
Comments
It's clearly vibe coded, idk much since it seems obfuscated, but I can assume it's a major security risk to install this.
Thanks for pointing this out — I took a closer look at the provisioning flow and made some improvements.
I've added a centralized sanitization layer (for usernames, domains, paths, etc.) and applied it across the critical areas in the provisioning code.
More importantly, I’m moving away from direct shell string execution and switching to safer patterns (argument-based execution instead of concatenated commands) to eliminate any potential injection risks.
If you spotted a specific exploit path, feel free to share — happy to patch quickly.
Appreciate the feedback — this helped tighten things up.
Also there were a lot of copy-pasted functions; hopefully that's just a bundling artifact and not you literally pasting all of the functions.
Wow, you really edited in that time, huh?
Original response was around:
1. base64 for shell encoding
2. it was not a sensitive production secret so it's ok
3. the setup script uses unescaped commands but because we control input its safe
Fair points, let me clarify a couple of things.
You're right on the HMAC part: anything shipped client-side shouldn't be treated as a secret. In this case it's being used more as a request signing mechanism than a true secret, but I agree the design can be improved. Moving towards a proper asymmetric verification model (e.g. public/private key) makes more sense long-term.
Regarding the command execution: good catch, if you're referring to the runtime code and not just the installer. That's exactly why I started refactoring the provisioning layer to remove string-based shell execution entirely. The goal is to eliminate any possibility of user-influenced input reaching a shell context.
On the earlier reply: yeah, that was based on a quick pass over the installer, but after your comment I went deeper into the codebase and found areas that needed tightening. So I updated the approach accordingly.
If you have a specific example of an injection path in the Node.js side, I'd genuinely appreciate it; happy to fix anything concrete.
You are way overcharging for this, I appreciate your intent with trying to replace a bunch of different tools - but you are here to compete in a market with extremely well established competition. You do not have the trust or recognition to warrant that sort of license fee. Not to mention with the slop-esque nature of your operation, you will have to do a lot to earn that trust.
On the positive side, the demo panel looks great, my biggest criticism of a lot of cPanel alternatives is that they don't quite get that mix of root/reseller and end-user UX right. I love(d) WHM and I find the patterns of everything else that usually mixes all user levels in to one UI to be a waste of time.
The reason I posted this on LET was specifically to get feedback from a technical community and catch issues early (especially around security and architecture). That’s already proven useful.
Some of the concerns raised (like command handling and parts of the provisioning flow) were valid, and I’ve already started refactoring those areas.
I’d much rather surface and fix these things now than later.
Appreciate everyone who took the time to dig into it; even the harsh feedback is helpful.
Appreciate the feedback — that’s fair.
On pricing: yeah, that’s something I’ve been adjusting based on the feedback here. The idea isn’t to compete on being the cheapest option, but to bundle a lot of things that usually require separate tools (security, backups, app runtimes, etc.) into one stack. That said, I understand the trust gap for a newer project, which is why I’ve lowered pricing for early adopters.
And glad you mentioned the UI separation; that was a deliberate decision. Mixing admin/reseller/user layers tends to get messy quickly, so keeping those boundaries clean was important from the start.
Still early, so a lot of this will evolve; feedback like this helps shape it in the right direction.
At this point, anyone who thinks they need a "modern" panel with all kinds of switches and dials really shouldn't be using a panel at all, and probably isn't. A solution in search of a problem nowadays...
Yeah, fair — the initial reply was based on a quick look at the installer.
After your comment I went back and reviewed the runtime code more thoroughly, and that’s where I found things that needed tightening — especially around command execution patterns.
So yeah, the approach changed once I dug deeper.
I’d rather correct it quickly than double down on something that can be improved.
Yeah, the whole code is insecure slop. I wouldn't touch it with a ten foot pole.
You should check Enhance.
Migration, multiple DNS servers, different servers for emails, backups, databases, etc. Backup is also powerful.
While I appreciate the new control panel popping up here and there, we will pass for now until there is a better cluster setup, such as Enhance.
Second or third time in a row within a year that someone tries to advertise his unfinalized panel on LowEndTalk, but within 3 months we hear nothing about what happened after going live.
Most of the time it's a shitty LLM- or AI-generated design change, claiming it's all self-coded, hiding behind different URLs to not expose the thing, or it fails from day one.
Haha Panel behind Host Lick Webhosting.
Stolen names to harm others possibly too, if not owners themselves.
host yabs:
Looks like those CTFs I grinded weren't useless after all.
Where is username/password for Demo?
Thanks for taking the time to test this and for sharing the findings — genuinely appreciated.
You’re right to flag this. We’re actively reviewing and tightening this part of the execution flow, and the team is already working on addressing it properly.
At this stage, the panel is still under active development and testing, which is exactly why it was posted here — to surface issues like this early and fix them before wider production use.
To be fair, this class of issues isn’t unique — most control panels (including established ones) have gone through similar security hardening phases over time and continue to evolve as new edge cases are discovered.
That said, the goal here is to eliminate these risks properly rather than patch around them, and feedback like yours helps a lot in getting there.
If you spot anything else, feel free to share — it’s genuinely helpful.
admin/admin123
The "—" in this message isn't on any normal keyboard and is a known, proven AI telltale sign. This entire message includes many other AI signatures. Do you not speak English and choose to use AI translation, or is everything you do AI?
Not sure how punctuation is relevant here 🙂
Happy to focus on any actual technical feedback if you have some.
lol
When the discussion shifts from the code to the person, it usually means the technical argument has already run its course.
Or it means the person isn't a person and is indeed an AI bot as multiple signs indicate.
Thanks again for testing this; I've now tightened validation across the affected fields.
Entry file and related inputs are restricted to valid formats only, and any shell-related characters are rejected before reaching execution.
Re-tested with the previous payloads and they are now blocked at validation level.
Appreciate the detailed testing — this helped close the remaining gaps.
Thanks for taking the time to test and point things out — genuinely appreciated.
Feedback like this is useful and helps improve the project, which is exactly the purpose of posting here.
That said, personal attacks don’t really add value to the discussion. People who are actually building and working on things focus on fixing issues — not on attacking individuals.
If there’s any further technical feedback, I’m always open to it.
Are we discussing with AI bot, as there are so many "—"?
Pakistan + panel is already a red flag.
Do you know, Hetzner's growing prices, is that worth it for you? Meaning losing millions.
2 AI slop machines talking to each other, love to see it.
Aw fuck we're getting kloxo'd/HyperVM'd again.
Quick, light the @raindog308 torch!
Francisco
These vulns are all already fixed.
Awesome. I recommend going through every form and thinking about what sort of characters should be allowed and just locking that down.
No username on *nix has special characters. It's alphanumeric.
Francisco