A little history of security in ZPanel and Sentora:
ZPanel 5
When someone used PHP to reset my Windows administrator password back in ZPanel 5, I added the use of the PHP Suhosin extension to blacklist exec, popen, etc. commands. This has been implemented at the virtual host level to stop any domains/subdomains using PHP to run commands on the system. The team then implemented the same restrictions on the cronjobs when this was highlighted.
A ZPanel forum member managed to browse the entire contents of my Windows server back in ZPanel 5 and left me a text file in the D drive (not somewhere normally accessible through ZPanel). After this I implemented the open_basedir restrictions inside the virtual host settings to stop users of my free hosting service from accessing parts of the system they weren't supposed to. This restriction remains in place today to stop users using PHP to browse other parts of the system.
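The two per-virtual-host restrictions described above (open_basedir confining PHP file access to the account's own tree, and the Suhosin executor blacklist refusing the process-spawning functions) are the kind of thing a control panel writes into every generated vhost. The following is an added example of such a generator, not ZPanel's or Sentora's own code; it assumes Apache with mod_php, Suhosin loaded, a Linux hosting root, and the constructed paths shown in the usage at the bottom.

```php
<?php
// Added example, not ZPanel/Sentora code. Builds one Apache vhost block that
// carries the open_basedir and Suhosin blacklist restrictions. Assumes
// mod_php (php_admin_value is honoured) and that Suhosin is loaded.

function buildVhostConfig(string $domain, string $docRoot, string $hostingRoot): string
{
    // Only a plain hostname may reach the config: anything else could inject
    // extra directives into the generated file.
    if (!preg_match('/^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $domain)) {
        throw new InvalidArgumentException("invalid domain: $domain");
    }
    // realpath() resolves any "../" components before the prefix check, so the
    // document root really must sit below the hosting root.
    $realRoot = realpath($docRoot);
    $realHosting = realpath($hostingRoot);
    if ($realRoot === false || $realHosting === false
        || strpos($realRoot, rtrim($realHosting, '/') . '/') !== 0) {
        throw new InvalidArgumentException("document root outside hosting root: $docRoot");
    }

    // Functions that hand PHP code a shell or a process handle.
    $blacklist = 'exec,passthru,popen,proc_open,shell_exec,system,pcntl_exec';
    // open_basedir: the account's own tree plus a temp dir for uploads/sessions.
    $baseDir = $realRoot . '/:/tmp/';

    return <<<CONF
<VirtualHost *:80>
    ServerName {$domain}
    DocumentRoot "{$realRoot}"
    php_admin_value open_basedir "{$baseDir}"
    php_admin_value upload_tmp_dir "/tmp"
    php_admin_value suhosin.executor.func.blacklist "{$blacklist}"
    php_admin_flag suhosin.executor.disable_eval on
</VirtualHost>

CONF;
}

// Usage on constructed paths under the system temp dir.
$hosting = sys_get_temp_dir() . '/hosting-demo';
@mkdir($hosting . '/example.com/public_html', 0750, true);
echo buildVhostConfig('example.com', $hosting . '/example.com/public_html', $hosting);

// A document root that escapes the hosting tree is refused before any config is written.
try {
    buildVhostConfig('example.com', $hosting . '/example.com/../../', $hosting);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

php_admin_value is used rather than php_value so that a .htaccess or ini_set() inside the account cannot loosen either setting. On PHP builds Suhosin does not support, the core disable_functions directive carries the same function list to the same effect.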
ZPanel 6
I made sure the above implementations were transferred across and helped with PHP Suhosin on Linux.
ZPanel 10.0.0
I introduced the use of PDO and bound variables (base code and example implementation in a module or two). The Sentora team, including Bobby and Sam, then rewrote the entire application to use the new PDO base class and bound all variables around all the modules and core. If there has been any missed code, please report ASAP to a developer. We can then investigate and make sure to fix active code or remove inactive sections. (https://github.com/zpanel/zpanelx/commit...ad4fc7a5ae, https://github.com/zpanel/zpanelx/commit...985e365aee)
So a shout out to KwiceroLTD: if you find any more SQLi issues, please let us know!
This was a huge task for the development team and made the overall security of this control panel 100 times better. Also Bobby and Sam both implemented CSRF protection right the way across the application and all modules.
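To show what the PDO rewrite and the CSRF protection mentioned above actually change, here is an added example (not Sentora's code) with the string-spliced query the rewrite removed beside its bound-parameter replacement, plus a session CSRF token checked in constant time. It runs against an in-memory SQLite database with two constructed rows; the table, column and form field names are invented for the example.

```php
<?php
// Added example, not Sentora/ZPanel code. Demonstrates PDO bound parameters
// and a per-session CSRF token. Table/column/field names are constructed.

// The "before" shape: user input spliced into the SQL text. Do not use.
function findAccountUnsafe(PDO $db, string $username): array
{
    return $db->query("SELECT id, username FROM accounts WHERE username = '$username'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// The "after" shape: the statement is compiled first, the value bound later,
// so the input can only ever be compared as a literal username.
function findAccount(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM accounts WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// CSRF: one random token per session, embedded in every form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// hash_equals() compares in constant time, so a forged token cannot be
// guessed byte by byte from response timing.
function csrfCheck(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Constructed data: an in-memory SQLite database with two accounts.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO accounts (username) VALUES ('alice'), ('bob')");

// Constructed hostile input: with the unsafe query it rewrites the WHERE clause;
// with the bound query it is just a username nobody has.
$input = "' OR '1'='1";
printf("unsafe query matched %d rows\n", count(findAccountUnsafe($db, $input)));
printf("bound query matched %d rows\n", count(findAccount($db, $input)));

$session = [];
$token = csrfToken($session);
var_dump(csrfCheck($session, ['csrf_token' => $token]));
var_dump(csrfCheck($session, ['csrf_token' => 'forged']));
```

With the SQLite driver the prepare is native. On MySQL, PDO emulates prepared statements by default, so set PDO::ATTR_EMULATE_PREPARES to false in the connection options if you want the server, not the client, to keep query text and values apart.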
Sentora 1.0.0:
The protected directories module I recently completely rewrote to not use exec any more, which eliminated several vulnerabilities. When time allows, I'm hoping to continue rewriting each module to be more secure and add additional sanity checks. (https://github.com/zVPS/zvps-zpanelcp-htpasswd)
zsudo... yes, we know about it. Has anyone sent a valid pull request to help us out? If so, please point me to it. The team are working on a fix for this; most likely it will involve only allowing access to certain commands such as service reloads.
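The fix direction given above, allowing only certain commands such as service reloads, is an allow-list wrapper. The following is an added example of one, not zsudo or Sentora's command class; the action names, the argv they map to and the argument pattern are constructed, and it assumes PHP 7.4 or later for the array form of proc_open.

```php
<?php
// Added example, not Sentora's zsudo or command class. Runs only commands
// from a fixed allow-list; action names and argv below are constructed.
// Assumes PHP 7.4+ (array argument to proc_open).

final class CommandRunner
{
    /** Allowed actions mapped to the exact argv they may run. */
    private const ALLOWED = [
        'apache-reload'  => ['/usr/sbin/service', 'apache2', 'reload'],
        'postfix-reload' => ['/usr/sbin/service', 'postfix', 'reload'],
        'disk-usage'     => ['/usr/bin/du', '-sh'],   // takes one path argument
        'panel-user'     => ['/usr/bin/id', '-un'],
    ];

    /** Only these actions accept an argument, and only if it matches the pattern. */
    private const ARG_PATTERN = [
        'disk-usage' => '#^/var/hostdata/[a-z0-9_]+$#',
    ];

    public function run(string $action, ?string $arg = null): array
    {
        if (!isset(self::ALLOWED[$action])) {
            throw new InvalidArgumentException("action not allowed: $action");
        }
        $argv = self::ALLOWED[$action];
        if ($arg !== null) {
            $pattern = self::ARG_PATTERN[$action] ?? null;
            if ($pattern === null || !preg_match($pattern, $arg)) {
                throw new InvalidArgumentException("argument rejected for $action");
            }
            $argv[] = $arg;
        }
        // The array form executes argv directly with no shell, so metacharacters
        // in $arg can never become a second command.
        $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException("could not start $action");
        }
        $stdout = stream_get_contents($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
    }
}

$runner = new CommandRunner();

// Each of these is refused before anything is executed: an unknown action, an
// argument carrying a shell metacharacter, and an argument for an action that takes none.
$attempts = [
    ['reboot', null],
    ['disk-usage', '/var/hostdata/alice; id'],
    ['apache-reload', 'extra'],
];
foreach ($attempts as [$action, $arg]) {
    try {
        $runner->run($action, $arg);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// An allowed action with no argument runs as listed.
$result = $runner->run('panel-user');
echo 'runs as: ', trim($result['stdout']), "\n";
```

The wrapper still needs whatever privilege the listed commands require; the point is that the privileged side only ever sees a fixed argv chosen by action name, never a command string assembled from request data, so the sudoers entry can be restricted to exactly those argv.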
The file permissions do need fixing up, something we will review with an updater.
The point of this post really is to say the only aspect of this control panel I have really worked on throughout its history is the security of the panel:
Postfix default credentials - https://github.com/zpanel/zpanelx/commit...7c7b1d4595
Cronjob blacklist fixed - https://github.com/zpanel/zpanelx/commit...ee937edb4a
System command bind - https://github.com/zpanel/zpanelx/commit...b66501a6a1
Removal of protected directories - https://github.com/zpanel/zpanelx/commit...24be4563cb
Addition of new protected directories -
Fixed sql query to use binds - https://github.com/zpanel/zpanelx/commit...730e0ccd8f
Apache reload command - https://github.com/zpanel/zpanelx/commit...f29b0d211d
Implementation of standard class for running commands - https://github.com/zpanel/zpanelx/commit...aacd046cf2
Bind recursion - https://github.com/zpanel/zpanelx/commit...734fca76d1
So please help to secure the panel rather than just bashing the developers. We are actively accepting pull requests; however, make sure to keep them small and to target one particular issue at a time. This way they are likely to be accepted quickly without any major reworks of active development.