ksoftirqdx

HalfEatenPie

The Irrational One
Retired Staff
Do you realize that you keep rolling out an old story, and that since then we did 2 releases? And I've been on the team for only 3 months, using it on my own servers, and won't EVER accept that security is not taken seriously.


Now you talk about Zpanel servers taken down. Are you aware that the servers were taken down when the admin saw that some account got compromised? It was a precaution. And that the mighty joepie took over another server not running Zpanel, but using brute force? That helped him later gain control over the forum?

This is not the first issue an open source project faces. Who remembers Kloxo? Or even check the Plesk CVEs? phpMyAdmin! Roundcube.


All I can say is that if you have any security issues I will do my best to escalate or fix them. And for the latest one we got, I saw the fix rolling in within 24h! Just check the announcements section.


Zpanel is open source for the community and everybody is welcome to improve or fork it, and it's on GitHub now.

M B
My point was not specifically on the issue of compromised services but mostly the response the "project coordinators" had. From my perspective they simply shrugged it off instead of even attempting to investigate it, and later (once it became even more public knowledge) it was exploited. You advertise yourself as a FOSS project. Awesome! You advertise that your software can be used in a more high-priority environment. But it does not respond well to security concerns when they were initially brought up. Not awesome.

zPanel can change. Sure. It probably has changed. Awesome. But so far the way they addressed problems hasn't proven it (at least to me). Hopefully you joining the team has improved this greatly.
 

wlanboy

Content Contributer
Sir,

I'm a member of the Zpanel team; your claim is totally out of context. You talk about Zpanel taking months to fix any flaw.

Most of the trashing here is over Zpanel 10.0.2, and even for that we issued fixes within 2 days, far from all the bashing that it took months.

I've been new on the team for 3 months and what I saw [...]
I did run two zpanel instances for months and I migrated each one to VestaCP.

Purely because of how (at that time) the people who were responsible for the project handled things.

Like yourself.

Zpanel is superb, the best of the best, and everyone who says anything about problems is a liar and a trasher.

But I will stop saying anything about Zpanel - you just confirmed my decision.

I will never use zpanel again.
 

Me.B

New Member
I did run two zpanel instances for months and I migrated each one to VestaCP.

Purely because of how (at that time) the people who were responsible for the project handled things.

Like yourself.

Zpanel is superb, the best of the best, and everyone who says anything about problems is a liar and a trasher.

But I will stop saying anything about Zpanel - you just confirmed my decision.

I will never use zpanel again.
I'm new to the Zpanel TEAM but have been using Zpanel for over a year.


Sir, great for you if VestaCP fits your needs, or cPanel or Plesk.

My statement didn't say that Zpanel is perfect, but that we care about security and all comments are welcome so we can improve the product, so don't twist my words here.

Zpanel still has many bugs to be fixed and many features that must be plugged in. I feel more and more that the Zpanel trashing is getting personal. It's not about the project itself, it's turning on the team. Did you see my replies in the Zpanel support forum before? I've just used Zpanel, and all I tried to do when joining Zpanel was help improve the product and also ensure that security is OK, not do like so many who just bash the product without using it or following it.


So if anyone has solid arguments over Zpanel security I'm happy to hear them and forward them. If it's an ego/personal problem I can't fix it.


I'm just trying to figure out what's wrong in Zpanel so I fix it at least for myself...
 

Me.B

New Member
My point was not specifically on the issue of compromised services but mostly the response the "project coordinators" had. From my perspective they simply shrugged it off instead of even attempting to investigate it, and later (once it became even more public knowledge) it was exploited. You advertise yourself as a FOSS project. Awesome! You advertise that your software can be used in a more high-priority environment. But it does not respond well to security concerns when they were initially brought up. Not awesome.

zPanel can change. Sure. It probably has changed. Awesome. But so far the way they addressed problems hasn't proven it (at least to me). Hopefully you joining the team has improved this greatly.
So check here:

http://forums.zpanelcp.com/Forum-News-Announcements--36

I don't have anything to gain from cheating here... I don't care about my ego, as I'm not the main developer here but mainly more of a user.


We got a report about a pChart bug:

http://www.pchart.net/advisory

A Zpanel user pointed out it could lead to RCE. I can assure you that 24 hours later the info led to this announcement:

http://forums.zpanelcp.com/Thread-Pcharts-Urgent-Vulnerability-Fix

This happened on 21 Feb. It triggered an internal discussion over reviewing third-party software in Zpanel, and thus Roundcube, which also had a bug, so we needed to update it:

Issued 4 days later, another announcement:

http://forums.zpanelcp.com/Thread-RoundCube-Urgent-Security-HotFix

And a week later we pushed 10.1.1 after we rushed through testing, as it was not only a security fix but had some minor fixes that needed to be tested.


This is how I saw the Zpanel team working, and you have no idea how much time we need to spend on testing the software or on support.


So if you think it's not enough, I will be happy to hear how it can be improved further; notice the problem that most users too love free FOSS and don't try to spend time on it. It would be great if we got more help from security experts unhappy over Zpanel security. That would improve the problem and maybe in the future we gain back trust.
 

Patrick

INIZ.COM
Verified Provider
You just linked to 3 posts, you only allow 3 post views per IP. That's just stupid considering we have to register to a forum to view patches because you guys couldn't be bothered to test before releasing updates.
 

You've exceeded the maximum number of posts (3) you can view as a guest. To remove this message and become a member please register a free account. It will only take a few moments and you'll be able to view posts normally.
 

Me.B

New Member
You just linked to 3 posts, you only allow 3 post views per IP. That's just stupid considering we have to register to a forum to view patches because you guys couldn't be bothered to test before releasing updates.
It would be a very good point if you were really using Zpanel, not just looking for an argument to say those stupid guys don't take security seriously!

In Zpanel you already have a module, Zpanel News, reading the RSS from the announcement section. So you will see the new announcement, then you would go to the forum to read it. Indeed there is a 3-post view limitation, and then? Registration is free and will allow you to ask for free support. I saw other panels requiring registration before downloading and no one called them stupid. I would say it's annoying. But you are not barred from reading headlines.


Notice on Facebook Zpanel announcements are open... And I back a blog for announcements.


Your argument has some ground over the security sections only. And I will forward it to the team.

So thanks @Patrick


M B
 

Me.B

New Member
See here how Zpanel is trashed in bad faith:

http://www.liatsisfotis.com/2014/01/multiple-vulnerabilities-in-zpanel-1002.html

Post date 1 January, while he claims this went unpatched for 10 months until 10.1.1.

That's totally wrong, as we got 10.1.0 released before that, on 4-8-2013!

While the emergency patch was released 2-4-2013:

http://forums.zpanelcp.com/Thread-ZPanel-HotFix-Please-ensure-you-apply

Notice his first post over Zpanel 10.0.2 was:

http://www.petrosandreou.com/2013/07/multiple-vulnerabilities-in-zpanel-1002.html

4 July ...

Now claiming it took months is totally exaggerated, while he posted about the flaw after Zpanel made it public!
 

HalfEatenPie

The Irrational One
Retired Staff
@Me.B

Relax. I understand you really enjoy being part of the ZPanel team and I understand for you it's a project to get behind. Unfortunately for myself (and a few people on here) it's not. My opinion on ZPanel is basically "never using it again", especially with the way the project lead responded (obvious paraphrasing, but "It's an enterprise-level software" to "contribute it yourself"). If I recall, ZPanel's theming system still uses (or used to) PHP's EXEC command (I don't know if they've fixed this yet, nor have I actually actively checked), which is a huge no-no. Actions like these make me lose faith in a development team and raise the question of what other major mistakes they have made that we haven't caught.

People make mistakes. It's a given fact. We're all human. But the way the project head has responded to some answers even before the hacking incident shows me that I can't put my support behind it.
 

peterw

New Member
You need to spend a lot of time until people trust the Zpanel team again. There are enough other panels, so I will not use Zpanel again.
 

Me.B

New Member
@Me.B


Relax. I understand you really enjoy being part of the ZPanel team and I understand for you it's a project to get behind. Unfortunately for myself (and a few people on here) it's not. My opinion on ZPanel is basically "never using it again", especially with the way the project lead responded (obvious paraphrasing, but "It's an enterprise-level software" to "contribute it yourself"). If I recall, ZPanel's theming system still uses (or used to) PHP's EXEC command (I don't know if they've fixed this yet, nor have I actually actively checked), which is a huge no-no. Actions like these make me lose faith in a development team and raise the question of what other major mistakes they have made that we haven't caught.


People make mistakes. It's a given fact. We're all human. But the way the project head has responded to some answers even before the hacking incident shows me that I can't put my support behind it.
Thanks. But to make it clear, the old nag over the Zpanel theming system is totally out of context.


1. Themes now use Bootstrap and no one can add them through the panel; you have to go manually and upload the files.


2. ALL the panels have php exec enabled, AS it's a panel and needs to execute external commands to get things done. How do you expect a panel to work without php exec?

3. The row was that themes could use php exec; it's total nonsense, man. Check the Zpanel code and you will see how it works. Themes are unlike WP or such; it's only admins that handle them in the first place. Like many other features. When I hear this blame over themes I feel it has no ground at all for anyone understanding how Zpanel works, and I see why the leader got frustrated over this row. He tried to explain that themes are meant to be manipulated only by admins, while "the hacker" was pushing over and over: you have a flaw, I can do anything with them. Indeed, with Zpanel admin rights I can upload modules too that can take over the whole server. Hope you see the nonsense of the claim. Zpanel had more serious issues that were not reported then, over the LFI exploit, which the team announced and fixed.

See here a report: Zpanel website hacked!!

http://forums.zpanelcp.com/Thread-My-zPanel-is-hacked-Files-have-removed

I checked the server myself; he had a CMS + modded phpBB.... And found nothing.

So the problem with Zpanel's bad press: we made the headlines and no one checked for the real story or checked the facts. I use Zpanel and looked for facts before moving in, so I care about security.


M B
 

Me.B

New Member
And to be a bit rude here: I don't care if you want to use Zpanel or not. It's not the issue.

I just want facts and security reports/advice from experts over what we could improve in security or what we missed, so we can beef up security. Of all those I confronted bashing Zpanel, none had pointed me to a flaw; all was "it's on the news, Zpanel is not secure".
 

HalfEatenPie

The Irrational One
Retired Staff
And to be a bit rude here: I don't care if you want to use Zpanel or not. It's not the issue.

I just want facts and security reports/advice from experts over what we could improve in security or what we missed, so we can beef up security. Of all those I confronted bashing Zpanel, none had pointed me to a flaw; all was "it's on the news, Zpanel is not secure".
I don't think you're getting my point.

ZPanel is an easy to use, enterprise class web hosting control panel with support for unlimited resellers. From the largest business to SOHO or development environments, ZPanel can support your needs.

Source: http://www.zpanelcp.com/about/features/
1. The project is totally open source so anyone could fix flaws reported.
(This is basically an indirect way of saying "We call ZPanel an enterprise class solution, but if a problem happens you can fix it yourself".)

My opinion on ZPanel is basically "never using it again", especially with the way the project lead responded (obvious paraphrasing, but "It's an enterprise-level software" to "contribute it yourself")... Actions like these make me lose faith in a development team and raise the question of what other major mistakes they have made that we haven't caught.

People make mistakes. It's a given fact. We're all human. But the way the project head has responded to some answers even before the hacking incident shows me that I can't put my support behind it.
Of course scripts should use EXEC. But EXEC should NEVER be used in a theme for WHATEVER reason. It's called Risk Management (I've already linked this a ton, even on this forum alone) and the development team should be working to minimize this.

Also, ignoring the EXEC problem. My problem is with the Project Lead and his responses. People screw up. Solus has screwed up, WHMCS has screwed up, everyone screws up. The important part is the response that comes with it. I feel like the Project Lead was way too... I can't put a word to it, but just used words whenever it was convenient for him.

Edit: And I'm going to drop this conversation (at least my part for now) here. I feel like it's going in circles.

Edit 2: Fixed a few things like a few misspellings and added the quote from the site + previous post.
 

HalfEatenPie

The Irrational One
Retired Staff
And to be a bit rude here: I don't care if you want to use Zpanel or not. It's not the issue.

I just want facts and security reports/advice from experts over what we could improve in security or what we missed, so we can beef up security. Of all those I confronted bashing Zpanel, none had pointed me to a flaw; all was "it's on the news, Zpanel is not secure".
Also, to be on the same level as this quote (my apologies for being rude right here, and I just broke my previous edit's statement, haha): I don't care if you support ZPanel or not. What I care about is my clients running possibly free vulnerable software that gets hacked, and our services getting utilized to perform an attack on an innocent individual (or basically being used for negative purposes). Yes, we have systems in place to minimize this, but again, you can't be too careful. This is again Risk Management right here.
 

Me.B

New Member
Also, to be on the same level as this quote (my apologies for being rude right here, and I just broke my previous edit's statement, haha): I don't care if you support ZPanel or not. What I care about is my clients running possibly free vulnerable software that gets hacked, and our services getting utilized to perform an attack on an innocent individual (or basically being used for negative purposes). Yes, we have systems in place to minimize this, but again, you can't be too careful. This is again Risk Management right here.
Great, here at least we agree. BUT you must agree too that WP/Joomla/phpBB and all alike are a big mess, especially when you get them with newbies that won't update anything. I've been in the hosting biz for over a decade and I still fight with this CMS mess all day; I've had to shut down customers all the time over that. I can't ban them from using WP/Joomla, so I ended up helping them harden their solution or trying to reduce the attack surface. I do the same over Zpanel, as I change some default settings. So despite you not thinking Zpanel is so good, your users might still use it. So either way you could help us, if you notice anything we should fix.

Even cPanel with newbies can turn into a mess, and this is the big problem with VPS users; I see a lot moving from a shared managed service to a self-managed VPS like they have a magic wand to admin all server issues.


So, and to show again how this discussion is out of the scope of the first post: no one looked for the origin of the problem reported, it was only bashing Zpanel's lack of security, while we managed to look over this and find that this issue is not related to Zpanel but to Ubuntu IRQs:

http://askubuntu.com/questions/7858/why-is-ksoftirqd-0-process-using-all-of-my-cpu

This didn't prevent me from taking some feedback that security announcements might be better on a blog rather than in the forum, and I'm currently checking this ridiculous theme "non-issue" so we lock it down, so we move into serious talk, as some are still not getting it and don't want to check how.


M B
 

Patrick

INIZ.COM
Verified Provider
It would be a very good point if you were really using Zpanel, not just looking for an argument to say those stupid guys don't take security seriously!

Your argument has some ground over the security sections only. And I will forward it to the team.

So thanks @Patrick


M B
My clients unfortunately use it and we have had to suspend them because of the named process in the thread; I can't give them an actual URL to the fix because of your limit, and I'm not going to register to your useless forum which god knows when will be hacked again.

I just give them alternatives which have actual care and time put into them and help them rebuild their VM from scratch with Vesta etc.
 

Me.B

New Member
@HalfEatenPie Got your point. Currently testing sandboxing ALL the theme folder in lower permissions.

And I've been thinking myself about sandboxing more stuff, as in my own setup I don't run webmail on the Zpanel host; I will check it and might submit this to the team so we make some changes.

Adding preventive layers has never been a bad idea, but you must notice this had been presented AS A FLAW! I could then flag a lot of flaws of this type in many products we use daily... Anyway, let's see where my own test would lead.

This doesn't mean Zpanel is insecure, man! It's insecure when you have a flaw that leads to a hack; we shipped Roundcube that had an RCE-grade flaw and no one talks about it, while if we talk about risk management we should talk about risk evaluation, and here the Roundcube flaw was a major threat while themes were minimal.

M B
 

Me.B

New Member
My clients unfortunately use it and we have had to suspend them because of the named process in the thread; I can't give them an actual URL to the fix because of your limit, and I'm not going to register to your useless forum which god knows when will be hacked again.

I just give them alternatives which have actual care and time put into them and help them rebuild their VM from scratch with Vesta etc.
The forum was not directly hacked, but they gained access via a user's server first. Notice the Zpanel team didn't build the forum, so this is totally hilarious! We were using vBulletin and now MyBB, as you will notice, and no hacks.

Here I paste the statement, and at least you could add to the list that the Zpanel team are liars:

ZPanelCP Server has not been compromised!

After many allegations that our community forums / website have been compromised we can safely announce this is false information. 

So to clear this all up here is our official announcement:

1) The cause

Yesterday one of our support staff decided to use vulgar and aggressive language which greatly offended a community member. For this I personally and on behalf of the ZPanelCP Project would like to apologise. This member of staff will not be participating in the ZPanelCP team anymore.

2) What actually got hacked into

Later that day the ZPanel Module Directory (an application built by Tom Gates) was hacked into and the server it was hosted on was compromised. This is NOT the zpanelcp.com server: http://i.imgur.com/UAKE40Y.png

This was Tom Gates' server, not a zpanelcp.com server (anyone can perform a traceroute or ping to confirm this).

3) Forum staff accounts abused

The passwords for this application were decrypted (only MD5 was used to store the passwords).

Two staff members (tgates and PS2Guy) had reused passwords allowing the hacker of the Module Directory application to instantly access the corresponding accounts on forums.zpanelcp.com.

4) Security issues raised

The security issues mentioned in the following article (http://imgur.com/a/lzRuo) are already fixed, however we are a short way off being able to release the new version. All known security vulnerabilities have been announced on here with fixes and guides. If anyone finds a security vulnerability in our software please report it on our public bug tracker for myself and the rest of the core development team to review. If we are able to reproduce the issue we will fix it, however please be aware we are very busy individuals and haven't got spare time to spend every week to fix them. This is an open source project and anyone can freely contribute to make it better / more secure.

5) Questions

If anyone has any questions regarding any of this, please feel free to contact us on these forums.

Kind regards,

Bobby and the ZPanel Support Team

Bobby Allen

ZPanel Head Developer
http://forums.zpanelcp.com/Thread-ZPanelCP-Server-has-not-been-compromised

Zpanel 10.0.2 got an LFI exploit targeted by a bot. Strange that many users are still running this release, over a year old, while we have since had 2 releases and some hotfixes!

If you won't go to our forum, I've come here, so post the list or PM me. I will be happy to see if we can fix more stuff. I never asked you to go to our forum.

So.. Good luck if Vesta works for your customers, but if you could help us fix Zpanel or report issues we don't see, let's see. @
 

HalfEatenPie

The Irrational One
Retired Staff
My clients unfortunately use it and we have had to suspend them because of the named process in the thread; I can't give them an actual URL to the fix because of your limit, and I'm not going to register to your useless forum which god knows when will be hacked again.

I just give them alternatives which have actual care and time put into them and help them rebuild their VM from scratch with Vesta etc.
Just like this.

Unlike Joomla or WordPress (by the way, we have kicked clients out due to their insecure Joomla), ZPanel isn't widely accepted or used. An alternative is suggested (some hosts even prohibit software such as Kloxo and/or ZPanel) and (when time is available) we help them migrate away to different control panels.

@HalfEatenPie

Adding preventive layers has never been a bad idea, but you must notice this had been presented AS A FLAW! I could then flag a lot of flaws of this type in many products we use daily... Anyway, let's see where my own test would lead.
Just because other software has the possibility for the flaw doesn't mean your standards should accept it. And again, you seem to be missing the point of my comments still.

I don't think you're getting my point.

My problem is with the Project Lead and his responses. People screw up. Solus has screwed up, WHMCS has screwed up, everyone screws up. The important part is the response that comes with it.
I'm not questioning the security of the bundle of software you utilize but the response your team gives to others.

This doesn't mean Zpanel is insecure, man! It's insecure when you have a flaw that leads to a hack; we shipped Roundcube that had an RCE-grade flaw and no one talks about it, while if we talk about risk management we should talk about risk evaluation, and here the Roundcube flaw was a major threat while themes were minimal.
I understand the point you're making with that statement (by the way, for clarification, part of the Risk Management assessment includes Risk Evaluation), and of course it's difficult to code something that's 100% fool-proof. I mean, we all strive to prevent as much as we can, but in the end some things we may have overlooked might have slipped past us and got shipped. What I'm talking about is the response the team gives before the issues even start. You indirectly tell these people to patch it themselves and to submit it. You do realize a major portion of these individuals don't know how to code and (even worse) barely understand how to set up the panel (know the bare minimum about server hardening).

There's issues in all panels of course, but from my own (and many other individuals') evaluations we've come to recognize some of the alternatives to ZPanel to be far better than ZPanel itself.
 

Me.B

New Member
@HalfEatenPie You didn't read the announcement section nor see the Zpanel News module, SIR.

I don't say people must patch it themselves. IT would be totally idiotic. I said in emergency mode you could. I saw the report over the Roundcube problem, so I patched it. Maybe by patch you expect an autoupdate? Currently the update script is improving.

The last 2 patches were submitted by the team, one for pChart (a user reported it in the forum and we immediately fixed it on GitHub) and another from an internal review over Roundcube.

I later submitted a request to add a robots.txt banning Zpanel indexing as a preventive measure, and am working on how to stop Zpanel from defaulting on the server IP. Also submitted masking the SMTP banner signature and the same over the web server, and would try my best over many other directions. And it's not only me; other team members submitted other "preventive" patches...

IF it's not enough, ok. The problem, you say, is that Zpanel is insecure? So I can say that this is not a flaw in Zpanel but in the way you think we work?
 