ZPanel arbitrary code execution + root escalation vulnerability
There's an arbitrary (PHP) code execution in ZPanel, a free and open-source shared hosting control panel. Using the included zsudo binary, access can be escalated and commands can be run as root.
The vulnerability: ZPanel uses a poor "templater" system that basically consists of a few str_replace calls and an eval... and as could be expected from something like this, it does a very poor job at preventing malicious code. The relevant code can be seen here: https://github.com/bobsta63/zpanelx/blob/master/dryden/ui/templateparser.class.php (note the poor attempt at stripping out <?php and ?> tags).
By effectively injecting the replacement that occurs in line 71, one can run arbitrary PHP code. When combined with ZPanel's zsudo binary, one can execute arbitrary commands as root, with a maximum of 5 additional arguments (aside from the path to the to-be-executed command).
The scope: Custom templates/themes can be uploaded by resellers and administrators. This effectively means that anyone that can get access to a reseller account through any means, including by purchasing a reseller service from a ZPanel-using host, can gain root access, without detection.
PoC: Insert the following code anywhere in master.ztml or any other template that is parsed by the template parser, replacing "touch derp" with any command of choice:
<& bogus']; exec("/etc/zpanel/panel/bin/zsudo touch /root/derp"); echo $value['bogus &>
I've posted the full post to the full-disclosure mailinglist: http://seclists.org/fulldisclosure/2013/Apr/28
Seriously, guys. Stop using ZPanel. It's terribly insecure. How many times do I have to say this?
Bonus: there's a CSRF vulnerability in the logout mechanism.
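A defender-side check for the template mechanism described in the post, added here as an example (not code from ZPanel or from the post's author): it flags `<& ... &>` tags in a theme file whose body is anything other than a bare variable name, and shows a substitution routine that resolves tags by dictionary lookup instead of eval. The `<&`/`&>` delimiters are taken from the PoC; the sample templates, variable names and the `exec("id")` payload shape are constructed for the example.

```python
import html
import re

# ZPanel's parser rewrites <& name &> placeholders and then eval()s the result,
# so a tag body that is not a plain identifier is the thing to look for.
TAG_RE = re.compile(r"<&\s*(.*?)\s*&>", re.DOTALL)
SAFE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
CODE_CHARS_RE = re.compile(r"""[;()'"\[\]$]""")


def find_suspicious_tags(template: str):
    """Return (tag_body, reason) for each placeholder that is not a bare identifier."""
    findings = []
    for m in TAG_RE.finditer(template):
        body = m.group(1)
        if SAFE_NAME_RE.match(body):
            continue
        if CODE_CHARS_RE.search(body):
            findings.append((body, "code-like characters in tag body"))
        else:
            findings.append((body, "tag body is not an identifier"))
    return findings


def render_safe(template: str, values: dict) -> str:
    """Substitute placeholders by lookup only (no eval); fail closed on odd tags."""
    def substitute(m):
        name = m.group(1)
        if not SAFE_NAME_RE.match(name):
            raise ValueError(f"rejected template tag: {name!r}")
        # HTML-escape so a reseller-controlled value cannot inject markup either.
        return html.escape(str(values.get(name, "")))
    return TAG_RE.sub(substitute, template)


# Constructed sample templates: a benign one and one using the PoC's shape,
# where the tag body closes the array index and appends PHP of its own.
CLEAN_TEMPLATE = "<h1><& site_title &></h1><p><& footer &></p>"
MALICIOUS_TEMPLATE = (
    "<h1><& site_title &></h1>"
    "<& bogus']; exec(\"id\"); echo $value['bogus &>"
)

if __name__ == "__main__":
    for name, tpl in (("clean", CLEAN_TEMPLATE), ("malicious", MALICIOUS_TEMPLATE)):
        print(name, find_suspicious_tags(tpl))
```

Run it over each .ztml file of an uploaded theme before it is installed; any finding is grounds to reject the theme.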
Comments
Seems like weekly :P
Not sure why anyone would still bother using zPanel. Unless you hated your clients or something.
Summer is just around the corner . . .
Somebody uses zPanel?
I do. It lets me run arbitrary code without the need to log in as root. It's very convenient sometimes.
@Freek You've got to see this, bro.
I use Webmin. What exactly is zPanel supposed to do anyways, other than get your system "hacked"?
Not the first control panel that is insecure; much better to use a commercial one like cPanel.
cPanel is most definitely not without vulnerabilities. ZPanel isn't insecure because it's free, it's insecure because the developers are careless (and, in my opinion, irresponsible) about security. If anything, this attitude is even more present in commercial software than in open-source software (e.g. SolusVM, WHMCS, etc.)
Your most secure option is probably an open-source commonly-used peer-reviewed panel such as Webmin. Why open-source? Because that lets you check the code for yourself, and patch it if necessary.
It's an open-source shared hosting panel, aiming to offer a featureset similar to cPanel.
I sense another of @joepie91's rants coming on here. And it's only 7:15 AM my time!
This is why I always vote for ISPconfig3.
+1.
Unless you are part of the 99.9% of the population that is not a competent programmer.
And those who will use opensource because it is FREE.
All I want is one attractive and user friendly shared hosting panel. Not for me, but to push on clients who want an answer and don't want to pay for cPanel. That I cannot give them an answer to such a simple question, and that I do not care enough to have one developed for them, upsets me for some reason. Usually only for a few minutes though because minstall doesn't need a panel and it takes 5 minutes.
Isn't zpanel open source?
We can submit a patch.
LoL, true. Yay for ZPanel. If they even fail at properly configuring the default .conf files they supply with their apache2 installation, what else can go wrong?
The problem is basically that all of their PHP code is absolutely terrible, and it needs a full rewrite to be "patched". Even fixing just this vulnerability would require implementing a full proper templater. I was in the process of rewriting ZPanel, but due to time constraints I haven't really gotten around to it.
EDIT: And there are numerous other issues and vulnerabilities with ZPanel.
It's just so darn pretty. Honestly, as far as user interface goes, I like it far better than cPanel. That's why it makes me so sad. Typical, I suppose, in that good coders and good designers usually are not one and the same.
@joepie91 -- they're working on a new template system and anyone is free to file a bug report in their tracker.
There's a lot of ground between doing it "right" and leaving this issue open. I'm pretty sure a lot of these issues are easily fixable. I'm not saying it would be nice code, but it would be a start.
Did you submit a pull request with a fix? I mean, it's very noble that you've started an attempt to rewrite it all. It doesn't help ZPanel right now, though.
Isn't most of cPanel open source / not encrypted anyways?
Yes. cPanel is open-source, it's just not free.
I hear what @joepie91 is saying about open source peer review...though I wonder if there aren't more eyes and more people looking at cPanel code than webmin, just because the former is so much more widely used and has a bigger dev staff.
Talk about damning with faint praise...cPanel looks like Windows 3.1.
How come we don't see nulled WHM/cPanel?
Edit: It seems we do.
Way too risky to even consider. Not to mention, you can't even upgrade it unlike other nulled scripts.
That's why I don't like using a panel.
It is? I tried to edit one of the functions at one point and it was encoded.
It would not surprise me if you could enter "rm -rf /" in the login field on zPanel and wipe the server.
Lol this thread and posts are hilarious, glad I'm not the one behind ZPanel :P
But to be fair, I tried it in 2011 for a few minutes; it felt bulky, "disassembled", for some reason, ever since downloading it. It has a good interface and features though; both admins and site visitors shall enjoy the interface :P
@joepie91, if you are ever available for some NDT/penetration testing, I would love to use your skills. PM please.