Latest Security Analysis of Web Control Panels by Rack911

Security Analysis of Alternative Control Panels

I am not surprised by the results. So those looking for a free alternative to paid control panels, keep in mind that they can pose some threats also.

Simplified Article

Earlier this year, cPanel announced that they were moving forward with a new pricing scheme that resulted in a mass panic of hosting providers seeking alternative control panels. When we think about alternatives to cPanel, there are only a handful of control panels that come to mind:

*It’s worth noting that Oakley Capital owns both Plesk and cPanel, making DirectAdmin and InterWorx the only true alternatives if hosting companies are concerned about further price increases or merging of panels at a later date.

RACK911 Labs has done official security auditing of DirectAdmin and InterWorx. However, we have also heavily audited Plesk via their bug bounty program and would consider the three panels referenced above to have excellent security. (For what it’s worth, we also consider cPanel to have excellent security mostly in part to their bug bounty program and large development team.)

What about the other alternative control panels?

We were familiar with most of the control panels listed above but not for the right reasons. Some of the control panels, such as CentOS Web Panel and VestaCP, have extremely poor reputations when it comes to security. Other panels, such as Virtualmin and CyberPanel, we previously audited in a limited capacity and knew some security flaws still remained, but this would be the first time we have performed a full audit of each control panel.

Testing Methodology

When we perform a security audit, the very first thing we do is map out every single feature into a detailed checklist. The checklist is basically the game plan for our audit and it’s also used as a reference to show the developer(s) what was tested to ensure that nothing is overlooked. Once every feature is mapped out, we then make a determination as to what types of security vulnerabilities could apply. Some of the security vulnerabilities that we test for include:

– SQL Injection
– Arbitrary Command Execution
– Symlink / Race Conditions
– Insecure Permissions & Processes
– Directory Traversals
– Username Takeovers
– CSRF
– XSS

It’s our opinion that testing for the above security vulnerabilities would account for at least 90% of anything found. Given the size and scope of the project, we could not realistically look for everything and when we sent off our Audit Reports, the developers were made aware that it was a once-over and some security vulnerabilities likely remain.

The most common security vulnerability is your basic Input Validation Failure (IDOR) which means that a malicious user was able to modify content that is not intended for them. We weren’t surprised that this was the #1 vulnerability as most software we audit has some IDOR failures.

In a close second are Symlink / Race Conditions, which are often the result of insecure file writes under user accessible directories which lead to privilege escalation vulnerabilities. Some of the control panels had protection against race conditions, but in the end, they were no match for our experience and we were still able to obtain root privileges.

Then we have the dreaded (Arbitrary) Command Execution vulnerabilities which are easily the most dangerous! A malicious user can oftentimes run commands as the root user, most of which are not logged, making it hard to determine the point of entry.

Security Recommendations

Input Validation (IDOR)

All input must be validated to ensure that the logged-in user can only manipulate data that belongs to them. While that seems straightforward enough, it’s clear as day that developers are not implementing proper ACL controls nor are they testing for this sort of behavior. IDOR flaws are the easiest to test as most can be done within the web browser!

(Arbitrary) Command Execution

Almost all command execution vulnerabilities are the result of special characters being accepted in user input and passed directly to a shell command without any form of sanitization. When we talk about special characters we mean $ ( ) ; ` ' < > | & accompanied by a command used to explore further or escalate privileges. Any time user data is sent to a shell command, data must be escaped along with a reduction of privileges when possible.

Symlink / Race Condition

Stop performing root level file operations under user accessible directories. The amount of security flaws we find under user home directories or tmp directories because a lazy developer couldn’t be bothered to drop privileges or stay out of those directories is unbelievable. Any time you perform root file operations where a user can also perform file operations, the risk of symlink and race conditions will always be extremely high!

ISPConfig (3 Vulnerabilities)

One of the more popular alternative control panels, with a reported 40,000 downloads per month, ISPConfig held its ground when it came to security vulnerabilities. The developers took 12 days to issue security patches which we think is more than acceptable.

CentOS Web Panel (22 Vulnerabilities)

We looked at this panel years ago and sent off a handful of flaws back then. Little has been done to improve security and we ended up finding another 22 flaws. The developer has been terrible at communicating and we have no ETA on patches yet.

Virtualmin (15 Vulnerabilities)

Virtualmin was a larger audit for us given the amount of features involved. Not surprisingly, we found many security flaws with most being high priority in nature. The developer was quick to respond but we’re still waiting on patches.

CyberPanel (39 Vulnerabilities)

We had high hopes for CyberPanel but unfortunately it turned out to be one of the worst control panels that we have audited. The only positive is how quick the developers were to issue patches and communicate with us.

VestaCP (3 Vulnerabilities)

Another popular control panel, VestaCP fared pretty well against our security audit with only 3 flaws discovered. The developer indicated that patches were in the works, but there has been no communication since despite repeated attempts.

APNSCP (7 Vulnerabilities)

We knew basically nothing about this control panel called APNSCP, but to our surprise it also did fairly well against our security audit with only 5 flaws discovered. The developer was one of the best that we interacted with and only took 5 days to resolve everything.

Closing Thoughts

In total we found almost 90 security vulnerabilities with plenty of root level flaws that would have been easy to exploit. While that may sound like a lot, it’s important to remember that most if not all of these control panels have never had a full security audit by a reputable firm.

RACK911 Labs has focused on the big control panels for many years, easily finding hundreds of security flaws within those products. Some companies such as cPanel and Plesk have active bug bounty programs with new security flaws being found every month by skilled security researchers.

The alternative control panels mentioned above don’t have the resources that huge million dollar companies have; they can’t afford to hire us nor can they afford to do a bug bounty program or have a dedicated security team. There is little incentive for security researchers to focus on auditing their products, especially lesser known control panels that don’t have a sizable user base.

For us personally, we would stick with DirectAdmin, Plesk or InterWorx just because we know firsthand not only how good the security is, but also how effective the developers are at fixing flaws.

With that said, if we had to pick from the 6 alternative control panels above it would be ISPConfig, Virtualmin & APNSCP. We would strongly recommend users avoid CentOS Web Panel and VestaCP. The developers are terrible at communicating and it’s our opinion that their programming experience has no security mindset in place which would likely lead to further security vulnerabilities in the future.

As for CyberPanel, while they did have the highest amount of security vulnerabilities found, they also patched everything in a timely manner and their communication was decent. The developers do seem keen on improving their product and while we’re not ready to recommend them just yet, we also don’t think they deserve to be avoided. It’s safe to assume we will revisit CyberPanel in the future for another audit to see where things stand.

11 Likes
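The three recommendations in the quoted article (ownership checks against IDOR, never handing user data to a shell, and keeping root file writes out of user-controlled directories) map onto a few lines of backend code each. The following is an added example written for this thread; it is not code from Rack911 or from any of the panels named above. The domain table, the `named-checkzone` wrapper and the user-directory writer are hypothetical stand-ins for what a panel backend would do, and the scenario in `demo_symlink_race` is constructed in a temporary directory so it runs without root.

```python
"""Hypothetical control-panel backend helpers illustrating the three fixes."""
import os
import re
import subprocess
import tempfile

# --- 1. IDOR: every lookup is scoped to the logged-in user ------------------
# Constructed sample data: domain ids with their owners.
DOMAINS = {
    101: {"owner": "alice", "name": "alice.example"},
    102: {"owner": "bob", "name": "bob.example"},
}


class Forbidden(Exception):
    pass


def get_domain(current_user: str, domain_id: int) -> dict:
    """Return a record only if it belongs to current_user.

    'Missing' and 'not yours' produce the same error so a caller cannot
    enumerate other users' ids by comparing error messages."""
    record = DOMAINS.get(domain_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden(f"domain {domain_id} not accessible to {current_user}")
    return record


# --- 2. Command execution: allowlist the input, never build a shell string --
SHELL_META = set("$();`'\"<>|&\n")  # the characters the article lists, plus newline
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def build_zone_check_argv(domain: str) -> list:
    """Validate the name with a strict allowlist, then return an argv list.

    Each element is passed to the program as-is; there is no /bin/sh parse
    step in which ';' or '$(...)' could ever be interpreted."""
    domain = domain.lower()
    if set(domain) & SHELL_META or not DOMAIN_RE.match(domain):
        raise ValueError("invalid domain name")
    return ["named-checkzone", domain, f"/var/named/{domain}.zone"]


def run_zone_check(domain: str) -> subprocess.CompletedProcess:
    # shell=False (the default): argv goes straight to execve, not to a shell.
    return subprocess.run(build_zone_check_argv(domain), capture_output=True, text=True, check=False)


# --- 3. Symlink / race: root-level writes inside a user-writable directory --
def write_in_user_dir(user_dir: str, filename: str, data: bytes, expected_uid: int) -> str:
    """Create a new file under user_dir without following any symlink.

    O_NOFOLLOW on the directory refuses a symlinked directory; fstat confirms
    the directory is owned by the expected user; O_CREAT|O_EXCL|O_NOFOLLOW on
    the file refuses any pre-existing path, including a symlink planted to
    point a privileged write at /etc/passwd or similar. The file is opened
    relative to the directory fd, so the path cannot be swapped underneath us."""
    if "/" in filename or filename in ("", ".", ".."):
        raise ValueError("bad filename")
    dir_fd = os.open(user_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if os.fstat(dir_fd).st_uid != expected_uid:
            raise PermissionError("directory not owned by expected user")
        fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    finally:
        os.close(dir_fd)
    return os.path.join(user_dir, filename)


def demo_symlink_race() -> dict:
    """Constructed scenario: the user plants a symlink named 'config' in their
    directory pointing at a file they must not be able to overwrite."""
    home = tempfile.mkdtemp()
    victim = os.path.join(tempfile.mkdtemp(), "victim")
    with open(victim, "wb") as f:
        f.write(b"original")
    os.symlink(victim, os.path.join(home, "config"))
    uid = os.getuid()
    try:
        write_in_user_dir(home, "config", b"pwned", uid)
        refused = False
    except FileExistsError:  # O_EXCL rejected the planted symlink
        refused = True
    with open(victim, "rb") as f:
        victim_intact = f.read() == b"original"
    fresh = write_in_user_dir(home, "fresh.conf", b"ok", uid)
    return {"refused": refused, "victim_intact": victim_intact, "fresh_written": os.path.isfile(fresh)}


if __name__ == "__main__":
    print(get_domain("alice", 101))
    print(build_zone_check_argv("bob.example"))
    print(demo_symlink_race())
```

The writer above still runs as whatever user the panel runs as; in a real panel the article's advice to drop privileges before touching a home directory applies on top of these checks, since `O_NOFOLLOW` and `O_EXCL` only close the symlink and pre-existing-file cases, not a hostile directory that the user can rename while the write is in progress (the directory fd is what protects against that last case here).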

Welcome aboard!

ISPConfig seems to be pretty decent, still.

4 Likes

Damn… CyberPanel got destroyed… Ouch

Still perfectly fine if you plan to use it yourself I guess and not share access with anyone…

I’m not surprised one bit by this.

I found an issue months ago, and I doubt it was ever fixed.

Thanks and welcome @Shoaib_A!
I am a bit disappointed by the results for Virtualmin. It is my go-to solution whenever I need a free panel for a server. I use a lifetime DA license for the “more important” stuff, but Virtualmin for everything else.

However, those are, as Rack911 say, only the results of their first tests.
Looking forward to the in-depth results…

Has anyone tried apnscp yet? How does it “feel”?

2 Likes

Glad to see ISPConfig faring so well :slight_smile: Will continue using it for private projects along with HestiaCP. Kinda sad that Keyhelp wasn’t included.

3 Likes

:wink:

1 Like

This just proves that the end is nigh.

The install was problematic in my experience, though your mileage may vary. In my instance, the install seemed to stall, and the documentation varies throughout the various different sources that APNSCP provides. A simple reboot and bootstrap command resolved my problem, but the install instructions also don’t explicitly mention that you need to have a valid FQDN specified before running the install, so that was a bit annoying.

Aside from these minor frustrations, the panel itself seems to be great! The interface feels a little bit clunky and arguably non-intuitive, but damn is it seemingly robust. I’m actually planning on building a new frontend to proxy command requests on the backend. If you’re able to grab a free license from LET, I would definitely recommend doing so.

2 Likes

Was this before 3.1, released a few days ago? 3.1 fixes quite a number of durability issues in install and moving forward with prebuilt images on DO’s Marketplace as soon as I get the OK from their team.

A hostname isn’t necessary for install, but is necessary for the panel to authorize itself for Let’s Encrypt SSL. cpcmd scope:set net.hostname would allow you to set a hostname after install, so not a big deal either way. All docs have been moved to docs/ in 3.1 with a reboot on docs.apnscp.com coming soonish.

Drop me an email at [email protected] or send me a PM via here if you ever run into any issues :wave:

2 Likes

Nope, this was after 3.1 :stuck_out_tongue: I started the install, then checked in on the log via the provided command every 5 minutes. I went to do something else for a couple of hours, came back and to my surprise it hadn’t finished. After inspecting the log, something was repeating. I’ll see if the log is still there, and if so I’ll email it across to you :slight_smile:

Apologies, I should’ve clarified. Right, but the install instructions should mention this at the beginning rather than towards the end. It just makes life a little bit simpler for people :slight_smile:

Aside from those minor frustrations, everything has been smooth sailing :sunglasses:

1 Like

I’ll add some clarification going forward on that note.


Sounds like from the install behavior you deployed v3.1.1 or v3.1.2, which had some HOME=/permission issues on install. Everything is squared away in v3.1.3. :thumbsup:

Edge builds, which’ll be part of v3.1.4 sometime next week, have broken down the master layout as well as DNS templates, which’ll make it much easier to customize going forward. You can drop a Blade template named after the theme in config/custom/resources/views/ to override the master layout. Metrics logging will be here by the end of the month as well.

2 Likes

Will you marry me?

Seriously though, that sounds fantastic. Thanks for a breath of fresh air in this market :smiley: Other panels are great, but none quite fit what I’ve been looking for for so long like yours.

2 Likes

Only if there’s tax benefits involved…

2 Likes

Congrats. A wolf and a rocket, what a nice couple.

2 Likes

That’s bigamy !

Everybody knows you’re already married to Faya Fox

I’m disappointed you missed the standard red rocket joke.

2 Likes

I’m installing today. The only issue so far was curl was returning a 404 from somewhere in the install script for the licence check. I removed the licence from the command and it’s installing now, so I presume I can input it somewhere after.

I didn’t have any CentOS servers, so I re-installed one with 8, only to find 8 isn’t supported yet lol.

1 Like


:joy:

2 Likes

Humanity in a nutshell.

2 Likes