The security trainwreck that is ZPanel

joepie91 Member, Patron Provider
edited May 2013 in General

Yup, another ZPanel thread. Why? To give a nice summary of the atrocious security history of ZPanel. The dates may be approximations, I do not keep specific track of these events. Additionally, quite a few things will be missing - I've only listed the events that I've run across.

  • August 12 2012, numerous vulnerabilities are fixed, one of which can be found here, after a supposed 'security audit' by 'WebSec'.

  • August 12 2012, I have an argument with motters, one of the ZPanel developers, in the LowEndBox IRC channel. motters challenged me to find a vulnerability in ZPanel, after I claimed that their messy code style would produce vulnerabilities that they'd overlook.

  • August 12-13 2012, a few minutes later, I report a vulnerability that allows anyone to reset the administrator password on a ZPanel installation to an arbitrary value, without any authentication whatsoever. The vulnerability is fixed, with what seems like an attempt at insulting me. Note that their "professional security firm WebSec" completely overlooked this blatant and fatal vulnerability, while it took me literally 5 minutes to find.

  • August 15-16 2012, I inform the ZPanel developers of multiple remote code execution vulnerabilities in their 'templater', and submit a patch for a part of them. I warn the developers that the templater will still allow code execution that could potentially be disastrous when combined with zsudo due to the poor design of the templater (using eval(), and letting resellers set custom templates). The lead developer laughs off this warning, tells me that "that's how a templater is supposed to work in PHP", and says that a real templater may be written later, but that it is not a priority and not planned. Again, WebSec has overlooked the issue.

At this point, had I not reported any of these vulnerabilities, I would have been able to combine the administrator password reset vulnerability with the remote root vulnerability and a Google dork. I could have gained instant root on every single ZPanel server in the world, without issues, fully automated, in a matter of minutes. Just to put into perspective what their "professional security firm" missed.

  • November 10 2012, Bobby Allen, the lead developer, posts on the ZPanel forums, claiming that the 'insufficient entropy' vulnerability is "bollocks", and that "CSFR [sic] protection is not necessary, because the backend code authenticates the session". Seeing as insufficient entropy can significantly increase the chance of key guessing, and the whole point of a CSRF attack is to use an already authenticated session, it is clear that Bobby has no idea what he's talking about on both counts, but refuses to admit as much. Furthermore, his attempts at justifying the vulnerabilities inspire a false confidence in users that the software is safe to use.

  • April 17 2013, I make a full-disclosure post on the ZPanel root escalation and command execution vulnerability, after having waited for it to be fixed for 8 months. There is no response from the ZPanel developers, at all, whatsoever.

  • May 10 2013 (today!), almost a month later, there is still no response from the ZPanel team. They have not responded to the full-disclosure post, there is no post on their forums, no announcement on their website, and most importantly, no patch. The codebase is still vulnerable, and it doesn't seem like there will be any effort to fix it, any time soon.


I really don't care that ZPanel is a free or even open-source project; that is not a valid excuse. The reality is that the ZPanel development team, in particular Bobby Allen, is acting highly irresponsibly. He is putting hundreds, if not thousands, of servers at risk, simply because he does not wish to admit that there are security problems and that they need fixing.

I have heard every excuse under the sun from the development team. "We do this in our free time!", "It's an open-source project...", "Well, it's free!", "That's not really a vulnerability, people won't think to look there...", and so on. I really don't care. ZPanel developers, fix your shit. You have released ZPanel to the world and are promoting it as a professional panel, so give up your "hobby project" attitude. You can't have both. Either include a big fat disclaimer that ZPanel is known to be insecure, and it's a hobby project... or make it secure.

In the meantime, I would advise everyone to stay far far away from anything running ZPanel. The developers do not care about your security.
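The templater point above (templates passed through eval(), and resellers allowed to supply them) comes down to treating untrusted template text as code. As an added illustration that is not part of this thread or of ZPanel's code, the following PHP renders a template by plain placeholder substitution from an allowlisted value map, so a reseller-controlled template can at most print text. The function name `renderTemplate`, the `{{key}}` syntax and the sample values are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not ZPanel code: templates are data and are never passed to eval().
// Placeholders of the form {{key}} are replaced from an allowlisted map; any other
// text in the template, PHP syntax included, is copied through literally.

/**
 * Render $template by substituting {{key}} placeholders from $vars.
 *
 * @param string                $template Untrusted template text (e.g. reseller-supplied).
 * @param array<string, string> $vars     Trusted, allowlisted variable map.
 */
function renderTemplate(string $template, array $vars): string
{
    $rendered = preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        static function (array $match) use ($vars): string {
            $key = $match[1];
            if (!array_key_exists($key, $vars)) {
                // Unknown placeholder: emit nothing. No dynamic lookups, no function calls.
                return '';
            }
            // Escape on output so a value such as a username cannot inject markup.
            return htmlspecialchars((string) $vars[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );

    // preg_replace_callback() returns null on a regex engine error; render nothing in that case.
    return $rendered ?? '';
}

// Constructed sample input standing in for a reseller's custom template.
$resellerTemplate = "<h1>Welcome, {{ username }}</h1>\n"
    . "<p>Disk quota: {{quota}} MB</p>\n"
    . "<p>{{ no_such_variable }}</p>\n";

$vars = [
    'username' => 'alice <b>',   // markup inside a value is escaped, not rendered
    'quota'    => '512',
];

echo renderTemplate($resellerTemplate, $vars);
```

The design choice is that the template author controls only where values appear, never which code runs: the callback consults a fixed array, so there is nothing for a hostile template to reach, and the zsudo combination the post warns about has no entry point through the templater.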
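The CSRF and entropy points above, as an added example that is not part of the original post or of ZPanel's code: a synchronizer token generated from the OS CSPRNG and checked on every state-changing request. A forged cross-site request rides on the victim's already authenticated session cookie but cannot read or supply the token, so "the backend authenticates the session" does not stop it. The function names and the plain arrays standing in for `$_SESSION` and `$_POST` are this example's assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ZPanel code: synchronizer-token CSRF protection with a
// properly random token. The token lives in the authenticated session and must be
// echoed back in the request body; the session cookie alone is not sufficient.

const CSRF_TOKEN_BYTES = 32; // 256 bits: no realistic guessing budget reaches this

/** Return the session's CSRF token, creating it from the OS CSPRNG if absent. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // random_bytes() is the CSPRNG; rand()/mt_rand()/uniqid() are not suitable for tokens.
        $session['csrf_token'] = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    }
    return $session['csrf_token'];
}

/** Hidden form field that every legitimate state-changing form includes. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Verify a state-changing request: true only when a token was submitted and it
 * matches the session token. hash_equals() compares in constant time.
 */
function csrfVerify(array $session, array $post): bool
{
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed demonstration: the user is logged in, so the session is authenticated.
$session = ['user_id' => 1];
$token   = csrfToken($session);

// A form rendered by the application carries the token and is accepted.
var_dump(csrfVerify($session, ['new_password' => 'example', 'csrf_token' => $token]));

// A cross-site request arrives with the session cookie but without the token
// (another origin cannot read it), so it is rejected despite the valid session.
var_dump(csrfVerify($session, ['new_password' => 'example']));
```

The first `var_dump` call prints true and the second prints false: the second request is fully authenticated by the session and still refused, which is exactly the case the "session authentication is enough" argument misses. The entropy half of the argument is the `random_bytes` line; a token built from a weak generator or a timestamp is guessable no matter how the check is written.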


Comments

  • jar Patron Provider, Top Host, Veteran

    Got KloxoMR working and it's my recommendation to clients for this week.

    Thanked by 1: linuxthefish
  • seriesn Member

    @jarland said: KloxoMR

    ISPconfig, if not, webmin or foxlor FTW

  • joepie91 Member, Patron Provider

    Just noticed that the ZPanel website frontpage now actually claims 'secure'...

  • shovenose Member, Host Rep

    "a secure, web hosting system"
    hahahahahahahahahahahahahhahahahahahahahahahahahahahahahahahahaha

  • Lee Veteran

    @joepie91 said: Yup, another ZPanel thread. Why?

    +1

    Useful info.

  • This is the main reason why I like to administer everything on my servers via SSH and not use a panel.

  • Use Kloxo-MR...

  • DestroyeRCo Member
    edited May 2013
  • @DestroyeRCo: Leave SSH on port 22 while using passwords and not keys? I too like to live dangerously.

    Thanked by 3: Infinity, mikho, GM2015
  • Freek Member

    I love ZPanel. It comes pre-installed with an open proxy on port 80. 'It's not a bug, it's a feature'.
    ZPanel devs should be ashamed. Their 'support' forum has dozens and dozens of questions that are unanswered. Also you cannot deinstall ZPanel, you have to reinstall your whole server.

  • @HalfEatenPie said: I too like to live dangerously

    Vivere pericoloso :P

  • @HalfEatenPie said: Leave SSH on port 22 while using passwords and not keys? I too like to live dangerously.

    Passwords are just fine.

  • joepie91 Member, Patron Provider

    @ShardHost said: Passwords are just fine.

    You were joking, right?

  • Intcs Member
    edited May 2013

    @shovenose said: "a secure, web hosting system"

    hahahahahahahahahahahahahhahahahahahahahahahahahahahahahahahahaha

    That announcement looks vague, as to whether being a "system", or "panel", or "security system" :)

  • Raymii Member

    @ShardHost said: Passwords are just fine.

    passwords? my root account doesn't have one, I find it convenient to just ssh root@server and don't have to do anything else...

    @joepie91 If you want to "wake up" the developers maybe you should just compromise all the vulnerable servers, and put this post on the front page of all those websites.

    Thanked by 1: GM2015
  • @Raymii said: @joepie91 If you want to "wake up" the developers maybe you should just compromise all the vulnerable servers, and put this post on the front page of all those websites.

    Good idea :P

  • @Raymii said: passwords? my root account doens't have one, I find it convenient to just ssh root@server and don't have to do anything else...

    I use sudo on all my ubuntu servers. If my SSH key ever gets compromised, they still can't become root without my (strong) password.

  • Nexus Member

    Looks like you had enough of them. It also looks like you were trying to help them with code or whatnot, I guess they don't care. Now it's time to find a vulnerability and never tell anyone about it (if you haven't already), and do the deed....

    @Raymii said: @joepie91 If you want to "wake up" the developers maybe you should just compromise all the vulnerable servers, and put this post on the front page of all those websites.

    Yeah, 100% agree. Looks like they don't care about anyone trying to help them.

  • joepie91 Member, Patron Provider

    @Raymii said: @joepie91 If you want to "wake up" the developers maybe you should just compromise all the vulnerable servers, and put this post on the front page of all those websites.

    Sounds like a good way to get arrested.

    Thanked by 2: Roph, GM2015
  • vanarp Member

    @joepie91 is doing the right thing. I appreciate him warning the LET folks about the vulnerabilities.

  • vanarp Member

    How about someone active on ycombinator posting it there?

  • Raymii Member

    @joepie91 said: Sounds like a good way to get arrested.

    You and I both know that you know how to hide your online activities.

    Thanked by 1: GM2015
  • joepie91 Member, Patron Provider

    @Raymii said: You and I both know that you know how to hide your online activities.

    Even the best technical anonymity won't save your ass if you have just publicly posted information about vulnerabilities, and people have egged you on (under a known identity) to go ahead and do something with it :)

    Thanked by 1: GM2015
  • Raymii Member

    @joepie91 said: Even the best technical anonymity won't save your ass if you have just publicly posted information about vulnerabilities, and people have egged you on (under a known identity) to go ahead and do something with it :)

    You have a valid point there... But still, you should slap them...

  • Noerman Member

    @Raymii said: You have a valid point there... But still, you should slap them...

    I believe he already did it, kudos for @joepie91

  • I think we've learned an important lesson here. Don't mess with @joepie91

  • houliafr Member
    edited June 2013

    I've tried to post this to the zpanel forum, but they censored this: I think you missed yet another vulnerability regarding zsudo. I'm not a user of zpanel myself, but as far as I understand their website the idea is to use it to configure accounts for end-users. These end users do not have to have access to zpanel to exploit the zsudo binary. Since zsudo is installed suid world executable and does not do any authentication, anyone with the ability to execute anything on the server has root effectively. There are various ways to execute a binary, e.g. system() from PHP, the .forward file or procmail from Postfix, …

  • axtux Member

    Thanks for this post. I just started to admin my server some months ago because shared hosting became not enough for me. I'm learning how to maintain a server and I had set up zpanel because I needed fast availability but I think I will install the server again.

    What would you advise as open source panel? I saw ISPConfig, is it secure enough? What about webmin? Also, do you have some advice/text on server security?

  • joepie91 Member, Patron Provider

    @axtux said:
    Thanks for this post. I just started to admin my server some months ago because shared hosting became not enough for me. I'm learning how to maintain a server and I had set up zpanel because I needed fast availability but I think I will install the server again.

    What would you advise as open source panel? I saw ISPConfig, is it secure enough? What about webmin? Also, do you have some advice/text on server security?

    As far as I am aware, both ISPConfig and Webmin have experienced security issues in the past, but both have responded to them appropriately.

    As for server security advice, if you don't absolutely need a control panel (read: you're not running shared hosting), just use SSH with keypair authentication to manage your things and don't install a panel. A good easily configurable alternative to Apache is lighttpd - you could also go with nginx, but the configuration is slightly trickier if you want to use PHP and such.

    Here's a starter guide on setting up lighttpd + PHP + MySQL on Debian (also applies to newer versions of Debian than Etch, except the MySQL listening settings will be correct out of the box): http://www.howtoforge.com/lighttpd_mysql_php_debian_etch

    Thanked by 1: GM2015