Note: This is a repost of a thread that I originally wrote on LowEndTalk. I can no longer support the operational and advertising policies of LowEndTalk, and have therefore decided to move the post here.
Yup, another ZPanel thread. Why? To give a nice summary of the atrocious security history of ZPanel. The dates may be approximations, I do not keep specific track of these events. Additionally, quite a few things will be missing - I've only listed the events that I've run across.
- August 12 2012, numerous vulnerabilities are fixed, one of which can be found here, after a supposed 'security audit' by 'WebSec'.
- August 12 2012, I have an argument with motters, one of the ZPanel developers, in the LowEndBox IRC channel. motters challenged me to find a vulnerability in ZPanel, after I claimed that their messy code style would produce vulnerabilities that they'd overlook.
- August 12-13 2012, a few minutes later, I report a vulnerability that allows anyone to reset the administrator password on a ZPanel installation to an arbitrary value, without any authentication whatsoever. The vulnerability is fixed, with what seems like an attempt at insulting me. Note that their "professional security firm WebSec" completely overlooked this blatant and fatal vulnerability, while it took me literally 5 minutes to find.
- August 15-16 2012, I inform the ZPanel developers of multiple remote code execution vulnerabilities in their 'templater', and submit a patch for a part of them. I warn the developers that the templater will still allow code execution that could potentially be disastrous when combined with
zsudodue to the poor design of the templater (using eval(), and letting resellers set custom templates). The lead developer laughs off this warning, tells me that "that's how a templater is supposed to work in PHP", and says that a real templater may be written later, but that it is not a priority and not planned. Again, WebSec has overlooked the issue.
At this point, had I not reported any of these vulnerabilities, I would have been able to combine the administrator password reset vulnerability with the remote root vulnerability and a Google dork. I could have gained instant root on every single ZPanel server in the world, without issues, fully automated, in a matter of minutes.Just to put into perspective what their "professional security firm" missed.
- November 10 2012, Bobby Allen, the lead developer, posts on the ZPanel forums, claiming that the 'insufficient entropy' vulnerability is "bollocks", and that "CSFR [sic] protection is not necessary, because the backend code authenticates the session". Seeing as insufficient entropy can significantly increase the chance of key guessing, and the whole point of a CSRF attack is to use an already authenticated session, it is clear that Bobby has no idea what he's talking about on both counts, but refuses to admit as much. Furthermore, his attempts at justifying the vulnerabilities inspire a false confidence in users that the software is safe to use.
- April 17 2013, I make a full-disclosure post on the ZPanel root escalation and command execution vulnerability, after having waited for it to be fixed for 8 months. There is no response from the ZPanel developers, at all, whatsoever.
- May 10 2013 (today!), almost a month later, there is still no response from the ZPanel team. They have not responded to the full-disclosure post, there is no post on their forums, no announcement on their website, and most importantly, no patch. The codebase is still vulnerable, and it doesn't seem like there will be any effort to fix it, any time soon.
I really don't care that ZPanel is a free or even open-source project; that is not a valid excuse. The reality is that the ZPanel development team, in particular Bobby Allen, is acting highly irresponsible. He is putting hundreds, if not thousands of servers at risk, simply because he does not wish to admit that there are security problems and that they need fixing.
I have heard every excuse under the sun from the development team. "We do this in our free time!", "It's an open-source project...", "Well, it's free!", "That's not really a vulnerability, people won't think to look there...", and so on. I really don't care. ZPanel developers, fix your shit. You have released ZPanel to the world and are promoting it as a professional panel, so give up your "hobby project" attitude. You can't have both. Either include a big fat disclaimer that ZPanel is known to be insecure, and it's a hobby project... or make it secure.
In the meantime, I would advise everyone to stay far far away from anything running ZPanel. The developers do not care about your security.