Security Auditing of Alternative / Open Source Control Panels
« on: November 20, 2019, 03:39:09 PM »
After many requests, we have decided to perform a security audit of the most common (alternative) control panels:

CyberPanel
VestaCP
CentOS Web Panel
APNSCP

WiseCP
User/Webmin
ISPConfig
ClusterCS

The four at the top will be done first, followed by the rest, just because those were the most requested. From start to finish, I would say it's probably going to take four weeks to complete all of the audits and give them a thorough once-over.

As usual with our testing, we're doing more of a practical test as if we were a malicious user attempting to gain elevated access. The source code will not be a main focus, but it will be looked over to some extent. Given the size of this project, the time constraints and the fact that it is a free audit, we're aiming to find at least 90% of security flaws as opposed to 99% with our paid audits.

When everything is done, the developers will be notified and the control panels will be scored:

- How many root-level security flaws were present.
- How many lower-level security flaws were present.
- How long it took the developers to fix the security flaws.
- Would we recommend the panel or not after it's all said and done?

Once the developers have fixed everything, our audit reports will be made public minus any exploit code in the interest of transparency. Let me know if you guys have any questions or concerns!