make money is seen as evil is beyond me.
      What do you expect a company to do?


    • Neoon Member
      edited November 4

      @deank said:
      Why a company trying to make money is seen as evil is beyond me.
      What do you expect a company to do?

      The word "company" triggers things like "Nestle".
      It's all about https://en.wikipedia.org/wiki/Framing_effect_(psychology)

    • jvnadr Member
      edited November 4

      Rack911 is a company. Of course, they do have some targets in auditing those panels for free. Is this because they want to push people to use paid web panels instead of free ones? Is it because they want to continue their status as one of the most well-known auditing companies out there? Is it because they want to help stop the spread of malware, viruses and hacked servers on the net? Or having more data on the exploits and issues in panels for gaining more info when working on a paid task?
      Maybe all of the above. But, at the end of the day, it is good having an audit company do some checks on those panels and inform their developers.
      It would be good, of course, if those developers responded publicly (not on LET but on their website or forum) about the issues, the audit and their actions afterwards.
      And it would also be good if Rack911 wouldn't just write a number but also give some more info, not about the actual type of vulnerabilities but whether, for example, one of the three of Vesta is a catastrophic one and none of the 15 of Virtualmin is so dangerous.

      That said, if you put aside the Vesta developer's attitude (that is well known), it is pretty impressive that it is the free panel with the fewest vulnerabilities, together with ISPConfig.
      As impressive as the fact that Virtualmin has tons of vulnerabilities (of course, it is something that can be explained by the range of features it has and the variety of OSes it can be installed on).
      As for CyberPanel? This is a surprise, given the fact that since long ago, they have been backed by LiteSpeed itself to provide a panel that promotes the paid web server... It would be interesting to see what @cyberpersons has to say about this...

      • If a program actually fits in memory and has enough disk space, it is guaranteed to crash.
      • If such a program has not crashed yet, it is waiting for a critical moment before it crashes.

    • jsg Member

      @AlwaysSkint said:
      Awaiting the similar audit from @jsg :p

      Won't happen. I'm way too disinterested in panels. Also, all that PHP, Python, and Perl code is much too far away from my daily life. There are others who'll do a better job on that than me.
      But still, as analyzing and verifying is an important part of my daily work I recognize when it's done well or not so well.

    • ^ I get pissed off with my neighbours too.


    • deank Member

      Devs don't need to respond to the article.

      Just patch the holes. Words are cheap after all.

    • AlwaysSkint Member
      edited November 4

      With all the emphasis on security (rightly so) there appears to be a total lack of comparison as to how they all perform, in respect to RAM, CPU & disc overhead, in particular.
      I'd think that'd be appropriate for the lowend sector.


    • deank Member

      Well, they are a security audit firm after all.

      They don't need to look at anything else.

    • AlwaysSkint Member
      edited November 4

      @deank said:
      Well, they are a security audit firm after all.

      They don't need to look at anything else.

      I did mean in general terms. Apologies for the brevity.


    • deank Member
      edited November 4

      Well, the point still stands. They specialize in security audits and that is their sole reason for existence.
      Sticking to what they are good at is a good way to stay up.

      Of course, some are too good at screwing up in which case they will go belly up sooner or later.