Latest Security Analysis of Alternative Web Hosting Control Panels by Rack911

Security Analysis of Alternative Control Panels

I am not surprised by the results. So those looking for a free alternative to paid control panels, keep in mind that they can pose some threats also.


Comments

  • Ooh! APNSCP actually did a pretty good job there! Good job @nem! :)

  • nem Member, Host Rep

    Not a bad showing for coming out of the woodwork after 17 years :wink:

  • Congratulations @nem. Fantastic showing. Security is priceless and I hope more people use your solid piece of work.

  • deank Member, Troll

    When something has more holes than VestaCP..., you know your stuff is shitta.

  • rack911 Member
    edited November 2019

    Important to note, that these were not 'full' audits. Just a once through. We'll revisit each one in more depth at a later time but this should offer a good baseline to the quality of each product.

  • AlwaysSkint Member
    edited November 2019

    @deank said:
    When something has more holes than VestaCP..., you know your stuff is shitta.

    Interesting that VestaCP only shows 3 vulnerabilities yet marked down severely for not communicating properly. As for CWP, 'support' is distinctly lacking which is a real shame for what is IMHO, the best (nearly intuitive) of the (bad) bunch.

    Many thanks @rack911

    (Is webmin, without usermin/virtualmin, seen as a reasonable option?)

  • jsg Member, Resident Benchmarker

    I'll wait for the real analysis, because this one is more like "let's shake the tree and see what falls down".
    One thumbs up though for also looking at and mentioning the attitude, type of reaction, and speed of reaction of the developers.

  • @nem said:
    Not a bad showing for coming out of the woodwork after 17 years :wink:

    It's the comms./responsiveness that makes the real difference. :smile:

  • I'm interested to see a MyVestaCP fork security audit. At least such "preliminary" one.

  • ViridWeb Member, Host Rep
    edited November 2019

    Well, agree or not, no one can beat cPanel, at least till now.
    Maybe that's why they have increased the pricing.

    Directadmin is really good but still can't match with cPanel..

    Sorry if anyone offended..

  • @rack911 said:
    Important to note, that these were not 'full' audits. Just a once through. We'll revisit each one in more depth at a later time but this should offer a good baseline to the quality of each product.

    It will be good to see also the audit on CP, DA, Plesk and Interworx

  • @ViridWeb said:
    Sorry if anyone offended..

    All good. I will get over it one day. Don't feel guilty because of me.

  • @AlwaysSkint said:

    @deank said:
    When something has more holes than VestaCP..., you know your stuff is shitta.

    Interesting that VestaCP only shows 3 vulnerabilities yet marked down severely for not communicating properly. As for CWP, 'support' is distinctly lacking which is a real shame for what is IMHO, the best (nearly intuitive) of the (bad) bunch.

    Many thanks @rack911

    (Is webmin, without usermin/virtualmin, seen as a reasonable option?)

    The people behind CWP are frustrating.

    They emailed us a while back requesting Skype. I said look, we're too busy to talk over Skype so just find us on Slack or email us. No reply. Sent them another email the other day requesting an update and then today, they finally get back to us saying their delay is because they have been waiting to talk to us.

    They have been given MONTHS to get their stuff in order and apparently instead of emailing us questions they have just been sitting there waiting...

  • @deank said:
    When something has more holes than VestaCP..., you know your stuff is shitta.

    We sent off at least half a dozen security flaws years ago to VestaCP which is probably why they only have a handful of flaws at the moment. (They were better at communication back then as well. Hell, I've sent them an email every month requesting updates and so far nothing... I don't understand.)

  • deank Member, Troll

    It's important to note that security is often on low priority, until it's actually exploited.

    They can, then, make a formal apology and enjoy extra attention they get.
    This is a result of a society that rewards failures.

  • @SecNinja said:

    @deank said:
    When something has more holes than VestaCP..., you know your stuff is shitta.

    We sent off at least half a dozen security flaws years ago to VestaCP which is probably why they only have a handful of flaws at the moment. (They were better at communication back then as well. Hell, I've sent them an email every month requesting updates and so far nothing... I don't understand.)

    Maybe I think it's because they already have hired a security audit company, IIRC.

  • AnthonySmith Member, Patron Provider

    Rack911 are not cheap, if you believe for 1 second they did this work for free you are a potato.

    And if you don't know what question that actually poses, you are not even a very good quality potato.

  • I'm not sure if they were the ones who found the backdoor in the vestacp repo before, IIRC it was Falzo.

  • I would be interested in the full reports if this is the summary. I do have to wonder who is paying for these security analyses. I do appreciate the information they have provided, but I would like a little more transparency/disclosure from Rack911.

    If I had some tin foil to make a hat I may even begin to wonder if the company hiring Rack911 may get more favorable results.

  • nem Member, Host Rep

    @JustJon said:
    I would be interested in the full reports if this is the summary. I do have to wonder who is paying for these security analyses. I do appreciate the information they have provided, but I would like a little more transparency/disclosure from Rack911.

    Here’s mine with commentary. Audit report at the end.

    https://hq.apnscp.com/ap-01-ap-07-security-vulnerability-update/

  • SecNinja Member
    edited November 2019

    @JustJon said:
    I would be interested in the full reports if this is the summary. I do have to wonder who is paying for these security analyses. I do appreciate the information they have provided, but I would like a little more transparency/disclosure from Rack911.

    If I had some tin foil to make a hat I may even begin to wonder if the company hiring Rack911 may get more favorable results.

    What sort of transparency do you want? If you're curious as to who has paid us:

    InterWorx (Full Audit - Last Payment 2014)
    DirectAdmin (Full Audit - Last Payment 2015)
    cPanel (Bug Bounties - Last Payment 2018)
    Plesk (Bug Bounties - Last Payment 2018)

    However, none of the panels above are ACTIVELY paying us nor has there been any sort of discussion for us to audit competitor products and make their product appear more secure. I don't think any of them even knew we were going to publish this report outside of them maybe reading about it on WHT.

    You can't even begin to imagine how much time was spent going over all of the alternative control panels for absolutely no financial benefit to our company. Those audits were done 100% to benefit the hosting community and let people make their own decisions on what panel(s) they wish to use.

    The reason we had DirectAdmin, Plesk and InterWorx at the top is simply because they are the main competitors to cPanel and we know first hand how secure they are. Nothing more than that! :)

    Edit:

    Full audit reports will be released when the developers fix the flaws. It's mind blowing that it has taken this long... but, we would not be doing anyone right if we released those reports with full exploits at the moment.

  • rack911 Member
    edited November 2019

    No one paid for this analysis. We devote a lot of time to random security auditing and have done so since 2013. We started doing it back in 2013 for the sole benefit of the hosting community when we discovered a privilege escalation vulnerability that affected every server that had Softaculous installed, and since then have uncovered hundreds of vulnerabilities in hosting software without being paid to do so.

    To be blunt, we can afford to do work like this pro bono. As mentioned above it was not a full audit, but rather a once over of every function. The big name control panels (directadmin, plesk, interworx, cpanel) are run over quickly every month, and have been for years.

  • AlwaysSkint Member
    edited November 2019

    @rack911 excuse the riff-raff who've not followed this from the start and/or conspiracy theorists. ;-)

  • rack911 Member
    edited November 2019

    @AlwaysSkint said:
    @rack911 excuse the riff-raff who've not followed this from the start. ;-)

    :)

    Some history for all of you doubters who don't know what we do.
    http://files.rack911labs.com/public/RACK911_Labs_-_Year_In_Review-2013.pdf

    Some more history from the print copy of the now defunct TheWHIR magazine: https://i.imgur.com/K2wqjRr.jpg

  • AlwaysSkint Member
    edited November 2019

    Good to see DA has turned things around considerably - let's hope others can follow suit.

  • @AlwaysSkint said:
    Good to see DA has turned things around considerably.

    Things overall would have been much different with some of these companies security-wise before we started hammering on them. cPanel never had a formal security team, or bug bounties. That is something we pushed for and got. I was on a paddle boat during a cPanel conference years ago when one of the security team members told me, "we pushed for years to get a security team, it took you 6 months". The same story goes with many other companies.

  • Well there's more than me who appreciates the invaluable work done for the community. The 'exposure' alone I'm sure will stand you in good stead.

  • jsg Member, Resident Benchmarker
    edited November 2019

    @SecNinja said:
    You can't even begin to imagine how much time was spent going over all of the alternative control panels for absolutely no financial benefit to our company. Those audits were done 100% to benefit the hosting community and let people make their own decisions on what panel(s) they wish to use.

    • Well, I actually can (I'm a developer in IT security)
    • Kindly stop insulting our intelligence! OF bloody COURSE there is a benefit in it for you and that's why you show a high presence in this thread.
    • @JustJon is right asking for more information. Those panel thingies can make or break a provider's business and it's certainly not illegitimate to ask for a bit more than "someone at Rack911 says so and has painted some graphics too".
    • I have a hard time to see you as impartial. You put the logos of the "good ones" right smack at the top and you offer nothing but assertions, some graphics, and some data points of usually low significance.
    • You'll provide more concrete info once the problems are solved? That's ridiculous. (a) that risks meaning "never", and (b) most of those problems are not new. Most importantly though, your decision clearly suggests whose side you really are on - and it's not us, the customers/users of those panels.

    At first I stayed quite away and very polite but frankly, I take that whole thing to be mainly one thing: a marketing stunt for yourself and a few preferred panel producers.

    Trust me, I know what an analysis looks like because I do them myself. So let me suggest you switch 2 gears down and don't patronize LET users who have valid questions ...

    P.S. And the message is? That most panel producers either don't know about security or they don't care about it anyway? How shocking. Who would have thought that! (Everyone with a working brain).

  • nem Member, Host Rep

    As someone on the panel side who has spent a great deal of time poring over panel developers' code, some get it and others don't. Some don't deduplicate, some copy and paste. Most of what Patrick pointed out was a mea culpa on my part, but something that could be easily addressed by the panel architecture. Others don't have appropriate design and they'll sink in technical debt without significant refactoring.

    I appreciate what he's done for my business going forward. The lack of a bounds check on email domains has been outstanding for at least a decade. Knowing what to look for gave me an opportunity to take a closer look at these modules for other similar issues. Hindsight is always 20/20. Whether one does it out of charity or notoriety, it is still better than going through life blind.

    That being said, it's a great opportunity to one up Patrick on a second round of audits to show what he missed :smiley:
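    nem mentions a missing "bounds check on email domains" without saying what the flaw was, so nothing below describes APNSCP or its fix. The following is an added example, not code from the original thread or from any panel, showing the general shape of the check that a multi-tenant panel needs whenever a customer submits a domain for a mail operation: the domain must be syntactically valid (hostname rules) and it must be provisioned to the acting account, otherwise account A can create or read mailboxes on account B's domain. `ACCOUNT_DOMAINS`, the account names and the function names are all constructed for this example.

```python
import re

# Constructed sample data for a hypothetical multi-tenant panel: which mail
# domains each account has been provisioned. Not taken from any real product.
ACCOUNT_DOMAINS = {
    "acct-a": {"example.com", "mail.example.com"},
    "acct-b": {"example.org"},
}

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Local part of an address: a conservative subset of what RFC 5321 allows.
_LOCAL = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


class InvalidDomain(ValueError):
    """Submitted domain is not a syntactically valid hostname."""


class DomainNotOwned(PermissionError):
    """Submitted domain is valid but not provisioned to the acting account."""


def normalize_domain(domain: str) -> str:
    """Lower-case, trim whitespace and a trailing dot; raise InvalidDomain on bad syntax."""
    d = domain.strip().lower().rstrip(".")
    # Whole-name bound (253 octets) plus at least two labels; "localhost" is refused.
    if not d or len(d) > 253 or "." not in d:
        raise InvalidDomain(domain)
    if not all(_LABEL.match(label) for label in d.split(".")):
        raise InvalidDomain(domain)
    return d


def authorize_mail_domain(account: str, domain: str, owned=ACCOUNT_DOMAINS) -> str:
    """Return the normalized domain only if it is provisioned to `account`."""
    d = normalize_domain(domain)
    # Ownership is checked against the panel's own records, never against the request.
    if d not in owned.get(account, set()):
        raise DomainNotOwned(f"{account} does not own {d}")
    return d


def vet_domain(account: str, domain: str) -> str:
    """Classify a submission for logging or tests: 'ok', 'invalid' or 'not-owned'."""
    try:
        authorize_mail_domain(account, domain)
    except InvalidDomain:
        return "invalid"
    except DomainNotOwned:
        return "not-owned"
    return "ok"


def create_mailbox_unchecked(account: str, local: str, domain: str) -> str:
    """Weak form: trusts the submitted domain, so acct-a can mint root@example.org."""
    return f"{local.strip().lower()}@{domain.strip().lower()}"


def create_mailbox(account: str, local: str, domain: str) -> str:
    """Hardened form: validates the local part and enforces domain ownership first."""
    d = authorize_mail_domain(account, domain)
    l = local.strip().lower()
    if not _LOCAL.match(l):
        raise ValueError(f"invalid local part: {local!r}")
    return f"{l}@{d}"


if __name__ == "__main__":
    # Cross-tenant request: accepted by the weak form, refused by the hardened one.
    print(create_mailbox_unchecked("acct-a", "root", "example.org"))
    try:
        create_mailbox("acct-a", "root", "example.org")
    except DomainNotOwned as e:
        print("refused:", e)
    print(create_mailbox("acct-a", "Alice", "Example.COM."))
```

    The point of `vet_domain` returning three distinct outcomes is that a panel should log a not-owned submission differently from a malformed one: the former is a tenant probing another tenant's domain and is worth alerting on, the latter is usually a typo.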

  • @rack911 said:
    No one paid for this analysis. We devote a lot of time to random security auditing and have done so since 2013. We started doing it back in 2013 for the sole benefit of the hosting community when we discovered a privilege escalation vulnerability that affected every server that had Softaculous installed, and since then have uncovered hundreds of vulnerabilities in hosting software without being paid to do so.

    To be blunt, we can afford to do work like this pro bono. As mentioned above it was not a full audit, but rather a once over of every function. The big name control panels (directadmin, plesk, interworx, cpanel) are run over quickly every month, and have been for years.

    Is there any chance whatsoever to do the same for MyVestaCP fork of VestaCP?

    It is my understanding that MyVestaCP, unlike "the original" is being regularly patched for flaws, while, unlike Hestia (another VestaCP fork), it is also made to be as compatible with VestaCP updates as possible (requiring a minimum number of changes to the code).

    Talking about hosting community benefit - I think free open source is as good as it gets, mostly worth investing time and effort - if it is any good at all.
