Security audit

[MrRinkana]

Based on the recent very severe CVE I'd like to suggest focus is put towards getting a security audit by an external party, or at least a path towards getting one be laid out.

---

I know these can come with a cost that for many projects might be prohibitive, but compared to other open source projects Pterodactyl has commercial sponsors that might be interested in aiding in this, maybe even home users. Either way there is responsibility to be taken for the security of this server panel by both developers and commercial users. A security audit is a good way of putting money where the mouth is, or as the pterodactyl website puts it: security first.

I heard some such audit companies might offer lower prices for open-source projects but unfortunately these are to my knowledge individual per organisation and something you can ask about but not expect.

Benefits/why external audit:

Writing good functionality/well functioning code is unfortunately not the same as writing very secure code/finding security issues - they are different expertises and one strong benefit in a security audit: you get your code looked at by security experts which are specifically good at looking trough code for exploitable sections.

Another strong benefit in an external security audit is by having someone new to the code looking trough it they are not susceptible to making assumptions on what it does, as one is when the code is written by oneself and you know what it does from memory. This benefit should not be understated.

A good security audit gives reassurance that not some other bug or oversight is still hidden, and helps gain/regain trust and confidence in the statement of security first.

For a project that is not under heavy development, a security audit can last a decent while, but of course security is never a "one time done" thing.

[phoenixpanel]

Well. If you couldn't tell by the recent (last year or two) lack of updates. Pterodactyl is only getting security patches. Its not actually being worked on. There was talk in the donator chat a few months ago about where the sponsorship money is going and how can developers contribute towards Pterodactyl more. Unfortunately there was no clear reason for where the money that supporters are actively giving this project. Its had lack of feature updates for a long time now and is generally at a stand still. Except for delayed security patches. Which as you can see there is only security patches being applied to Pterodactyl and nothing else so you will easily be able to tell the amount of exploits this software has and it has no active developer.

So even suggesting that Pterodactyl pays for a 3rd party security audit will surely get a chuckle out of Mattew.

I wish I could give a solution to this problem but the problem lies with Matthew. Or alternatively look at another panel software maybe one with a dev team that actually cares.

[MrRinkana]

That is more cynical than i think it needs to be. Pterodactyl is a rather feature complete project so its not too surprising it is mostly maintenance. But that's exactly why getting a security audit is such a good idea, as slower moving codebase is less likely to introduce new security issues after the audit - getting more from the money!

But your comment is another reason an audit is a good idea, I suspect you would have your trust restored somewhat if the project was audited (and of course any issues fixed, the report published) by some reputable researchers, right?

[Admin9961]

Don't disclose too much details in public becouse this is a gaming server application lol, in other words script kiddies will "rape" it if they will understand. I achieved a decent grasp about the vulnerability and I crafted a PoC for studying, but I don't think it's safe to share.

[Zagreus9723]

@Admin9961 The exact exploit string/url is available online, also there was already a patch released that most (all?) major providers have uploaded.

[MrRinkana]

There are no details about the exploit here nor is it about it either - it's a suggestion that a security audit should be of high priority.

I appreciate the engagement but lets keep on topic 👍

[Admin9961]

@Admin9961 The exact exploit string/url is available online, also there was already a patch released that most (all?) major providers have uploaded.

It's worth noting that if an attacker can use the vulnerability to write a .php file to an arbitrary location, reverse shell become possible, by including in the 'namespace' parameter a .php file containing a reverse shell (tested with PHP8.2-FPM on Debian). That means one can use the stolen credentials to gain Administrative access, then find a way to upload .php shell, then including it. Always educational purpose only on an isolated environment.