zPanel hacked after support team member insults forum user
The official web site for the web hosting interface zPanel is currently unavailable. The cause seems to be a hacker attack provoked by a member of the support team who swore at a user on the official forum.
On Wednesday, a forum member going by the name joepie91_ posted details of a vulnerability in zPanel that has been known about for some time, saying that the developer team has been refusing to fix it. He explained that specially prepared templates can be used to execute commands on the server with root privileges and called zPanel "the most insecure hosting panel with any significant userbase" that he had ever seen.
Forum participant PS2Guy, a member of the support team, was clearly not willing to let that accusation stand. In the very first sentence of his response, he called joepie91_ a "fucken little know it all", adding that all security problems in zPanel have been fixed and challenging the accuser to try to hack into any server with the current version 10.0.2 of zPanel.
He also pointed out that only administrators can upload templates, which one of the developers later confirmed; this would make the vulnerability much more difficult to exploit, since an attacker would first have to somehow get the administrator to install the specially prepared template.
The support team member's outburst seems to have had more serious consequences for the zPanel team than the vulnerability itself. PS2Guy's comments led to anger, especially in reddit's security community /r/netsec, and that anger led to an action that was hardly surprising: someone took his challenge to hack a zPanel server literally. But the target was not actually just "any" server, but zpanelcp.com – the open source project's own main server.
Screenshots posted on reddit show that some of the support team's forum accounts were hacked, but that was just the first step. One screenshot seems to show that someone even gained root access to the server, which would have allowed them to copy data. At the moment, a visit to the domain only brings up a test page for the Apache web server. The culprit and their method for compromising the server are still unknown.