DBSA:2013-0001
Revision as of 18:14, 15 May 2013
DBSA ID: 2013-0001
Regarding: zPanel security practices
Writeup: Kradorex Xeron (talk) 18:11, 15 May 2013 (EDT)
Date: 2013 05 15
Last Modified: 2013-05-15 18:14:54 by Kradorex Xeron
Who should take note: System Administrators, Web Hosting Operators
Classification
Priority: IMMEDIATE
Rationale: Hosting providers and other web platforms running zPanel should migrate away from it as soon as possible.
Severity: MEDIUM
Rationale: Reported vulnerabilities are left unpatched, even after disclosure to the development team.
Spread of Issue: CROSS-PLATFORM LOW
Rationale: zPanel runs on both Windows and Linux, but other control panels are far more commonly deployed, so the spread of the issue is considered low.
Description
zPanel is an open-source system and hosting administration control panel targeted at hosting companies and at low-cost hosting of small and medium-sized projects.
The project recently had an incident <ref name="Ref01">http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_forum_user_fucken/</ref> in which a researcher/user reported an exploit to the vendor. A representative of the vendor denied that any vulnerabilities could exist in the zPanel platform, citing a review by a consultant. The representative then challenged the reporter to penetrate the vendor's servers and, in the process, insulted the reporter and was otherwise highly unprofessional. The reported exploit, together with related exploits, was subsequently used to penetrate and compromise the vendor's servers.
Technical Details
The vendor's website is http://www.zpanelcp.com. As of this advisory, the vendor's site is inaccessible.
Mitigation/Solution
Given the vendor's approach to security, it is strongly advised that the zPanel software suite be avoided and that those currently using it migrate to another management platform.
References
<references/>