ZPanelX 10.1.1 has been released! - Page 2

Comments

  • Mun, Member

    @joepie91 said:
    Open-source or not, that is unacceptable.

    You are right, it is bad for them to throw security issues away like they were nothing. However, the world isn't black and white, and it is very possible they were in a way trying to hold up consumer confidence instead of causing a bank rush of people removing ZPanel. Posting an issue publicly on their forums is like stating "Hey every fucking hacker, here is how you exploit Zpanel, Go!"; moving it to PM, where the info would only be sent to people who could fix the issue, would be a far better method that would allow things to be fixed without it becoming a topic on LET for 2 years.

    Just a counter point.

    Mun

  • Maounique, Host Rep, Veteran
    edited March 2014

    @Mun said:

    There is no such thing as security through obscurity. Every exploit must be made public as soon as the team working on the product made the patch available, 1 week passed without doing it or rejected the exploit as not important/wont be fixed/is a feature, whatever comes first. Not exposing it means people are not aware they are hacked, which is worse than pulling zPanel or any other insecure piece of software.
    Your analogy with running to the bank is completely unrelated because:

    1. Pulling the insecure software has no repercussions on them being able to retrieve their data (money) later, while rushing to the bank means the bank really fails and people really lose the money;
    2. Insecure software (opensource or not) losing developers and confidence is a good thing, users and developers can move on to something better, while losing a bank can cause a lot of suffering to a lot of people from old people losing their savings, to workers there and owners, not to mention some businesses losing support and generating more unemployment, even big economy crunches can happen if the bank is big enough. However, even a bank should fail if it is really bad at what it does, owners are irresponsible, etc.
    3. If a bank is used by criminals to do money laundering, bypass the law, finance the mafia and their candidates, then it is a much bigger danger to the society than failing. Even so, it does not even have to fail, just be taken over by a serious organization (in this case, switching to another panel).

    There is no reason to support zPanel with its track record; even if they do start taking security seriously today, it will be a long time before the product is actually secured (more or less, there is no absolute security as there is no absolutely safe bank, but there is a difference between mafia banks and serious ones).

  • Mun, Member

    @Maounique said:
    There is no reason to support zPanel with its track record; even if they do start taking security seriously today, it will be a long time before the product is actually secured (more or less, there is no absolute security as there is no absolutely safe bank, but there is a difference between mafia banks and serious ones).

    So in theory, I find a WHMCS exploit what should I do?

    1. Go post the exploit on WHMCS forum available for everyone to see before they can make a patch even possible, though I have crafted a fix for it of my own.

    2. Post the exploit to WHMCS in a PM with a patch so that they can review it. If they don't fix it within a week post more publicly.

    My point is that posting it out in front of the world made it a bigger issue than it should have been. You are right, a bank run isn't a good analogy, but my point on the business side is that mass amounts of people stop using your product, so in their opinion a bank run.

    Mun

  • Maounique, Host Rep, Veteran

    You should take point 2, obviously. If they know the exploit, it is a few minutes' work to patch it, say 1-2 hours to post a new version; one week is long enough for people to upgrade. If one or more of those things didn't happen within one week, then you HAVE to post the exploit to force some action. If everyone knows about it, they will have to patch it; if only a select group of criminals know about it, they will continue to profit unhindered at the expense of many hosts out there as well as their customers, while WHMCS can claim their product is safe.

  • Mun, Member

    Correct, and my point with how @joepie91 posted it made the issue public info, when it didn't need to be. Thus in a way enabling hackers to exploit Zpanel even more.

    Just my counter points though. Can't hate everything forever.

  • Maounique, Host Rep, Veteran

    Mun said: Just my counter points though. Can't hate everything forever.

    You are not a host and don't have to deal with blocklists, with phishing, DDoS attacks and their retaliation, judges asking for logs and whatnot. zPanel IS the number one cause of hacked VPSes here. If that will change, of course, I will hate it less.

  • Mun, Member
    edited March 2014

    I am stating it isn't secure in any way, I am stating the way JoePie handled himself wasn't the best of ways.

    edit: added "not", oops, typing too fast

  • Maounique, Host Rep, Veteran

    There is no harsh enough way to deal with these fox, apart from harming their personas. If they are unwilling or unable to secure their product, they should do something else, really.

  • Mun, Member

    I guess I should look through the code, see if I can find anything

  • Mun, Member

    btw, that isn't because I don't think that the way they are treated is right or just, but because I might be able to help.

  • Maounique, Host Rep, Veteran

    Great, it looks like they do need all the help they can get. I fear your findings will be rejected, though, given the things I read and heard.

  • No major updates. Only fixes.

  • joepie91, Member, Patron Provider
    edited March 2014

    Mun said: You are right, it is bad for them to throw security issues away like they were nothing. However, the world isn't black and white, and it is very possible they were in a way trying to hold up consumer confidence instead of causing a bank rush of people removing ZPanel. Posting an issue publicly on their forums is like stating "Hey every fucking hacker, here is how you exploit Zpanel, Go!"; moving it to PM, where the info would only be sent to people who could fix the issue, would be a far better method that would allow things to be fixed without it becoming a topic on LET for 2 years.

    I initially notified a team member of theirs on IRC. It was met with the exact same response.

    And "consumer confidence"? Really? If you are pretending that all is fine for the sake of "consumer confidence", there's a word for that: dishonesty.

    Mun said: how @joepie91 posted it made the issue public info, when it didn't need to be.

    Read the thread properly. It absolutely did need to be. They'd had their chance to fix it the right way already. Or do you expect me to stay infinitely polite, while they are actively putting their users at risk by telling them lies and refusing to acknowledge or fix security issues?

  • GuanYu, Member
    edited March 2014

    Maounique said: There is no such thing as security through obscurity.

    This term seems widely misunderstood and violated by teenage security specialists, although it means nothing. Security usually consists of several layers. To a system which already has a decent security setup, obscurity adds another layer of many. It's not a replacement for security, but a layer to weed out the crap.
    I understand your point when you're saying that things should become public as soon as a vulnerability is discovered, to be able to protect yourself from it (But does this work? Your zPanel experience says the opposite). However, I also know where @Mun is coming from in saying that making it public means an open invitation to party.
    Theories and opinions exist, but what does practice say? Did the mass invitation to party make it less troublesome for you?

    Not taking joepie's appeal into consideration is a completely different story.

  • Maounique, Host Rep, Veteran
    edited March 2014

    I agree obscurity is another layer of security, however, in Open Source software? It is not even hidden there; all exploits are in full sight. It is only hidden from the people who are not programmers able to scrutinize the code and understand the risks (not that if it was "ioncubed" it would have mattered in any way). A programmer does not need to look in all the nooks and crannies; he will form an opinion from the first 200 lines at most. A programmer WILL find the exploits if he wants to; there is a very big harvest of exploitable panels out there if he finds one.
    So, this "obscurity" is only keeping in the dark the people who are users, not exploiters, a perfect situation for the criminals out there.

  • I believe my experience may be instructive. Two years ago I knew nothing of hosting, but decided to take the plunge by buying a couple of WP sites at Digital Point and opening an account with Hostgator. As I bought more sites and started to build my own, I noticed that my Hostgator account was maxed out and I had to move up an account level. Soon, it struck me I'd do better off trying to understand the mysterious world of VPSs and self hosting.

    To get started I purchased a 256mb Xen VPS off someone on DP with 5 WP sites running zPanel 6 as a way to learn about VPS hosting. I also tried to master cPanel on a VPS. I could never understand how to get DNS to work, so I gave up. I then tried to install zPanel 10 on another VPS. I had lots of problems following the instructions in the zPanel forum. I posted some questions. I didn't find the answers helpful. I tried Kloxo, but gave up quickly when I found out about the holes in it because it wasn't being updated. Lastly, in my search of free panels, I found Virtualmin.

    I found the help at the Virtualmin forum, plus the extensive documentation enabled me to get started and maintain my sites and Virtualmin installation. After mastering basic knowledge, I started to be able to tweak my installations for ease of maintenance. Now all I use is Virtualmin, I prefer it to cPanel.

    All this to say, while zPanel may have the other shortcomings outlined by other posters - I know little of security holes - I believe it is also difficult to use, and difficult to get help to fix the inevitable problems. It may be fine for someone with extensive Linux experience, but it certainly isn't easy to use and noob friendly. It also does not appear to have many of the features available in a panel like Virtualmin.

  • I've been running zpanel 10 on a test server for a year or so. It's currently running 25 websites (I develop the sites there then deploy them on shared/reseller hosting). The only problem I've noticed is some weirdness with the backups (it runs them too often).

    Based on my good experiences with it, I recently put it on a dedi which is currently running 4 production sites. I've got automated offsite backups as well of course, but so far so good.

    Virtualmin's decent too, and Vesta looks promising if they ever get around to finishing the documentation. I liked kloxo, but always found it buggy. Haven't had much joy with the other free offerings. I recently discovered centminmod - command line only, but awesome.

  • Mun, Member

    @squibs

    You do realize you are putting a software on your server that has known security issues and is easily hackable right?

  • squibs, Member
    edited March 2014

    @Mun Can you cite a single known generally exploitable security issue on the current release?

  • Mun, Member

    http://forums.zpanelcp.com/Thread-zPanel-website-has-vulnerability-bug here is one for 10.1.0

    10.1.1 has been out for a few days, don't think anything would be out yet.

  • squibs, Member
    edited March 2014

    @Mun Call me a hair-splitter, but that's not evidence of a GA exploit - that's someone quoting details from one install of zpanel. The mods have acknowledged a weakness, but we don't know what access the OP had to the server, or how specific the exploit was. The details of the exploit aren't published, so I say - no evidence of a generally exploitable security issue there.

    cPANEL, WHM, windows, osx, android - all complex software is exploitable, yet all those platforms thrive and are generally unexploited, meaning that they are in widespread use and most installs are never hacked.

  • Maounique, Host Rep, Veteran

    Yes, everything is hackable; however, it depends on how people react to exploits found. Flat denial is not the way.
    Just a few minutes ago I found a process maxing out the CPU, running as apache, ksoftirqx or something. Guess what, the VPS was running zPanel...
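
A defender's check for the kind of process described in the post above (a CPU-pinning process owned by the web server account and named after a kernel thread), as an added example that is not part of this thread or of ZPanel. It parses `ps -eo user,pid,pcpu,comm,args --no-headers` output and flags web-server-owned processes that reuse a kernel-thread name without the bracketed args a real kernel thread shows, exceed a CPU threshold, or run from a world-writable temp directory. The sample `ps` lines are constructed for the example, and the `WEB_USERS` set, the name regex and the 80% threshold are assumptions to tune per host.

```python
import re

# Constructed sample of `ps -eo user,pid,pcpu,comm,args --no-headers` output.
# Every line here is made up for this example; the fourth line imitates the
# pattern from the post (apache-owned process, kernel-thread-like name, CPU pinned).
SAMPLE_PS = """\
root         2   0.0 kthreadd      [kthreadd]
root         9   0.0 ksoftirqd/0   [ksoftirqd/0]
apache    4127   0.3 httpd         /usr/sbin/httpd -DFOREGROUND
apache    4511  97.8 ksoftirqx     /tmp/.x/ksoftirqx -o pool.invalid:3333
www-data  5102  45.0 php-fpm       php-fpm: pool www
"""

# Assumed set of accounts the web server runs as; adjust for the host.
WEB_USERS = {"apache", "www-data", "httpd", "nobody"}
# Genuine kernel threads run as root and ps prints their args column in
# brackets ("[ksoftirqd/0]"); a user-space binary reusing such a name does not.
KERNEL_NAME_RE = re.compile(r"^k(softirq|worker|thread|swap|block|journal|audit|integrit)")
TMP_DIR_RE = re.compile(r"^(/tmp|/var/tmp|/dev/shm)/")


def parse_ps(text):
    """Split ps output into dicts; the args field keeps the rest of the line."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        rows.append({
            "user": parts[0],
            "pid": int(parts[1]),
            "pcpu": float(parts[2]),
            "comm": parts[3],
            "args": parts[4] if len(parts) == 5 else "",
        })
    return rows


def suspicious_processes(rows, cpu_threshold=80.0):
    """Return {pid: [reasons]} for web-server-owned processes worth a look."""
    findings = {}
    for p in rows:
        if p["user"] not in WEB_USERS:
            continue
        reasons = []
        if KERNEL_NAME_RE.match(p["comm"]) and not p["args"].startswith("["):
            reasons.append("kernel-thread name on a user-space process")
        if p["pcpu"] >= cpu_threshold:
            reasons.append("cpu above %.0f%%" % cpu_threshold)
        if TMP_DIR_RE.match(p["args"]):
            reasons.append("executable in a world-writable temp directory")
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    # On a live host, feed the real ps output in place of SAMPLE_PS.
    for pid, why in suspicious_processes(parse_ps(SAMPLE_PS)).items():
        print(pid, "; ".join(why))
```

Only the constructed PID 4511 trips all three checks on the sample; the php-fpm worker at 45% stays below the default threshold, and the genuine root-owned kernel threads are never considered. Any hit is a reason to inspect the process (its `/proc/<pid>/exe` link and open sockets) rather than proof of compromise by itself.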

  • Mun, Member

    Yet hacks of zPanel are common and very widespread.
