zPanel vulnerability permits root access to server
A security vulnerability that an attacker can exploit to obtain root access to the server has been discovered in zPanel. The vulnerability is in the ZPX HTPASSWD module. The zPanel development team is working on a patch, and a hotfix that can be applied manually is circulating on forums.
The module's failure to adequately check user input means that an authenticated attacker can inject arbitrary shell commands into the server. Head developer Bobby Allen has explicitly advised zPanel users to disable the vulnerable module.
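The class of flaw described above can be avoided by never passing form input to a shell. The following PHP sketch is an added example, not zPanel's code and not the circulating hotfix: it assumes a feature that takes a username and password from a web form and must produce an Apache htpasswd entry, and it swaps any call to an external command for in-process hashing. All function names are hypothetical.

```php
<?php
// Added example, not zPanel code. Assumption: a protected-directory feature
// receives a username and password from a web form and must produce an
// Apache htpasswd entry. All function names below are hypothetical.
// Pattern to avoid: interpolating form fields into a shell command string
// (system(), exec(), backticks), where the shell interprets metacharacters.

function validate_htpasswd_user(string $user): string
{
    // Allow-list only: excludes ':' (the htpasswd field separator),
    // whitespace, newlines and every shell metacharacter.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }
    return $user;
}

function build_htpasswd_line(string $user, string $password): string
{
    $user = validate_htpasswd_user($user);
    // bcrypt uses at most 72 bytes and stops at NUL: reject, do not truncate.
    if ($password === '' || strlen($password) > 72 || strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('invalid password');
    }
    // Hash in-process so the password never reaches a command line.
    // Apache 2.4 accepts bcrypt ($2y$) hashes in htpasswd files.
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
}

function append_htpasswd_entry(string $file, string $user, string $password): void
{
    // $file must come from server-side configuration, never from the request.
    $line = build_htpasswd_line($user, $password);
    if (file_put_contents($file, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('cannot write htpasswd file');
    }
}

// Constructed sample inputs: one valid name, three that must be rejected.
$file = tempnam(sys_get_temp_dir(), 'htp');
foreach (['alice', 'bob; x', "eve\nroot", 'a:b'] as $name) {
    try {
        append_htpasswd_entry($file, $name, 'correct horse battery staple');
        echo "accepted: ", json_encode($name), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", json_encode($name), "\n";
    }
}
echo file_get_contents($file);
unlink($file);
```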
The open source, GPLv3-licensed zPanel project last hit the headlines when a support worker's insulting attitude towards a forum user provoked other users to take revenge by hacking the main zPanel server.
(fab)