Security Analysis of Alternative Control Panels

Earlier this year, cPanel announced that they were moving forward with a new pricing scheme that resulted in a mass panic of hosting providers seeking alternative control panels. When we think about alternatives to cPanel, there are only a handful of control panels that come to mind:

* It’s worth noting that Oakley Capital owns both Plesk and cPanel, making DirectAdmin and InterWorx the only true alternatives if hosting companies are concerned about further price increases or merging of panels at a later date.

RACK911 Labs has done official security auditing of DirectAdmin and InterWorx. However, we have also heavily audited Plesk via their bug bounty program and would consider the three panels referenced above to have excellent security. (For what it’s worth, we also consider cPanel to have excellent security mostly in part to their bug bounty program and large development team.)

What about the other alternative control panels?

We were familiar with most of the control panels listed above but not for the right reasons. Some of the control panels, such as CentOS Web Panel and VestaCP have extremely poor reputations when it comes to security. Other panels such as Virtualmin and CyberPanel, we previously audited in a limited capacity but knew some security flaws still remained but this would be the first time we have performed a full audit of each control panel.

Testing Methodology 

When we perform a security audit, the very first thing we do is map out every single feature into a detailed checklist. The checklist is basically the game plan for our audit and it’s also used as a reference to show the developer(s) what was tested to ensure that nothing is overlooked. Once every feature is mapped out, we then make a determination as to what types of security vulnerabilities could apply. Some of the security vulnerabilities that we test for include:

– SQL Injection
– Arbitrary Command Execution
– Symlink / Race Conditions
– Insecure Permissions & Processes
– Directory Traversals
– Username Takeovers
– CSRF
– XSS

It’s our opinion that testing for the above security vulnerabilities would account for at least 90% of anything found. Given the size and scope of the project, we could not realistically look for everything and when we sent off our Audit Reports, the developers were made aware that it was a once-over and some security vulnerabilities likely remain.

Most Popular Security Vulnerabilities

Input Validation (IDOR)
Symlink / Race Condition
Command Execution
Insecure Permissions
Insecure Processes
XSS
CSRF
Directory Traversals
Cookie Reuse
Username Takeover

The most common security vulnerability is your basic Input Validation Failure (IDOR) which means that a malicious user was able to modify content that is not intended for them. We weren’t surprised that this was the #1 vulnerability as most software we audit has some IDOR failures.

In a close second, Symlink / Race Conditions which are often the result of insecure file writes under user accessible directories which lead to privilege escalation vulnerabilities. Some of the control panels had protection against race conditions, but in the end, they were no match for our experience and we were still able to obtain root privileges.

Then we have the dreaded (Arbitrary) Command Execution vulnerabilities which are easily the most dangerous! A malicious user can often times run commands as the root user, most of which are not logged making it hard to determine the point of entry.

Security Recommendations

Input Validation (IDOR)

All input must be validated to ensure that the logged in user can only manipulate data that belongs to them. While that seems straight forward enough, it’s clear as day that developers are not implementing proper ACL controls nor are they testing for this sort of behavior. IDOR flaws are the easiest to test as most can be done within the web browser!

(Arbitrary) Command Execution

Almost all command execution vulnerabilities are the result of special characters being accepted in user input and passed directly to a shell command without any form of sanitization. When we talk about special characters we mean $ () ; ` ‘ < > | & accompanied by a command used to explore further or escalate privileges. Any time user data is sent to a shell command, data must be escaped along with a reduction of privileges when possible.

Symlink / Race Condition

Stop performing root level file operations under user accessible directories. The amount of security flaws we find under user home directories or tmp directories because a lazy developer couldn’t be bothered to drop privileges or stay out of those directories is unbelievable. Any time you perform root file operations where a user can also perform file operations, the risk of symlink and race conditions will always be extremely high!

ISPConfig (3 Vulnerabilities)

One of the more popular alternative control panels, with a reported 40,000 downloads per month, ISPConfig held its ground when it came to security vulnerabilities. The developers took 12 days to issue security patches which we think is more than acceptable.

CentOS Web Panel (22 Vulnerabilities)

We looked at this panel years ago and sent off a handful of flaws back then. Little has been done to improve security and we ended up finding another 22 flaws. The developer has been terrible at communicating and we have no ETA on patches yet.

  • Symlink / Race Condition
  • CSRF
  • Insecure Processes
  • Input Validation (IDOR)
  • Symlink / Race Condition
  • Command Execution
  • Insecure Processes
  • Insecure Permissions
  • XSS
  • Username Takeover

Virtualmin (15 Vulnerabilities)

Virtualmin was a larger audit for us given the amount of features involved. Not surprisingly, we found many security flaws with most being high priority in nature. The developer was quick to respond but we’re still waiting on patches.

CyberPanel (39 Vulnerabilities)

We had high hopes for CyberPanel but unfortunately it turned out to be one of the worst control panels that we have audited. The only positive is how quick the developers were to issue patches and communicate with us.

  • Input Validation (IDOR)
  • Symlink / Race Condition
  • Command Execution
  • Insecure Permissions
  • Directory Traversals
  • Input Validation (IDOR)
  • Symlink / Race Condition
  • Command Execution
  • Insecure Permissions
  • CSRF
  • Insecure Processes
  • Cookie Reuse
  • Outdated Software

VestaCP (3 Vulnerabilities)

Another popular control panel, VestaCP fared pretty well against our security audit with only 3 flaws discovered. The developer indicated that patches were in the works, but there has been no communication since despite repeated attempts.

APNSCP (7 Vulnerabilities)

We knew basically nothing about this control panel called APNSCP, but to our surprise it also did fairly well against our security audit with only 5 flaws discovered. The developer was one of the best that we interacted with and only took 5 days to resolve everything.

  • Input Validation (IDOR)
  • Symlink / Race Condition
  • Input Validation (IDOR)
  • Symlink / Race Condition

Closing Thoughts

In total we found almost 90 security vulnerabilities with plenty of root level flaws that would have been easy to exploit. While that may sound like a lot, it’s important to remember that most if not all of these control panels have never had a full security audit by a reputable firm.

RACK911 Labs has focused on the big control panels for many years, easily finding hundreds of security flaws within those products. Some companies such as cPanel and Plesk have active bug bounty programs with new security flaws being found every month by skilled security researchers.

The alternative control panels mentioned above, they don’t have the resources that huge million dollar companies have; They can’t afford to hire us nor can they afford to do a bug bounty program or have a dedicated security team. There is little incentive for security researchers to focus on auditing their products especially lesser known control panels that don’t have a sizable user base.

For us personally, we would stick with DirectAdmin, Plesk or InterWorx just because we know firsthand not only how good the security is, but also how effective the developers are at fixing flaws.

With that said, if we had to pick from the 6 alternative control panels above it would be ISPConfig, Virtualmin & APNSCP. We would strongly recommend users avoid CentOS Web Panel and VestaCP. The developers are terrible at communicating and it’s our opinion that their programming experience has no security mindset in place which would likely lead to further security vulnerabilities in the future.

As for CyberPanel, while they did have the highest amount of security vulnerabilities found, they also patched everything in a timely manner and their communication was decent. The developers do seem keen on improving their product and while we’re not ready to recommend them just yet, we also don’t think they deserve to be avoided. It’s safe to assume we will revisit CyberPanel in the future for another audit to see where things stand.