New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Comments
also running dev license?
As far as I can tell, it's a SPA with a Node Express API server. Don't know where you got JS SSR from 💀
Usually I wouldn't make random accusations of AI, but this seems like something that AI would hallucinate to explain a vulnerability.
And also, the vulnerability was from executing a shell command made by concatenating the bin & user input. Using another language would not have prevented it. It was a logic error, nothing to do with the language.
Thanks to everyone who took the time to test and report issues; it's genuinely appreciated.
All previously identified vulnerabilities have now been addressed, including input validation gaps and unsafe command execution paths. Additional checks and safeguards have been implemented across both route-level and execution layers.
If anyone would like to continue testing or attempt further audits, you're more than welcome; any additional findings are appreciated and will be reviewed promptly.
Appreciate the feedback and effort from the community 👍
Many sloppy comments make this funnier: "uses SSR", but the vuln was input not being sanitized. How does that require you to prompt for the answer? xD
So do I understand you correctly?
You let your AI write some program so you can make money selling it, but we should be the idiots to make it secure for you?
This is almost the exact line used by the last AI slop peddler who got laughed off the forum and ended up throwing a fit. You can't continue to improve something if you don't even understand what you wrote.
You aren't getting feedback the way you think you are. You are getting mocked and hacked while you still believe it's smart to start gearing up for production.
I doubt he even means that. It's probably just nonsense the AI hallucinated. I'm pretty sure he genuinely believed that his product was secure and nearing a production-ready state, given the fact that he's planning to start selling it "next week".
Looks like you're correct; I actually checked the response from the server now.
So yeah, this isn’t SSR.
If this is an Express API server, then the issue people found is actually more critical than I first thought. We can't blame SSR here. And honestly, even nowadays AI is capable of implementing proper input validation, so this looks more like a basic logic mistake than anything else.
So did you really go through the "panel and structure" or did AI hallucinate that too?
I don’t need to go through all that **.
Also, it's bad practice to store things like roles in localStorage. Even if you have proper server-side validation, it's still unnecessary exposure. I mentioned it because I actually want this project to succeed.
{"id":1,"username":"admin","email":"[email protected]","first_name":"Admin","last_name":"User","role":"admin","status":"active","two_factor_enabled":false,"last_login":"2026-03-22T08:09:56.973Z","last_login_ip":"112.134.225.36","created_at":"2026-03-14T09:57:40.458Z","permissions":[]}
Good point regarding localStorage, but just to clarify how it's implemented here:
The role stored in localStorage is only used for UI rendering (e.g. showing admin menus). Actual authorization is handled entirely on the backend.
Each request is verified using JWT (which only contains userId), and the role is fetched fresh from the database on every request. So modifying localStorage does not grant any additional privileges.
That said, I agree that storing unnecessary fields like last_login_ip on the client side isn't ideal and will be cleaned up to reduce exposure.
Appreciate the feedback; this is exactly the kind of input that helps improve things.
Since we are expected to be your red team, are we getting paid for it?
If you want to improve this further, it's better to move toward an in-memory cache instead of hitting the DB on every request. You can still keep strong security, but you need to make sure things like token blacklists and role/permission changes are properly and atomically synced across memory.
If that part is handled correctly, you can achieve both performance and security without checking the database for every request.
You're absolutely right about the performance impact of DB queries on every request. I agree that moving to an in-memory cache with proper cache invalidation would give us both security and performance. Will be implemented, thanks for your support.
I get the idea to source feedback from the community. But here it simply reads like
If you really cared about security you would have attempted to get your code audited by a third party that specializes in something like this. You are talking about a web hosting panel, competing with the likes of cPanel/DA, and security should be the paramount ask rather than sloppy features that are nice on paper to sell but whose usage is typically low once initial setup is done.
The majority of this community has the technical acumen of a mustard seed; it cannot and should not be used to find bugs.
@HPanel you should definitely not deflect the point so many have already made about vibe coding this panel. Acknowledge it and understand its workings. Do not blindly rely on AI. Hallucinations are a big reason why there are security lapses which lead to malicious actors exploiting vulnerabilities. This just increases the blast radius once you have production clients.
But yes, this is NOT the right place until you have your i's dotted and t's crossed.
You are simply doing more harm in the longterm to your reputation.
PS: Yes, the community is knowledgeable and savvy, but not everyone commenting here has the ability to understand the codebase / workings, including me.
But I know when to point out that smarter folks are needed.
Without a valid third-party security audit this will be limited to low-end plankton. Not even close to being usable for business.
Team size of developers?
SLA?
Software built to vendor lock-in customers.
When a panel uses a modular approach with some software, it can be replicated with other software. For example: LiteSpeed is used in cPanel and DA. Maldet and mod_sec are used in cPanel and DA. This is an advantage, not a problem.
So-called hpanel tries to reinvent the wheel and vendor-lock-in potential customers. Deceptive practice and the wrong angle to attract business.
That happens when you use an AI chatbot to reply on a forum instead of replying yourself.
That's not the fault of the bots; I'm the one who said it was SSR. I said that because I've seen similar server-side validation issues more often in JS SSR apps in my experience, and I already have a bias against that stack.
Can anyone link the 2 previous threads for comparison/humor?
I laughed a little when I was able to reboot the demo from restart server section. Perhaps disable that function.
Loop it, it's worth a thousand words.
It’s also where iHostARTs website is hosted too 😂
I opened all these functions for testing.
Please add support for Bun!
Please open the Terminal too for testing.
hpanel = highrisk panel
CREMS CHOCOLATES LTD 15347882 dissolved march 2025
SYED PRINTS LTD 13638687 dissolved march 2023
HOSTLIC LTD 12623752 dissolved july 2022
KTDL GLOBAL TRADE LTD 15375353 dissolved june 2025
HOSTLIC LTD 14252800 dissolved december 2024
SWIFTTRON LTD 12711071 dissolved december 2021
ALICRATE LIMITED 12803212 dissolved january 2022
Can guess MINSA PIVATE LIMITED is the same person.
HOSTLIC WEBHOSTING LTD 16074397
Gone soon?
Someone is really unsure what to do with his life.
With this love of registering companies I'm surprised he hasn't registered HPANEL LTD too.
Damn.. this is sad news, I would have bought the chocolate :c
I just went to the backups page, entered "| service nginx stop" as a hostname, and clicked on "test connection." LOL