joepie91's Ramblings

home RSS

The security trainwreck that is ZPanel

17 Dec 2013

Note: This is a repost of a thread that I originally wrote on LowEndTalk. I can no longer support the operational and advertising policies of LowEndTalk, and have therefore decided to move the post here.

Yup, another ZPanel thread. Why? To give a nice summary of the atrocious security history of ZPanel. The dates may be approximations, I do not keep specific track of these events. Additionally, quite a few things will be missing - I've only listed the events that I've run across.

At this point, had I not reported any of these vulnerabilities, I would have been able to combine the administrator password reset vulnerability with the remote root vulnerability and a Google dork. I could have gained instant root on every single ZPanel server in the world, without issues, fully automated, in a matter of minutes.Just to put into perspective what their "professional security firm" missed.

I really don't care that ZPanel is a free or even open-source project; that is not a valid excuse. The reality is that the ZPanel development team, in particular Bobby Allen, is acting highly irresponsible. He is putting hundreds, if not thousands of servers at risk, simply because he does not wish to admit that there are security problems and that they need fixing.

I have heard every excuse under the sun from the development team. "We do this in our free time!", "It's an open-source project...", "Well, it's free!", "That's not really a vulnerability, people won't think to look there...", and so on. I really don't care. ZPanel developers, fix your shit. You have released ZPanel to the world and are promoting it as a professional panel, so give up your "hobby project" attitude. You can't have both. Either include a big fat disclaimer that ZPanel is known to be insecure, and it's a hobby project... or make it secure.

In the meantime, I would advise everyone to stay far far away from anything running ZPanel. The developers do not care about your security.