SSD Advisory – Sentora / ZPanel Password Reset Vulnerability Full report: https://blogs.securiteam.com/index.php/archives/3386 Twitter: @SecuriTeam_SSD Weibo: SecuriTeam_SSD Vulnerability Summary The following advisory describes a password reset found in Sentora / ZPanel. Sentora is “a free to download and use web hosting control panel developed for Linux, UNIX and BSD based servers or computers. The Sentora software can turn a domestic or commercial server into a fully fledged, easy to use and manage web hosting server”. ZPanel is a free to download and use Web hosting control panel written to work effortlessly with Microsoft Windows and POSIX (Linux, UNIX and MacOSX) based servers or computers. This solution can turn a home or professional server into a fully fledged, easy to use and manage web hosting server. Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. Vendor response Hostwinds was informed of the vulnerability, to which they response with “Zpanel is owned by Hostwinds but is no longer in production and has not been supported for some time now. We only keep it active as a legacy control panel and strongly discourage clients from using it. If you would like to continue to use it that is agreeable, but we are not able to offer any kind of support for it other than installing a different control panel over it.” Sentora was informed of the vulnerability on July 16 2017, while acknowledging the receipt of the vulnerability information, they failed to respond to the technical claims, provide a fix timeline or coordinate an advisory with us. -- Thanks Maor Shwartz Beyond Security GPG Key ID: 93CC36E2DE7FF514
Attachment:
SSD Advisory – Sentora _ ZPanel Password Reset Vulnerability – SecuriTeam Blogs.pdf
Description: Adobe PDF document
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/