Latest Security Analysis of Alternative Web Hosting Control Panels by Rack911
Security Analysis of Alternative Control Panels
I am not surprised by the results. So those looking for a free alternative to paid control panels, keep in mind that they can pose some threats also.
Comments
Ooh! APNSCP actually did a pretty good job there! Good job @nem!
Not a bad showing for coming out of the woodwork after 17 years
Congratulations @nem. Fantastic showing. Security is priceless and I hope more people use your solid piece of work.
When something has more holes than VestaCP..., you know your stuff is shitta.
Important to note that these were not 'full' audits. Just a once through. We'll revisit each one in more depth at a later time, but this should offer a good baseline to the quality of each product.
Interesting that VestaCP only shows 3 vulnerabilities yet marked down severely for not communicating properly. As for CWP, 'support' is distinctly lacking which is a real shame for what is IMHO, the best (nearly intuitive) of the (bad) bunch.
Many thanks @rack911
(Is webmin, without usermin/virtualmin, seen as a reasonable option?)
I'll wait for the real analysis, because this one is more like "let's shake the tree and see what falls down".
One thumbs up though for also looking at and mentioning the attitude, type of reaction, and speed of reaction of the developers.
It's the comms./responsiveness that makes the real difference.
I'm interested to see a MyVestaCP fork security audit. At least such "preliminary" one.
Well, you agree or not.. No one can beat cPanel.. at least till now.
Maybe that's why they have increased the pricing..
DirectAdmin is really good but still can't match cPanel..
Sorry if anyone is offended..
It will be good to see also the audit on CP, DA, Plesk and Interworx
All good. I will get over it one day. Don't feel guilty because of me.
The people behind CWP are frustrating.
They emailed us a while back requesting Skype. I said look, we're too busy to talk over Skype so just find us on Slack or email us. No reply. Sent them another email the other day requesting an update and then today, they finally get back to us saying their delay is because they have been waiting to talk to us.
They have been given MONTHS to get their stuff in order and apparently instead of emailing us questions they have just been sitting there waiting...
We sent off at least half a dozen security flaws years ago to VestaCP which is probably why they only have a handful of flaws at the moment. (They were better at communication back then as well. Hell, I've sent them an email every month requesting updates and so far nothing... I don't understand.)
It's important to note that security is often on low priority, until it's actually exploited.
They can, then, make a formal apology and enjoy extra attention they get.
This is a result of a society that rewards failures.
Maybe I think it's because they already have hired a security audit company IIRC.
Rack911 are not cheap, if you believe for 1 second they did this work for free you are a potato.
And if you don't know what question that actually poses, you are not even a very good quality potato.
I'm not sure if they were the ones who found the backdoor in the vestacp repo before, IIRC it was Falzo.
I would be interested in the full reports if this is the summary. Do have to wonder who is paying for these security analyses. I do appreciate the information they have provided but I would like a little more transparency/disclosure from Rack911.
If I had some tin foil to make a hat I may even begin to wonder if the company hiring Rack911 may get more favorable results.
Here’s mine with commentary. Audit report at the end.
https://hq.apnscp.com/ap-01-ap-07-security-vulnerability-update/
What sort of transparency do you want? If you're curious as to who has paid us:
InterWorx (Full Audit - Last Payment 2014)
DirectAdmin (Full Audit - Last Payment 2015)
cPanel (Bug Bounties - Last Payment 2018)
Plesk (Bug Bounties - Last Payment 2018)
However, none of the panels above are ACTIVELY paying us nor has there been any sort of discussion for us to audit competitor products and make their product appear more secure. I don't think any of them even knew we were going to publish this report outside of them maybe reading about it on WHT.
You can't even begin to imagine how much time was spent going over all of the alternative control panels for absolutely no financial benefit to our company. Those audits were done 100% to benefit the hosting community and let people make their own decisions on what panel(s) they wish to use.
The reason we had DirectAdmin, Plesk and InterWorx at the top is simply because they are the main competitors to cPanel and we know first hand how secure they are. Nothing more than that!
Edit:
Full audit reports will be released when the developers fix the flaws. It's mind blowing that it has taken this long... but, we would not be doing anyone right if we released those reports with full exploits at the moment.
No one paid for this analysis. We devote a lot of time to random security auditing and have done so since 2013. We started doing it back in 2013 for the sole benefit of the hosting community when we discovered a privilege escalation vulnerability that affected every server that had Softaculous installed, and since then have uncovered hundreds of vulnerabilities in hosting software without being paid to do so.
To be blunt, we can afford to do work like this pro bono. As mentioned above it was not a full audit, but rather a once over of every function. The big name control panels (DirectAdmin, Plesk, InterWorx, cPanel) are run over quickly every month, and have been for years.
@rack911 excuse the riff-raff who've not followed this from the start and/or conspiracy theorists. ;-)
Some history for all of you, doubters who don't know what we do.
http://files.rack911labs.com/public/RACK911_Labs_-_Year_In_Review-2013.pdf
Some more history from the print copy of the now defunct TheWHIR magazine: https://i.imgur.com/K2wqjRr.jpg
Good to see DA has turned things around considerably - let's hope others can follow suit.
Things overall would have been much different with some of these companies security-wise before we started hammering on them. cPanel never had a formal security team, or bug bounties. That is something we pushed for and got. I was on a paddle boat during a cPanel conference years ago when one of the security team members told me, "we pushed for years to get a security team, it took you 6 months". The same story goes with many other companies.
Well there's more than me who appreciates the invaluable work done for the community. The 'exposure' alone I'm sure will stand you in good stead.
At first I stayed quite away and very polite but frankly, I take that whole thing to be mainly one thing: a marketing stunt for yourself and a few preferred panel producers.
Trust me, I know what an analysis looks like because I do them myself. So let me suggest you switch 2 gears down and don't paternalize LET users who have valid questions ...
P.S. And the message is? That most panel producers either don't know about security or they don't care about it anyway? How shocking. Who would have thought that! (Everyone with a working brain).
As someone on the panel side who has spent a great deal of time poring over panel developers' code, some get it and others don't. Some don't deduplicate, some copy and paste. Most of what Patrick pointed out was a mea culpa on my part, but something that could be easily addressed by the panel architecture. Others don't have appropriate design and they'll sink in technical debt without significant refactoring.
I appreciate what he's done for my business going forward. The lack of a bounds check on email domains has been withstanding for at least a decade. Knowing what to look for gave me an opportunity to take a closer look at these modules for other similar issues. Hindsight is always 20/20. Whether one does it out of charity or notoriety is still better than going through life blind.
That being said, it's a great opportunity to one up Patrick on a second round of audits to show what he missed
Is there any chance whatsoever to do the same for MyVestaCP fork of VestaCP?
It is my understanding that MyVestaCP, unlike "the original" is being regularly patched for flaws, while, unlike Hestia (another VestaCP fork), it is also made to be as compatible with VestaCP updates as possible (requiring a minimum number of changes to the code).
Talking about hosting community benefit - I think free open source is as good as it gets, mostly worth investing time and effort - if it is any good at all.