Date: Sun, 24 Sep 2017 11:08:44 +0300
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Sentora / ZPanel Password Reset Vulnerability

SSD Advisory – Sentora / ZPanel Password Reset Vulnerability

Full report: https://blogs.securiteam.com/index.php/archives/3386
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary
The following advisory describes a password reset vulnerability found in Sentora / ZPanel.

Sentora is “a free to download and use web hosting control panel developed
for Linux, UNIX and BSD based servers or computers. The Sentora software
can turn a domestic or commercial server into a fully fledged, easy to use
and manage web hosting server”.

ZPanel is a free to download and use Web hosting control panel written to
work effortlessly with Microsoft Windows and POSIX (Linux, UNIX and MacOSX)
based servers or computers. This solution can turn a home or professional
server into a fully fledged, easy to use and manage web hosting server.

Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Hostwinds was informed of the vulnerability, to which they responded with
“Zpanel is owned by Hostwinds but is no longer in production and has not
been supported for some time now. We only keep it active as a legacy
control panel and strongly discourage clients from using it. If you would
like to continue to use it that is agreeable, but we are not able to offer
any kind of support for it other than installing a different control panel
over it.”

Sentora was informed of the vulnerability on July 16, 2017. While they
acknowledged receipt of the vulnerability information, they did not respond
to the technical claims, provide a fix timeline, or coordinate an advisory
with us.

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

Download attachment "SSD Advisory – Sentora _ ZPanel Password Reset Vulnerability – SecuriTeam Blogs.pdf" of type "application/pdf" (117933 bytes)

