# Feathur Launch (VPS Control Panel => 0.6.0.1 => Free For Private Use)



## BlueVM (Nov 6, 2013)

Alright so today we're launching Feathur (beta). As part of this launch we're opening up the GitHub and we're releasing our panel to the public. I'll start off with a quick Q & A, branch off into where to obtain a copy and then cover the future of Feathur.

*Basic Description:* Feathur is a VPS control panel based on PHP. Typical Feathur installers create a Linux-based nginx, PHP and MySQL system (LEMP) with a built-in phpMyAdmin, and control VPS via SSH connections. Feathur is designed to have global administrators and individual users. Each administrator can control all of the VPS in the system. Each user can control any VPS assigned to them by an administrator.

*Q: What virtualizations does Feathur support?*
A: Feathur currently supports OpenVZ and KVM.

*Q: What does Feathur cost?*
A: Feathur is FREE for private use. If you'd like to use Feathur commercially (EG: sell VPS) we offer licenses at $3.50 per server per month. There are no upfront fees or additional costs, just $3.50 per server per month. You can install and test out Feathur without purchasing a license.

*Q: If I need support where can I find it?*
A: We offer unpaid voluntary support via:
- Our Forums (http://forum.feathur.com)
- Our IRC Channel (irc.obsidianirc.net #feathur)
We offer paid support for those who have a license via ticket on our site. (http://feathur.com)

*Q: Is the code viewable/editable?*
A: Yes our code is viewable via: https://github.com/BlueVM/Feathur
If you want to contribute you're more than welcome to. If you want to modify Feathur to better suit your needs you're welcome to.

*Q: What license is Feathur released under?*
A: We had to write our own custom license. It's viewable at: https://github.com/BlueVM/Feathur/blob/develop/License.v1.txt
We aren't lawyers, we aren't pretending to be... if you have a suggested change to it let us know.

*Q: What prevents me from stealing Feathur's code and using it in another panel?*
A: In reality: nothing, but we'd greatly appreciate it if you didn't. Technically our license prevents you from stealing our code to resell it, but at the same time we hope you're a nice person and choose to pay for our code.

*Q: Has Feathur's code been externally audited?*
A: Yes, we've had it externally audited by a team of 4 separate individuals and most notably Vlad from Safe or Not.

*Q: Does Feathur have any bugs?*
A: Yes, it has a few known bugs, but most software does. We feel confident that Feathur is ready for day-to-day use without the need for outside support.

*Q: I've found a bug, where do I report it?*
A: Either on our forums or better yet here on our github.

*Q: Does Feathur support rDNS? TUN/TAP? PPP? IP Tables?*
A: Yes to all of these...

*Q: I like your project, how can I support it?*
A: If you can afford it consider purchasing a license of Feathur (it's $3.50 a month). We've spent a large amount of our own time and money (yes it costs money to have people audit Feathur and to pay for the design, etc... a lot in fact). If you can't afford to donate, encourage your hosting provider to switch, contribute to our code, or just link to our site on your blog/twitter. All of the support is greatly appreciated.

*Q: If you're charging commercial providers for Feathur, why are you asking for support from the community?*
A: When we decided on a price for Feathur we could have gone with the industry standard, but instead we decided to release it with as little cost to the end user as possible (free/$3.50 if you're a provider). We did this so that the community could benefit from the project and the project would take in enough money to help pay for itself. We'll likely never make money on Feathur, but we'd appreciate recognition for our contribution to the community.

*How to obtain a copy:*

We've prepared several setup guides which are available on our wiki: https://github.com/BlueVM/Feathur/wiki

*Installers include:*
- Debian 6 Master
- CentOS 6 Master
- CentOS 6 OpenVZ Slave
- CentOS 6 KVM Slave
- Ubuntu 10.04 - 14.04 KVM Slave

You can choose to install the master and the slave on the same physical machine if you don't have a separate VPS/server to run Feathur's master server on. (Who here doesn't have a VPS sitting around idling?)

*What's in the Future of Feathur?*

We will be releasing updates at least every 2 weeks with new features, bug patches, etc... We will likely release patches and updates every few days and thanks to our update system they'll automatically be downloaded from our GitHub within 15 minutes after we make them.

We plan on supporting backups, Xen, VirtualBox, LXC and tons of smaller features. We'll be releasing an update which will allow users to download/upload backups of their own VPS as well as the ability for users to upload their own KVM ISOs (based on administrator preference).

We also have a new design in the works: http://prntscr.com/22g1ns

*Important Links*

Our Site: http://feathur.com
Github: https://github.com/BlueVM/Feathur
Wiki: https://github.com/BlueVM/Feathur/wiki

Bug Report: https://github.com/BlueVM/Feathur/issues

Forum: http://forum.feathur.com

License Checker: http://check.feathur.com

Questions, comments, thanks, etc... let us know


----------



## RiotSecurity (Nov 6, 2013)

Oh god.....

No, just no.


----------



## BlueVM (Nov 6, 2013)

@RiotSecurity - Thanks for the negativity right off the bat


----------



## HalfEatenPie (Nov 6, 2013)

Excited for this Johnston!  Congrats on launching the beta!


----------



## johnlth93 (Nov 6, 2013)

Cool, going to give it a try when i am free


----------



## budi1413 (Nov 6, 2013)

I'm trying the panel right now.


----------



## MannDude (Nov 6, 2013)

Nice! I beta'ed it a while back and it did what it was supposed to do!

Good to see it come out and looking forward to it getting more real world use. Everyone else, report back how it goes!


----------



## drmike (Nov 6, 2013)

$3.50 per server per month.. Nifty.  Good pricing.

VLD audited this?   That means something to me.  He's a real person offering such services and no lightweight either.

Hey, I am impressed.


----------



## BlueVM (Nov 6, 2013)

@drmike - Yeah we had him audit it along with several other "hackers". The whole goal behind the pricing is to pay for the project's development. Getting it this far has cost us quite a bit... so the licensing for commercial use is just there to help repay that and keep the lights on in the future.


----------



## fisle (Nov 7, 2013)

Congrats on release!

The "free for private use" thing is great. I might play with this at home


----------



## Zigara (Nov 7, 2013)

https://github.com/BlueVM/Feathur/blob/develop/feathur/includes/functions/vps.openvz.class.php#L25

https://github.com/BlueVM/Feathur/blob/develop/feathur/includes/functions/vps.kvm.class.php#L28


----------



## bfj (Nov 7, 2013)

That...that is fuckin AWESOME!

I should post a troll question on StackOverflow and see how many *facepalms*  /me bangs head on desk   and /wrists  I get!


----------



## BlueVM (Nov 7, 2013)

@Zigara, @bfj - If you have a suggestion or would like to contribute, please let me know. Otherwise go attempt to make your own panel instead of laughing at our work.

Yes, I should have used ctype_digit() and I should have compiled all the errors at the end so they displayed all at once to the user... I'll likely go back and rewrite that section in the future.


----------



## WebSearchingPro (Nov 7, 2013)

BlueVM said:


> @Zigara, @bfj - If you have a suggestion or would like to contribute, please let me know. [...]


I'm sure they accept pull requests. It is GitHub after all.


----------



## clarity (Nov 7, 2013)

This is pretty cool. I will probably give it a shot to see what it can do. 

The only suggestion that I have is not to change the theme to your screenshot. That is very hard on the eyes.


----------



## wcypierre (Nov 7, 2013)

WebSearchingPro said:


> I'm sure they accept pull requests. It is GitHub after all.


They do.

They just got their first pull request.


----------



## WebSearchingPro (Nov 7, 2013)

dclardy said:


> The only suggestion that I have is not to change the theme to your screenshot. That is very hard on the eyes.


I second this suggestion too after thinking about it for a bit. I think you would have better luck developing a simple way to theme Feathur so companies can match the look of their site easily.

I personally think BlueVM's Feathur would look nice with a dark theme to match their site, a candy looking theme just does not seem to match BlueVM's style.


----------



## bfj (Nov 7, 2013)

WebSearchingPro said:


> I'm sure they accept pull requests. It is GitHub after all.


Right, because they are selling it and I want to give away my code for their profit. Thanks! (Not to mention there is TOOO much that needs to be changed)

@BlueVM, Just one suggestion ... hire a real coder, because anyone with a year of PHP knows NOT to use globals inside of classes. And any 2nd year coder knows NOT to use 50 nested if's. And any 3rd year coder knows TO follow some form of coding guidelines for consistency. And any Database coder knows NOT to alter tables dynamically in code.

I lied, my second suggestion is to use some form of coding standard such as Zend's Coding Standards. 

Not tryi...well yes I am trying to be a dick. But honestly, that is how bad that code is. I think hiring some Indians might be less of a security risk with just the same clusterfuck.

EDIT:

Oh and I don't plan on making a panel because I don't run a VPS business. But if I knew your host was running this panel, I would be very concerned as an end user. The code is obviously flawed and coded by someone with some or none REAL programming experience.


----------



## perennate (Nov 7, 2013)

WebSearchingPro said:


> I'm sure they accept pull requests. It is GitHub after all.


Any modifications you make are owned by Feathur LLC (i.e., including the modifications themselves). I wouldn't even make any modifications to the code or submit a pull request without first consulting a lawyer or receiving written permission from them as it may very well violate their license. Even if it doesn't violate the license, though, you wouldn't own your own work, so it seems like it'd be a big waste of time.


----------



## bzImage (Nov 7, 2013)

This code is a deranged smurf, it looks like a blue nightmare.


----------



## Francisco (Nov 7, 2013)

bfj said:


> Not tryi...well yes I am trying to be a dick.


Going deep for sure >_>

Honestly, for what it's worth, Solus does the exact same shit *all* over their code. Anyone who has had a chance should get a decompiled copy of the *create* pages in Solus. It's the EXACT same thing. They have 8+ depth if statements to push errors/template data to the end user.

Francisco


----------



## bfj (Nov 7, 2013)

Francisco said:


> Honestly, for what it's worth, Solus does the exact same shit *all* over their code. Anyone who has had a chance should get a decompiled copy of the *create* pages in Solus. It's the EXACT same thing. They have 8+ depth if statements to push errors/template data to the end user.


Right, so why do we providers want another SolusVM security cluster fuck? This just goes to prove my point(s) even further.


----------



## perennate (Nov 7, 2013)

bfj said:


> Right, so why do we providers want another SolusVM security cluster fuck? This just goes to prove my point(s) even further.


Well, at least the source isn't encoded, so if there's a feature you want to add or a security issue you want to fix you could code it without relying on "Feathur LLC" (although modifying it may very well violate the license, because of the way it is written).

Fake edit: they're taking suggested changes to their license so if there's any lawyers on here you could check their license and let us/them know.


----------



## acd (Nov 7, 2013)

Out of curiosity, how does the license change if paying 3.5 USD per server per month?  What exactly is being sold if said software is offered ....



> 9. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


_edit:_ Changes to unlicensed feathur don't appear to be explicitly prohibited, so long as the license checking system is not modified--though if the license system does checksumming or similar, you may be SOL. If anyone gave you crap about fixing bugs or making changes in a licensed copy not for redistribution, that would be sad, but possible.


----------



## perennate (Nov 7, 2013)

acd said:


> Out of curiosity, how does the license change if paying 3.5 USD per server per month?  What exactly is being sold if said software is offerred ....
> 
> _edit:_ Changes to unlicensed feathur don't appear to be explicitly prohibited, so long as the license checking system is not modified--though if the license system does checksumming or similar, you may be SOL. If anyone gave you crap about fixing bugs or making changes in a licensed copy not for redistribution, that would be sad, but possible.


There is no license checking system built-in to the software. There is an external one on their website.


----------



## drmike (Nov 7, 2013)

> bfj states: "@BlueVM, Just one suggestion ... hire a real coder, because anyone with a year of PHP knows NOT to use globals inside of classes. And any 2nd year coder knows NOT to use 50 nested if's. And any 3rd year coder knows TO follow some form of coding guidelines for consistency. And any Database coder knows NOT to alter tables dynamically in code."


So, I don't pretend to know a thing about PHP 

About this global inside of a class...  How else would one call a database connection inside such a class?

School me please.  Lots of folks will benefit from knowledge / example.


----------



## drmike (Nov 7, 2013)

Has anyone look specifically for security concerns?  Fran?

@BlueVM, can you comment on the vld "audit" and what was covered and if you are a customer of his company?  I don't want to seem too gung ho just because of name association.


----------



## Francisco (Nov 7, 2013)

Well, if you use a proper MVC then the database would be a library/class that would be extended into the core controller and then can be called at any point.

A lot of the exploits in WHMCS are because they use global variables and force register_globals on. What register_globals does is you could set a variable in the URL and it'd set a variable of the same name in your code, allowing you to inject things like a beast.

Justin wasn't kidding when he said there was 30k+ lines of code. I've not had a chance to audit very much of it but it would have been nice if he had used a more advanced MVC.

Most of the bigger MVCs have validation classes and things like that to make it so the 19 depth if statements don't happen. You feed it a few function calls and it's game.

I think the biggest issue I've seen so far is that they do raw SQL queries in the code. Now, they're using PDO's bindings which means SQL injects are pretty much not going to happen, but because they aren't pushing things into a Model, a column name change means they have to update every file that calls said column, instead of just that single file and a couple templates.

Francisco
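The two things asked about above, how a class gets at the database without `global`, and what the register_globals injection Francisco describes actually looks like, as an added example. This is not Feathur's code and not something anyone in this thread posted; it assumes PHP 7.4+ with the pdo_sqlite extension, the class, table and field names are hypothetical, and the request data is constructed. register_globals itself was removed in PHP 5.4, so `extract()` stands in for it here.

```php
<?php
// Added illustration, not Feathur code. (1) "global $database" inside a class versus
// constructor injection of the PDO handle; (2) register_globals-style variable
// injection, simulated with extract(). All names are hypothetical; the database is
// an in-memory SQLite table built for the demo.
declare(strict_types=1);

$database = new PDO('sqlite::memory:');
$database->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$database->exec('CREATE TABLE vps (id INTEGER PRIMARY KEY, owner TEXT)');
$database->exec("INSERT INTO vps (id, owner) VALUES (7, 'alice@example.com')");

// (1a) Reaching into the global namespace: the dependency is invisible in the class's
// interface, every caller must have created exactly this global, and nothing stops other
// code (or, under register_globals, a request parameter) from replacing it.
class VpsRepoGlobal
{
    public function ownerOf(int $id): ?string
    {
        global $database;
        $st = $database->prepare('SELECT owner FROM vps WHERE id = :id');
        $st->execute(['id' => $id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['owner'] : null;
    }
}

// (1b) Constructor injection: the handle is an explicit, typed dependency that can be
// swapped for a test double and cannot be clobbered by a stray global assignment.
class VpsRepo
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    public function ownerOf(int $id): ?string
    {
        $st = $this->db->prepare('SELECT owner FROM vps WHERE id = :id');
        $st->execute(['id' => $id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['owner'] : null;
    }
}

// (2) register_globals turned every request parameter into a PHP variable before the
// script ran. Code that only ever *set* a flag on the success path, and never
// initialised it, could be flipped from the query string. extract() reproduces that.
function adminPanelUnsafe(array $request, bool $sessionIsAdmin): string
{
    extract($request);                // like register_globals: ?is_admin=1 defines $is_admin
    if ($sessionIsAdmin) {
        $is_admin = true;             // only assigned on the success path...
    }
    return !empty($is_admin) ? 'admin panel' : 'denied';   // ...so the injected value passes
}

function adminPanelSafe(array $request, bool $sessionIsAdmin): string
{
    $is_admin = $sessionIsAdmin;      // initialised from trusted session state only;
    return $is_admin ? 'admin panel' : 'denied';   // $request is never turned into variables
}

// Demo with constructed input
echo (new VpsRepoGlobal())->ownerOf(7), "\n";               // alice@example.com
echo (new VpsRepo($database))->ownerOf(7), "\n";            // alice@example.com
echo adminPanelUnsafe(['is_admin' => '1'], false), "\n";   // admin panel  (bypassed)
echo adminPanelSafe(['is_admin' => '1'], false), "\n";     // denied
```

Both repository classes run the same parameterised query; the difference is only where the handle comes from. The injected version is what an MVC's "database library extended into the controller" boils down to: the controller receives the handle once and hands it to whatever needs it.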


----------



## perennate (Nov 7, 2013)

Francisco said:


> Justin wasn't kidding when he said there was 30k+ lines of code. I've not had a chance to audit very much of it but it would have been nice if he had used a more advanced MVC.


Feathur has ~4000 lines of actual back-end code. The rest are libraries and templates and such.

Also pretty sure that there's a theoretical vulnerability in the forgot password implementation -- it uses random_string, which utilizes mt_rand, which does not generate cryptographically secure random numbers. Then, an attacker probably would be able to find the state after generating enough forgot password strings (each one is 120 characters, I think you need about 2000 consecutive iterations to guess the state, so you'd have to forget your password 17 or so times). Then after finding the state attacker could just enter a victim's email address. Of course it'd be very hard to pull it off, but still should use cryptographically secure random numbers.

But overall it looks pretty well coded. Sure, there's some areas that need improvement (like nested if statements), but it's not a giant mess.


----------



## perennate (Nov 7, 2013)

Also exec statements could be done better; if you can't find a library that handles argument escaping, then implement something that does the escaping automatically from arguments instead of using escapeshellarg every time. Probably you could just pass in an array of separate arguments (including target to execute) and then have each element escapeshellarg'd.
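One way to implement both suggestions, BlueVM's earlier note about `ctype_digit()` and collecting every error before responding, and perennate's point here about escaping each argument automatically. This is an added example, not Feathur's code; the form fields, limits, hostname regex and the `vzctl` invocation are assumptions, and the inputs are constructed.

```php
<?php
// Added example, not Feathur code. Validates numeric form fields with ctype_digit() and
// reports all errors at once, then builds shell commands from an argv array in which every
// element is passed through escapeshellarg(), so no call site can forget it.
// Field names, limits, the regex and the vzctl options are hypothetical.
declare(strict_types=1);

/** Returns [errors, clean]. ctype_digit() accepts only the characters "0"-"9", so it
 *  rejects "-1", "1e3", " 42", "0x1A" and "" where is_numeric() or an (int) cast would
 *  accept or silently coerce. It is given strings only: ctype_digit(int) treats the
 *  integer as an ASCII code, which is not what a form handler wants. */
function validate_vps_form(array $in): array
{
    $errors = [];
    $clean  = [];
    $rules  = [                      // field => [min, max]
        'ctid'   => [100, 999999],
        'memory' => [64, 65536],     // MB
        'disk'   => [1, 4096],       // GB
    ];
    foreach ($rules as $field => [$min, $max]) {
        $v = $in[$field] ?? '';
        if (!is_string($v) || !ctype_digit($v)) {
            $errors[] = "$field must be a whole number";
            continue;
        }
        $n = (int) $v;
        if ($n < $min || $n > $max) {
            $errors[] = "$field must be between $min and $max";
            continue;
        }
        $clean[$field] = $n;
    }
    $host = $in['hostname'] ?? '';
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    if (!is_string($host) || !preg_match("/^$label(\\.$label)*\$/iD", $host)) {
        $errors[] = 'hostname is not a valid DNS name';
    } else {
        $clean['hostname'] = $host;
    }
    return [$errors, $clean];
}

/** Builds one command line from an argv array; every element is escaped, so a value such
 *  as "vm1; rm -rf /" reaches the program as a single argument. */
function build_command(array $argv): string
{
    if ($argv === []) {
        throw new InvalidArgumentException('empty argv');
    }
    return implode(' ', array_map('escapeshellarg', array_map('strval', $argv)));
}

/** exec() wrapper that only accepts an argv array, never a preformatted string. */
function run(array $argv, ?array &$output = null, ?int &$status = null): string
{
    $cmd = build_command($argv);
    exec($cmd . ' 2>&1', $output, $status);
    return $cmd;
}

// Demo with constructed input: one bad number and a hostname carrying shell metacharacters.
[$errors, $clean] = validate_vps_form([
    'ctid' => '101', 'memory' => '512', 'disk' => '10e1', 'hostname' => 'vm1; rm -rf /',
]);
print_r($errors);   // both errors reported together: disk and hostname

[$errors, $clean] = validate_vps_form([
    'ctid' => '101', 'memory' => '512', 'disk' => '10', 'hostname' => 'vm1.example.com',
]);
echo build_command(['vzctl', 'set', $clean['ctid'], '--hostname', $clean['hostname'],
                    '--ram', $clean['memory'] . 'M', '--save']), "\n";
// 'vzctl' 'set' '101' '--hostname' 'vm1.example.com' '--ram' '512M' '--save'

run(['echo', 'vm1; rm -rf /'], $out, $rc);
echo $out[0], "\n";   // vm1; rm -rf /   (echo received it as one argument; nothing else ran)
```

The validator still rejects the hostname before anything is executed; `build_command()` is the second line of defence for values that are legitimately free-form, and keeping it as the only way to reach `exec()` is what makes the escaping impossible to skip.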


----------



## ultimatehostings (Nov 7, 2013)

Congrats, so should the paid license cover any number of slaves? I was impressed with the combo feature, simply out of the box thinking.


----------



## perennate (Nov 7, 2013)

ultimatehostings said:


> Congrats, so should the paid license cover any number of slaves? I was impressed with the combo feature, simply out of the box thinking.


It's only $3.50/mo per node if I understand correctly. I believe the master node is free and each slave is counted.


----------



## wcypierre (Nov 7, 2013)

To be honest, I didn't really liked it when I executed this command:



> select user() = root@localhost


----------



## BlueVM (Nov 7, 2013)

perennate said:


> Feathur has ~4000 lines of actual back-end code. The rest are libraries and templates and such.
> 
> Also pretty sure that there's a theoretical vulnerability in the forgot password implementation -- it uses random_string, which utilizes mt_rand, which does not generate cryptographically secure random numbers. Then, an attacker probably would be able to find the state after generating enough forgot password strings (each one is 120 characters, I think you need about 2000 consecutive iterations to guess the state, so you'd have to forget your password 17 or so times). Then after finding the state attacker could just enter a victim's email address. Of course it'd be very hard to pull it off, but still should use cryptographically secure random numbers.
> 
> But overall it looks pretty well coded. Sure, there's some areas that need improvement (like nested if statements), but it's not a giant mess.


I'll look into this. Rather correct the issue in advance than run into it down the road.



perennate said:


> Also exec statements could be done better; if you can't find a library that handles argument escaping, then implement something that does the escaping automatically from arguments instead of using escapeshellarg every time. Probably you could just pass in an array of separate arguments (including target to execute) and then have each element escapeshellarg'd.


They probably could be done better. As a matter of fact you have a point. I'll consider coming up with a better method and perhaps do something similar to the template engine and escape all the variables passed to it.



perennate said:


> It's only $3.50/mo per node if I understand correctly. I believe the master node is free and each slave is counted.


That is correct. If you intend on using it for personal use it's free under the assumption you'll have 5 slaves or less.



drmike said:


> Has anyone look specifically for security concerns?  Fran?
> 
> @BlueVM, can you comment on the vld "audit" and what was covered and if you are a customer of his company?  I don't want to seem too gung ho just because of name association.


Vlad did a full line by line code audit (and he audits our github as we make patches).


----------



## telephone (Nov 7, 2013)

Looked over the code for about 5 min and found a nice little exploit. While it doesn't compromise the system, it does cost the admin $$$, and could cause annoyed users.

--------------------------------------------------

A "forgot password" function without limitations... What's the worst that could happen  :lol:

1) System confirms whether email address is associated with an account

      - In short, I can find who's a user (Important in the next step)

2) No rate limiting

      - I can check email dumps to see who's a user

         - I could also check dumps for an old/current password, e.g. WHMCS dumps.

3) Connected directly to SendGrid API, without a 'cool down' period

4) No database check

      - Mwahaha!!! x 100!

5) You have CSRF fields, but do not use them...

6) Putting all of the above together, I can email bomb your users with unlimited "forgot password" emails

I went easy and only sent you 500 or so emails  B). But I could have run you up hundreds of dollars on SendGrid... Others might not be as nice.

Without further ado, it's time for me to be an ass and reveal a means to exploit :


Paste in CLI:

```bash
for ((n=0;n<500;n++)); do curl -d "email=admin[email protected]" "https://feathur.bluevm.com/forgot.php?action=forgot" > /dev/null 2>&1 ; done
```
 

--------------------------------------------------

*How to fix:*

1) Disable your "forgot password" function before you or your users get email bombed!

2) Displaying whether email exists is trivial. Majority of developers still don't consider it an exploit (as it just shows said email account is a user), but when it's for a mission critical app such as a control panel, I feel that information shouldn't be displayed... Especially for admin accounts.

3) Create a new column in the users DB that marks whether "forgot password" is active. Rate limit this feature to once per 24 hours, per account.

4) Limit "forgot password" attempts to X attempts per IP, and further limit it to one successful "forgot password" attempt per IP.
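A forgot-password handler that covers the points raised in this thread, as an added example (not Feathur's code, and not something telephone or perennate posted): a CSPRNG token instead of `mt_rand()` (perennate's point above), the token stored only as a hash with an expiry and compared in constant time, one identical response whether or not the address exists, and per-email and per-IP limits of the kind listed in the fix steps. It assumes PHP 7.4+; storage is an in-memory array standing in for the database, the SendGrid call is replaced by an array, and every name, limit and address is an assumption.

```php
<?php
// Added example, not Feathur code. Forgot-password flow with: random_bytes() tokens,
// hashed-at-rest tokens with a TTL and single use, constant-time comparison, a uniform
// response (no account enumeration), and per-IP / per-email sliding-window limits.
// In-memory storage and a fake mailer for the demo; all names and limits are hypothetical.
declare(strict_types=1);

final class ForgotPassword
{
    private const TOKEN_BYTES   = 32;    // 256 bits from the CSPRNG
    private const TOKEN_TTL     = 3600;  // seconds a reset link stays valid
    private const MAX_PER_EMAIL = 1;     // resets per address per window
    private const MAX_PER_IP    = 3;     // requests per client IP per window
    private const WINDOW        = 600;   // seconds (three per ten minutes)

    private array $users = [];          // email => ['hash' => ?, 'expires' => int]
    private array $hits  = [];          // "ip:..." / "email:..." => [timestamps]
    public array  $mailsSent = [];      // stands in for the SendGrid API call

    public function __construct(array $registeredEmails)
    {
        foreach ($registeredEmails as $e) {
            $this->users[strtolower($e)] = ['hash' => null, 'expires' => 0];
        }
    }

    /** Sliding-window counter; false when $key has used up $limit in the last WINDOW. */
    private function allow(string $key, int $limit, int $now): bool
    {
        $this->hits[$key] = array_filter($this->hits[$key] ?? [], fn($t) => $t > $now - self::WINDOW);
        if (count($this->hits[$key]) >= $limit) {
            return false;
        }
        $this->hits[$key][] = $now;
        return true;
    }

    /** Same message for unknown addresses, rate-limited callers and real sends. */
    public function request(string $email, string $ip, int $now): string
    {
        $email   = strtolower(trim($email));
        $generic = 'If that address is registered, a reset link has been sent.';
        if (!$this->allow("ip:$ip", self::MAX_PER_IP, $now)) {
            return $generic;
        }
        if (!isset($this->users[$email])) {
            return $generic;                                      // no enumeration
        }
        if (!$this->allow("email:$email", self::MAX_PER_EMAIL, $now)) {
            return $generic;                                      // no mail bombing
        }
        $token = bin2hex(random_bytes(self::TOKEN_BYTES));       // not mt_rand()
        $this->users[$email] = ['hash' => hash('sha256', $token), 'expires' => $now + self::TOKEN_TTL];
        $this->mailsSent[] = ['to' => $email, 'token' => $token]; // only the mail carries the raw token
        return $generic;
    }

    /** Validates the token from the link: unexpired, constant-time compared, single use. */
    public function redeem(string $email, string $token, int $now): bool
    {
        $email = strtolower(trim($email));
        $rec   = $this->users[$email] ?? null;
        if ($rec === null || $rec['hash'] === null || $now > $rec['expires']) {
            return false;
        }
        if (!hash_equals($rec['hash'], hash('sha256', $token))) {
            return false;
        }
        $this->users[$email] = ['hash' => null, 'expires' => 0];   // burn it
        return true;
    }
}

// Demo with constructed data: the 500-request loop from above now sends one mail.
$fp = new ForgotPassword(['admin@example.com']);
$t0 = time();
for ($n = 0; $n < 500; $n++) {
    $fp->request('admin@example.com', '203.0.113.7', $t0);
}
echo count($fp->mailsSent), " mail(s) sent\n";                         // 1
echo $fp->request('nobody@example.com', '203.0.113.8', $t0), "\n";     // same wording as a hit
$tok = $fp->mailsSent[0]['token'];
var_dump($fp->redeem('admin@example.com', $tok, $t0 + 10));            // bool(true)
var_dump($fp->redeem('admin@example.com', $tok, $t0 + 10));            // bool(false): used
var_dump($fp->redeem('admin@example.com', $tok, $t0 + 7200));          // bool(false): expired
```

The per-IP check runs first so that unknown addresses never accumulate state, and the per-email limit is what actually stops the bombing: even a distributed attacker with many IPs can trigger at most one mail per address per window. Storing only the hash means a read of the users table does not yield live reset links.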


----------



## BlueVM (Nov 7, 2013)

@telephone - Pushed an update which prevents large numbers of requests. It currently limits forgot password and login requests to three per ten minutes.

Thanks for the feedback


----------



## Kruno (Nov 8, 2013)

Congratulations on pushing this to the public. Honestly, I thought this would be yet another failed project as the other 10s there were announced at one point. 

Was this your first serious PHP project?


----------



## BlueVM (Nov 8, 2013)

@Kruno - No I've developed a few other large projects (mostly behind closed doors).


----------



## HalfEatenPie (Nov 8, 2013)

Kruno said:


> Congratulations on pushing this to the public. Honestly, I thought this would be yet another failed project as the other 10s there were announced at one point.
> 
> Was this your first serious PHP project?


And now here comes the back-handed dickish compliments.  Way to go!


----------



## Flapadar (Nov 8, 2013)

I've only given this a brief look over but it looks like you can change your own username to one that's already in use, Since the forgot password functionality uses email address rather than username that can't be exploited to gain admin access (unless you got lazy and just used the username in a query rather than the userid) - but it might cause problems with the login and could potentially be used to e.g. lock someone out of their account


----------



## BlueVM (Nov 8, 2013)

@Flapadar - The way the system works is based on email. The username is just there to make the user feel better. It doesn't impact administrators in any way and the system doesn't use the username field for anything (at all).

If you enter someone elses email into the forgot password box their password remains the same. It only changes if they click the link and proceed to enter a new password.

Also you entering their email into the login box over and over will only ban your IP not theirs from login.


----------



## RiotSecurity (Nov 8, 2013)

Ogawd.

What the fuck did I just read....

https://github.com/BlueVM/Feathur/blob/develop/feathur/admin.php

Oh my god. You're serious, right?

https://github.com/BlueVM/Feathur/blob/develop/feathur/admin/createvps.php

Points:

1) Why are you using a shitty loader?

2) Why not use PHP's default auto loader?

[...]

```php
$sType = $_GET['type'];

$sTemplates = $database->CachedQuery("SELECT * FROM templates WHERE `type` = :Type", array('Type' => $sType));
```

oh god.


----------



## BlueVM (Nov 8, 2013)

1. I suppose you're right on the autoloader. Perhaps I'll update the code to support that.

2. I don't see the particular issue with that line of code. It's admin side, if you have an admin pulling things from the database they shouldn't be, you have more issues than code itself can solve.

--

Bottom line: It's your preference for how the program is coded, there's nothing particularly wrong with the code.


----------



## matt[scrdspd] (Nov 8, 2013)

Always nice to see new projects out there. Congrats on the launch @BlueVM.


----------



## sundaymouse (Nov 8, 2013)

The master server installed according to the tutorial on GitHub turns out to be version 0.5.6. I also found that the add server function doesn't seem to work, as the page whites out after you press submit.


----------



## BlueVM (Nov 8, 2013)

@sundaymouse - Mind if I take a look at your install? I haven't seen that before (our copy has no issues with adding servers) so I'd like to see what causes it...


----------



## sundaymouse (Nov 9, 2013)

BlueVM said:


> @sundaymouse - Mind if I take a look at your install? I haven't seen that before (our copy has no issues with adding servers) so I'd like to see what causes it...


I installed the master in your $1/mo 256MB OVZ. And unfortunately I have already reloaded the OS. Never mind, probably the problem with low memory and phpcgi dying out. I will try the installation on a larger RAM later.


----------



## BlueVM (Nov 10, 2013)

@sundaymouse - Alright let us know if you need anything...


----------



## libro22 (Nov 12, 2013)

Francisco said:


> Well, if you use a proper MVC then the database would be a library/class that would be extended into the core controller and then can be called at any point.
> 
> 
> A lot of the exploits in WHMCS are because they use global variables and force register_globals on. What register_globals does is you could set a variable in the URL and it'd set a variable of the same name in your code, allowing you to inject things like a beast.
> ...


Is extending a class better than using a 'registry' class? I'm quite new with MVC.


----------



## perennate (Nov 20, 2013)

Feathur is now free software, under AGPL.

http://lowendtalk.com/discussion/comment/384333/#Comment_384333


----------



## peterw (Nov 21, 2013)

Francisco said:


> I think the biggest issue I've seen so far is that they do raw SQL queries in the code. Now, they're using PDO's bindings which means SQL injects are pretty much not going to happen, but because they aren't pushing things into a Model, a column name change means they have to update every file that calls said column, instead of just that single file and a couple templates.


Database models are very important and should be used in every project, because schema upgrade and validation can be done automatically.


----------

