New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Comments
agreed.
Username validation has now been tightened to allow only safe alphanumeric formats (no special characters), aligned with standard Linux user constraints.
Invalid inputs are rejected at the validation layer.
Appreciate the suggestion
I'd recommend asking for this thread to be closed, and to research fundamentals of data security such as input validation. Once you have done this, come back and ask for it to be opened. LET is a highly critical community; you must come across as experienced if you want any level of success.
AI is the great enabler, but it can also make you look bad and kill your reputation before it even begins. Every response has the em-dash, the UI is clearly entirely vibe-coded and overall I'd already not be willing to test this project from what we have seen.
As a provider, we'd be trusting you with the data of our customers which could make or break our business, and also have legal implications. You need to spend more time on your initial development before asking for feedback as this is not normal feedback you should be wanting from your users, it should be user experience, not to find major security holes.
Wow
So HPanel has already been hacked
Wow
I am always eager to check new software, and some findings are really promising, but I didn't go past your website. You have a company page that shares no info about your company; you should consider adding that, or make clear this is a hobby project, which is fine. Either way, it makes me think that something shady or not serious enough is going on.
Yep. Took just a few days. This is hilarious.
At this point, I genuinely think OP should have their Patron Provider tag removed. They:
Disclaimer: This is my opinion bout the logo only. Not the functioning or anything.
I agree, just because they paid for that role doesn't mean they should be able to promote a product of such low quality.
I'm not a professional security researcher, but I was still able to quickly identify that vulnerability. I'm sure there are still many more in the newer versions.
The commands are all run as root, so it's fundamentally insecure, even if this specific shell injection was fixed.
There have been several AI slop bots that have come here and peddled insecure products lately, and they all argue in the exact same way (which is why I'm convinced this guy is using an LLM for responses, not for translation). In every case, once you point out a severe security vulnerability, it replies saying that that's a "fair point" and that it's been fixed, but it refuses to understand that more issues lurk. It will demand endless proof.
lol, quite interesting. I've noticed the same thing; it almost looks like the same person with different profiles.
That's because they aren't even reading or writing the responses the majority of the time. They just copy-paste the conversation into their LLM and copy-paste the output here, so even the substance of the arguments themselves (not just the wording) is identical.
wait is this happening again already? appreciate that.
You do know changing the capitalisation of the first letter of something doesn't make it different, right?
I hope you plan to register it as a trademark before Hostinger do.
Copyright exists based on proof of usage historically before another entity.
😊
It's not always necessary to formally register a trademark. Mere use is enough to have some level of protection. However, all of hPanel's (severe) issues aside, I don't think trademark infringement is one of them. For a trademark to be infringed, you have to prove that they compete directly in the same market and people are likely to confuse one with the other.
You could sell a product called a Macintosh if it's a circular saw, but you couldn't sell a computer with that name. You could create a company called Amazon if its industry is Amazon river tours, but you could not provide a generic delivery service with that name.
This is why Cisco and Apple aren't at each other's throats over their (very valuable) IOS/iOS brands: No one is going to confuse a mobile phone OS intended for the average person with an enterprise router OS intended for networking engineers, despite both being not just software, but operating systems. Likewise, OP's hPanel is not likely to be seen as a direct competitor to Hostinger's internal hPanel despite both being web control panels.
Your stack is solid overall, especially the isolation with cgroups v2 and per-user PHP-FPM. The lightweight footprint is also a big plus.
The main concern is SSR from a JS framework in a hosting control panel. This environment is inherently high risk with multi-tenant data, filesystem access, and sensitive server-side state. Typical SSR setups can easily expose things like internal APIs, or create injection paths if rendering is not strictly controlled.
If you keep SSR, it should be treated as a very thin rendering layer with no direct access to core services. A proper BFF layer should sit in between and handle all data access with strict validation and request scoping. Each render must be fully isolated per request, and CSP with per request nonces should be enforced properly. Sensitive data should never be part of the SSR payload at any point.
If you want stronger guarantees, moving the BFF or even the rendering boundary to Go or Rust is a better approach. It gives more predictable execution and tighter control compared to typical Node SSR setups.
If you want, I can help design a clean BFF and SSR validation flow for this.
Solid, except vulnerable to remote code execution.
Are... are you joking right now? Did you really just post an AI's reply directly without even removing that final tell? You know pure AI content without humans is not allowed here, right?
No, I’m not joking. I wrote that and used AI to clean up the wording since my English is not that good. The main point still stands.
I mostly work with Go and Rust on backend systems where isolation and security really matter. If you’re interested, I’m happy to help think through a proper BFF layer and SSR boundary with stronger validation and request isolation.
"If you want, I can help design a clean BFF and SSR validation flow for this." is not AI translating for you. That's AI copy-paste. Anyway, the AI was wrong in its analysis: the code is insecure garbage.
Maybe you haven’t fully checked the demo.
From what I’ve seen so far after going through the panel and structure, the system actually has a decent design and covers most of the required functionality.
From my perspective, the main concern is more about using JS for the backend in this context, not that the entire system is insecure garbage.
You can’t really make that kind of conclusion without a proper review. Looking at what they’ve built vs what’s missing (which seems relatively small), it’s not fair to assume those gaps can’t be fixed.
Seems like bro forgot the magic words when he created the app.
Don’t worry, he has added them now, and this is now perfectly secure software that's worth its money 🤡
What about demonstrating an RCE in mere minutes?
This is more of a general problem with JS SSR frameworks. It’s not that Next.js or Express can’t be secure, but in practice it’s much harder to do it properly. Developers have less control compared to something like Go or Rust, especially around isolation and request handling.
But this isn’t some impossible issue. We can fix most of it with a proper BFF or gateway layer, even if there are 300+ endpoints. It can actually improve performance too.
I’m here more because I’m interested in a new cPanel alternative. CloudLinux is still built around older kernel assumptions, and cPanel is slowly becoming a monopoly. This project actually has a better architecture direction, so it makes more sense to help make it secure rather than just ignore it.
Since it's AI slop, I wouldn't get anywhere near it. Anyone can make something like this, and this is too badly broken to be fixed without a rewrite. A rewrite that OP, mind you, does not have the skills to do.
Using Rust for a web backend is a bit odd. It's a systems programming language.
I don’t really agree. We use Rust as a gateway layer even for systems built on Python stacks, and it makes a big difference in security and performance, especially for older or less secure setups. With Actix and Moka you get solid control and performance, and using things like tokio command and tokio fs gives much better control over commands and file operations than most standard libraries in other languages. Rust fits this role pretty well.
Sorry but this is a lost cause.
If the dude "coding" this doesn't understand what his code is actually doing without asking his chat bot, what are you supposed to do here?
About everything can probably have security issues and the codebase of a project this size is definitely getting really messy.
Also, it's a commercial closed source project, so no qualified programmer will ever see the code anyways 🤷
I also thought the same at first. The only silver lining I saw was the usage of cgroup v2.
We have done similar types of project for a client, but with much better namespace and fs isolation than this. So it’s definitely possible to do this properly.
I don’t think this architecture is designed by AI, but yeah, you are right about the coding and the stack; this looks like a very common AI vibe stack.
Does the h in hpanel stand for hostlic?
nvm found the answer
https://www.reddit.com/r/webhosting/comments/1rq2we2/after_years_of_using_cpanel_i_decided_to_build_my/
No system is immune to vulnerabilities; even mature panels like cPanel or DirectAdmin regularly patch security issues.
The important part is identifying, fixing, and continuously improving, which is exactly what this early feedback phase is for.
Someone really doing meta on YouTube: "How I get $100k by using AI no coding 1000% works"
You're selling a product that a bored guy on a forum for cheap VPSes was able to fully compromise. You are in way over your head. There is a difference between "nothing is perfectly secure" and "randos on a forum for cheap hosting can break into it with ease". Before "continuously improving" comes "learning how to program".
You are only doing more damage to your brand by staying here.
I get where you're coming from; the initial issues were real and already acknowledged.
But let’s be clear: this thread was posted specifically to find problems early.
Pointing out vulnerabilities is useful; repeating the same narrative after fixes, or turning it into personal remarks, isn’t.
If there are still concrete issues, I’m open to hearing them. Otherwise, I’ll focus on continuing to improve the system rather than going in circles here.