List:       full-disclosure
Subject:    [FD] SSD Advisory – Sentora / ZPanel Password Reset Vulnerability
From:       Maor Shwartz <maors () beyondsecurity ! com>
Date:       2017-09-24 8:08:44
Message-ID: CAAnZqX-PGsWJSy7ezq_GMbpTrTJMjHte9UmXJgokw+exXmdHPw () mail ! gmail ! com

SSD Advisory – Sentora / ZPanel Password Reset Vulnerability

Full report: https://blogs.securiteam.com/index.php/archives/3386
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary
The following advisory describes a password reset vulnerability found in Sentora / ZPanel.

Sentora is "a free to download and use web hosting control panel developed
for Linux, UNIX and BSD based servers or computers. The Sentora software
can turn a domestic or commercial server into a fully fledged, easy to use
and manage web hosting server".

ZPanel is a free to download and use Web hosting control panel written to
work effortlessly with Microsoft Windows and POSIX (Linux, UNIX and MacOSX)
based servers or computers. This solution can turn a home or professional
server into a fully fledged, easy to use and manage web hosting server.

Credit
An independent security researcher has reported this vulnerability to
Beyond Security's SecuriTeam Secure Disclosure program.

Vendor response
Hostwinds was informed of the vulnerability, to which they responded with
"Zpanel is owned by Hostwinds but is no longer in production and has not
been supported for some time now. We only keep it active as a legacy
control panel and strongly discourage clients from using it. If you would
like to continue to use it that is agreeable, but we are not able to offer
any kind of support for it other than installing a different control panel
over it."

Sentora was informed of the vulnerability on July 16 2017. While they
acknowledged receipt of the vulnerability information, they failed to
respond to the technical claims, provide a fix timeline or coordinate an
advisory with us.

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/