Latest Security Analysis of Alternative Web Hosting Control Panels by Rack911 - Page 2
24 Comments

  • I'm still wondering why rack911 was not able to find the culprit in VestaCP immediately from the issue last April 2018, IIRC. Instead it was one of the community users.

    No explanation needed really. I was just wondering, as I think rack911 was given access to the repo for further investigation.

    Free / pro bono or paid, I'm thankful for any of your insights. Again, I was just wondering what happened on that VestaCP issue. Then VestaCP, IIRC, just hired another security audit company ("Arcturus") instead.

  • AlwaysSkint, Member
    edited November 2019

    Awaiting the similar audit from @jsg :p

  • Neoon, Community Contributor, Veteran

    CyberPanel got busted, pretty much.
    It's a deadly combination, to forward input directly into the shell without validation.
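The pattern Neoon is pointing at, shown as a constructed Python example added here (it is not CyberPanel's code and does not reproduce CyberPanel's actual fix): the hypothetical `unsafe_command` splices a user-supplied domain name into a shell command string, while `build_argv` and `run_safely` allow-list the input against a hostname grammar and hand an argument list to `subprocess.run` without `shell=True`, so the value can only ever be one literal argument.

```python
import re
import subprocess
from typing import List

# Constructed illustration of the pattern described in the comment above; it is
# not CyberPanel's code. A control-panel action needs to run a system command
# on a user-supplied domain name (here: listing that site's web root).

# Hostname grammar: labels of 1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen, at least one dot, 253 chars in total.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})+$")


def unsafe_command(domain: str) -> str:
    """The risky pattern: user input spliced into a shell command string.

    Returned rather than executed so the problem can be inspected: any shell
    metacharacter in `domain` reaches the shell as syntax, not as data.
    """
    return "ls /home/" + domain + "/public_html"


def is_valid_domain(domain: str) -> bool:
    """Allow-list check: accept only strings that parse as a hostname."""
    return DOMAIN_RE.match(domain.strip().lower()) is not None


def build_argv(domain: str) -> List[str]:
    """Validate, then build an argv list.

    No shell is involved, so even a value that slipped past validation would
    be passed to `ls` as a single literal argument.
    """
    d = domain.strip().lower()
    if not is_valid_domain(d):
        raise ValueError(f"rejected domain name: {domain!r}")
    return ["ls", f"/home/{d}/public_html"]


def run_safely(domain: str) -> subprocess.CompletedProcess:
    """Execute without shell=True; the argv list goes straight to execve."""
    return subprocess.run(build_argv(domain), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: two valid names, two that must be rejected.
    for candidate in ["example.com", "sub.example.com", "example.com; echo", "../etc"]:
        print(f"{candidate!r:22} valid={is_valid_domain(candidate)}")
```

The validation step is the primary control and the argv list the second one; escaping the value with `shlex.quote` inside a shell string would only be a fallback, because it still leaves a shell in the path and depends on every caller remembering to quote.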

  • @cazrz said:

    I'm still wondering why rack911 was not able to find the culprit in VestaCP immediately from the issue last April 2018, IIRC. Instead it was one of the community users.

    No explanation needed really. I was just wondering, as I think rack911 was given access to the repo for further investigation.

    Free / pro bono or paid, I'm thankful for any of your insights. Again, I was just wondering what happened on that VestaCP issue. Then VestaCP, IIRC, just hired another security audit company ("Arcturus") instead.

    A lot of misinformation on the internet on this one. VestaCP never worked with us on that level. We had tried to push paid audits on them but they always declined.

  • @rack911 said:
    @cazrz said:

    I'm still wondering why rack911 was not able to find the culprit in VestaCP immediately from the issue last April 2018, IIRC. Instead it was one of the community users.

    No explanation needed really. I was just wondering, as I think rack911 was given access to the repo for further investigation.

    Free / pro bono or paid, I'm thankful for any of your insights. Again, I was just wondering what happened on that VestaCP issue. Then VestaCP, IIRC, just hired another security audit company ("Arcturus") instead.

    A lot of misinformation on the internet on this one. VestaCP never worked with us on that level. We had tried to push paid audits on them but they always declined.

    I would say that this is the guy you'd want to be working with:
    https://github.com/myvesta/vesta/blob/master/README.md#myvesta-control-panel

  • myVesta seems to be good. But they are Debian only (no CentOS)!

  • @niceboy said:
    myVesta seems to be good. But they are Debian only (no CentOS)!

    And, from my understanding, currently not very good for reseller hosting setups.
    Still, it's the only free open source solution that seems to be working and for which the developer is doing all they can to keep it as good as possible (and using it on their own servers).

    I would be interested in reading a security audit (and would be delighted to see more community support; it's practically a one-man show for now).

  • IMHO this post is just a stunt or marketing. Traffic or for whatever purpose.

    That's just my honest opinion.

  • Regardless of the motivations, the efforts have highlighted the security aspects of the various control panels and brought it to the front of people's minds.

  • Neoon, Community Contributor, Veteran

    @cazrz said:
    IMHO this post is just a stunt or marketing. Traffic or for whatever purpose.

    That's just my honest opinion.

    Of course it's a company; they do exist to make money.
    Even if they say it's all free and no one paid them, it's likely that they get a few customers more.

    Which may pay for the work they put into it.
    But at the end, the benefits are on both sides.

    Not just one side, which is a fair trade as long as it's balanced.

    Thanked by 1: niceboy
  • deank, Member, Troll

    Why a company trying to make money is seen as evil is beyond me.
    What do you expect a company to do?

    Thanked by 2: dedipromo, Clouvider
  • Neoon, Community Contributor, Veteran
    edited November 2019

    @deank said:
    Why a company trying to make money is seen as evil is beyond me.
    What do you expect a company to do?

    The word "company" triggers things like "Nestle".
    It's all about https://en.wikipedia.org/wiki/Framing_effect_(psychology)

  • jvnadr, Member
    edited November 2019

    Rack911 is a company. Of course, they do have some goals in auditing those panels for free. Is it because they want to push people to use paid web panels instead of free ones? Is it because they want to keep their status as one of the best-known auditing companies out there? Is it because they want to help stop the spread of malware, viruses and hacked servers on the net? Or to have more data on the exploits and issues in panels, gaining more info for when they work on a paid task?
    Maybe all of the above. But, at the end of the day, it is good to have an audit company do some checks on those panels and inform their developers.
    It would be good, of course, if those developers responded publicly (not on LET but on their website or forum) about the issues, the audit and their actions afterwards.
    And it would also be good if Rack911 wouldn't just write a number but also give some more info, not about the actual type of vulnerabilities but whether, for example, one of the three in Vesta is a catastrophic one and none of the 15 in Virtualmin is that dangerous.

    That said, if you put aside the Vesta developer's attitude (which is well known), it is pretty impressive that it is the free panel with the fewest vulnerabilities, together with ISPConfig.
    As impressive as the fact that Virtualmin has tons of vulnerabilities (of course, that can be explained by the range of features it has and the variety of OSes it can be installed on).
    As for CyberPanel? This is a surprise, given that for a long time they have been backed by LiteSpeed itself to provide a panel that promotes the paid web server... It would be interesting to see what @cyberpersons has to say about this...

    Thanked by 2: bikegremlin, mrTom
  • jsg, Member, Resident Benchmarker

    @AlwaysSkint said:
    Awaiting the similar audit from @jsg :p

    Won't happen. I'm way too disinterested in panels. Also, all that PHP, Python, and Perl code is much too far from my daily life. There are others who'll do a better job on that than me.
    But still, as analyzing and verifying is an important part of my daily work, I recognize when it's done well or not so well.

  • ^ I get pissed off with my neighbours too.

  • deank, Member, Troll

    Devs don't need to respond to the article.

    Just patch the holes. Words are cheap after all.

  • AlwaysSkint, Member
    edited November 2019

    With all the emphasis on security (rightly so) there appears to be a total lack of comparison as to how they all perform, in respect to RAM, CPU & disc overhead, in particular.
    I'd think that'd be appropriate for the lowend sector.

  • deank, Member, Troll

    Well, they are a security audit firm after all.

    They don't need to look at anything else.

  • AlwaysSkint, Member
    edited November 2019

    @deank said:
    Well, they are a security audit firm after all.

    They don't need to look at anything else.

    I did mean in general terms. Apologies for the brevity.

  • deank, Member, Troll
    edited November 2019

    Well, the point still stands. They specialize in security audits and that is their sole reason for existing.
    Sticking to what they are good at is a good way to stay up.

    Of course, some are too good at screwing up in which case they will go belly up sooner or later.

  • bikegremlin, Member
    edited November 2019

    In a discussion on this topic in a local (Serbian) VestaCP group, I pasted a link to this thread. The author of MyVestaCP (Predrag Damjanović) is unable to register on LET (not getting confirmation emails, and the support desk apparently isn't working either), so they asked me to forward this. So here it is:
    (Just as a messenger here, nothing personal for or against either VestaCP or MyVestaCP; I'd simply be delighted to see a good quality FOSS alternative to both cPanel and DirectAdmin):

    TL;DR - the VestaCP author made the fix months ago.

    EDIT: clarification
    The VestaCP author (Sergey) notified Patrick of the fix, but Patrick wanted Sergey to test and confirm the fix (i.e. Patrick didn't want to test the fix himself, expecting Sergey to do it and report back).

    Tarzan English to Serbian to Tarzan English - things get lost. :)

    The original quote:

    "In fact, all three vulnerabilities were fixed in VestaCP 4 months ago - just nobody wanted to check it -
    https://github.com/serghey-rodin/vesta/commit/743476ad73e4cd3b6efc4be61ed190d5f8dfc28d

    The link to the fixes was sent to Patrick - but Patrick expected the VestaCP devs to check the fixes - and nobody did it in the end."

    Thanked by 3: jsg, niceboy, poisson
  • deank, Member, Troll

    It is true that I've never gotten any sort of emails from LET except for the account confirmation email.

    Shitloads of bots seem to register fine though, so I assume the email server is working.

  • No love for froxlor?

    Thanked by 1: webcraft
  • JustJon, Member
    edited November 2019

    I think some people took my earlier comment the wrong way. I would rather know the details, so I am glad of your detailed work; there is also nothing wrong with a little skepticism, so please don't take it the wrong way.

    For a massive positive I really like how the vendor's communication was also taken into account as this is a big deal I feel.

  • raindog308, Administrator, Veteran
    edited November 2019

    zpanel is not listed. Must be because it's 100% bullet proof.

    (Sorry for triggering you, @joepie91 )

    Thanked by 2: vimalware, Falzo
  • jsg, Member, Resident Benchmarker

    @raindog308 said:
    zpanel is not listed. Must be because it's 100% bullet proof.

    (Sorry for triggering you, @joepie91 )

    You seem to not be up to date. How can it be bullet proof without calling the magic "MakeBulletProof()" function?

    Thanked by 1: raindog308
  • raindog308 said: Must be because it's 100% bullet proof.

  • Thank you to the efforts and generosity of @SecNinja and everyone at @rack911 !

    I thought you will also audit WiseCP of @Sitemio ? It's not a web hosting panel though, it's a billing panel.

  • It's a shame that https://www.keyhelp.de/en/ isn't that famous as the other free control panels as I really wanted to know how they fared.

  • @jvnadr

    This issue dates back almost 6 months. We released a security fix just a few days after receiving an email from Patrick.

    I gave my detailed reply regarding how we structured root escalation in our original thread; a direct link to the response is https://www.lowendtalk.com/discussion/comment/2998884/#Comment_2998884

    Even though the number is high, they are the same issue; once we addressed the fundamentals, it was all taken care of.

    More can be seen in the release log, especially the release dated 16th July, 2019 -> https://cyberpanel.net/docs/change-log-for-cyberpanel/

    Apart from that, we are always trying our best and putting security first.

    Thanked by 1: PluginMaster