Comments
I'm still wondering why rack911 was not able to find the culprit in vestacp immediately from the issue last April 2018 IIRC. Instead it was one of the community users.
No explanation needed really. I was just wondering, as I think rack911 was given access to the repo for further investigation.
Free / pro bono or paid, I'm thankful for any of your insights. Again, I was just wondering what happened on that vestacp issue. Then vestacp IIRC just hired another sec audit company ("Arcturus") instead.
Awaiting the similar audit from @jsg
CyberPanel got busted, pretty much.
It's a deadly combination, to forward input directly into the shell without validation.
> @cazrz said:
Alot of misinformation on the internet on this one. Vestacp never worked with us on that level. We had tried to push paid audits on them but they always declined.
I would say that this is the guy you'd want to be working with:
https://github.com/myvesta/vesta/blob/master/README.md#myvesta-control-panel
myvesta seems to be good. But they are Debian only (no CentOS)!
And, from my understanding, currently not very good for reseller hosting setups.
Still, it's the only free open source solution that seems to be working and for which the developer is doing all they can to keep it as good as possible (and using it on their servers).
Would be interested in reading a security audit (and would be delighted to see more community support, it's practically a one man show for now).
IMHO this post is just a stunt or marketing. Traffic or for whatever purpose.
That's just my honest opinion.
Regardless of the motivations, the efforts have highlighted the security aspects of the various control panels and brought it to the front of people's minds.
Of course it's a company, they do exist to make money.
Even if they say it's all free and no one paid them, it's likely that they get a few customers more.
Which may pay for the work they put into it.
But at the end, the benefits are on both sides.
Not just one side, which is a fair trade as long as it's balanced.
Why a company trying to make money is seen as evil is beyond me.
What do you expect a company to do?
The word "company" triggers things like "Nestle".
It's all about https://en.wikipedia.org/wiki/Framing_effect_(psychology)
Rack911 is a company. Of course, they do have some targets in auditing those panels for free. Is this because they want to push people to use paid web panels instead of free ones? Is it because they want to continue their status as one of the most known auditing companies out there? Is it because they want to help prevent the spread of malware, viruses and hacked servers on the net? Or having more data on the exploits and issues in panels to gain more info when working on a paid task?
Maybe all of the above. But, at the end of the day, it is good having an audit company to do some checks to those panels and inform their developers.
It would be good, of course, if those developers do respond publicly (not in LET but in their website or forum) about the issues, the audit and their actions after.
And it would also be good if Rack911 wouldn't just write a number but also give some more info, not about the actual type of vulnerabilities but whether, for example, one of the three of Vesta is a catastrophic one and none of the 15 of Virtualmin is so dangerous.
That said, if you put aside the Vesta developer's attitude (that is well known), it is pretty impressive that it is the free panel with the fewest vulnerabilities, together with ispconfig.
As impressive as the fact that Virtualmin has tons of vulnerabilities (of course, it is something that can be explained by the range of features it has and the variety of OSes it can be installed on).
As for CyberPanel? This is a surprise given the fact that since long ago they have been backed by LiteSpeed itself to provide a panel that promotes the paid web server... It would be interesting to see what @cyberpersons has to state on this...
Won't happen. I'm way too disinterested in panels. Also all that PHP, Python, and Perl code is much too far away from my daily life. There are others who'll do a better job on that than me.
But still, as analyzing and verifying is an important part of my daily work I recognize when it's done well or not so well.
^ I get pissed off with my neighbours too.
Devs don't need to respond to the article.
Just patch the holes. Words are cheap after all.
With all the emphasis on security (rightly so) there appears to be a total lack of comparison as to how they all perform, in respect to RAM, CPU & disc overhead, in particular.
I'd think that'd be appropriate for the lowend sector.
Well, they are a security audit firm after all.
They don't need to look at anything else.
I did mean in general terms. Apologies for the brevity.
Well, the point still stands. They specialize in security audits and that is their sole reason for existence.
Sticking to what they are good at is a good way to stay up.
Of course, some are too good at screwing up in which case they will go belly up sooner or later.
In a discussion on this topic at a local (Serbian) VestaCP group, I pasted a link to this thread. The author of MyVestaCP (Predrag Damjanović) is unable to register on LET (not getting confirmation emails, support desk not working either apparently), so they asked me to forward this. So here it is:
(Just as a messenger here, nothing personally for, nor against both VestaCP and MyVestaCP, just that I'd be delighted to see a good quality FOSS alternative to both cPanel and DirectAdmin):
TL/DR - VestaCP author made the fix months ago.
EDIT: clarification
VestaCP author (Sergey) notified Patrick of the fix, but Patrick wanted Sergey to test and confirm the fix (i.e. Patrick didn't want to test the fix himself, expecting Sergey to do it and report back).
Tarzan English to Serbian to Tarzan English - things get lost.
The original quote:
"In fact, all three vulnerabilities are fixed on VestaCP - before 4 months - just nobody wanted to check it -
https://github.com/serghey-rodin/vesta/commit/743476ad73e4cd3b6efc4be61ed190d5f8dfc28d
Link for fixes is sent to Patrick - but Patrick expected from VestaCP devs to check fixes - but nobody did it at the end."
It is true that I've never gotten any sort of emails from LET except for the account confirmation email.
Shitloads of bots seem to register fine though, so I assume the email server is working.
No love for froxlor?
I think some people took my earlier comment the wrong way. I would rather know the details, so I am glad of your detailed work; there is also nothing wrong with a little skepticism, so please don't take it the wrong way.
For a massive positive I really like how the vendor's communication was also taken into account as this is a big deal I feel.
zpanel is not listed. Must be because it's 100% bullet proof.
(Sorry for triggering you, @joepie91 )
You seem to not be up to date. How can it be bullet proof without calling the magic "MakeBulletProof()" function?
Thank you to the efforts and generosity of @SecNinja and everyone at @rack911 !
I thought you would also audit WiseCP of @Sitemio? It's not a web hosting panel though, it's a billing panel.
It's a shame that https://www.keyhelp.de/en/ isn't as famous as the other free control panels, as I really wanted to know how they fared.
@jvnadr
This issue dates back almost 6 months. We released a security fix just a few days after receiving an email from Patrick.
I gave my detailed reply regarding how we structured root escalation in our original thread, a direct link to the response is https://www.lowendtalk.com/discussion/comment/2998884/#Comment_2998884
Even though the number is high, they are the same issue; once we addressed the fundamentals, it was all taken care of.
More can be seen in the release log, especially the release dated 16th July, 2019:
-> https://cyberpanel.net/docs/change-log-for-cyberpanel/
Apart from that, we are always trying our best and putting security first.