CyberPanel v2.3.5 and Security Release Announcement

Hello everyone,

I hope this message finds you well. We are reaching out to inform you about the recent release of CyberPanel version v2.3.5, which includes major bug fixes and important security enhancements.

New Features

• Onboarding/Setup Wizard
• Docker Apps
• Mautic Version 5 and PHP 8 Support
• Add Rustic Support for ARM
• Updated MariaDB Version (to v10.110
• Database Manager
• Upgrade CyberPanel via UI

Bug Fixes

• ssl improvement
• bug fix: snappymail default to port 993
• bug fix: set correct soa expire value
• bug fix: menu items
• add improvments for ssl
• bug fix: for imunify install ref: https://app.clickup.com/t/86engx249
• https://github.com/usmannasir/cyberpanel/issues/1189
• bug fix in dmarc ref: #1191 (comment)
• bug fix only show main domains in dns list: ref #1190
• bug fix: create mail domain while backup restore
• bug fix: avoid creation of duplicate dns records #1190
• bug fix: dkim generation
• bug fix: elimite login via url parameters
• bug fix: fix opendkim port on email settings reset; ref: https://app.clickup.com/t/86enggytc
• bug fix: dns config reset
• ftp reset configs
• bug fix to weekly scheduled backups ref #1170
• bug fix in csf, ref https://app.clickup.com/t/86enewufa
• bug fix: keep default php-fpm config
• bug fix rspamd + dkim #1176
• bug fix: email debugger
• bug fix: do not initiate site backup if space is full
• pssobile bug in wp installer
• Update filemanager.py to fix filesize issues
• add min,max to TTL input field in addDeleteDNSRecords
• bug fix in upgrade function
• bug fix: dkim permissions
• bug fix in password generation
• bug fix cPanel importer internal ticket: https://app.clickup.com/t/865d12g34
• finalize pre_main_global https://app.clickup.com/t/866atra07
• resolve internal ticket to show php on list site https://app.clickup.com/t/866atrc44
• add proper php path to get old site wp version
• remote backup error reporting fixed
• backup v2 delete repo page
• bug fix: wp auto login
• bug fix: ftp for ubuntu 20
• bug fix: fetch snapshots for rustic on brand new server
• add headers module for apache

Security Problems

Before delving into the details, it’s essential to emphasize that CyberPanel is an open-source platform, subject to continuous scrutiny by security researchers. We have undergone a comprehensive audit conducted by Rack911, with whom we collaborated for over a year to address various security concerns. The findings from this audit, coupled with ongoing research by Altion, have resulted in the robust security measures implemented in version v2.3.5.

Here is an overview of the security issues identified and addressed in this release:

1. WebTerminal Authentication Bypass: An issue related to WebTerminal Authentication Bypass, present between versions 1.9.2 and 2.1.1, has been thoroughly addressed. To further enhance security, we have removed this feature entirely from version 2.1.1 onward.
2. Authentication Bypass and Local File Inclusion (LFI) in CloudAPI: A security concern related to the CloudAPI function has been resolved. It’s important to note that API access must be explicitly opened for external access, and by default, it is disabled.
3. Authentication Bypass in File Manager’s Upload Functionality: A vulnerability in the File Manager upload functionality, caused by a human error, has been rectified in version 2.3.5.
4. Security Middleware Bypass and Bypass of Security Controls in commandInjectionCheck(): Two security concerns related to the Security Middleware have been addressed. Thorough security checks have been implemented, covering most command injection scenarios. Additionally, adjustments have been made to functions that bypass checks when run by root or triggered externally, such as Git webhooks.
5. Insecure Generation and Storage of API Tokens: The generation and storage of API tokens have been strengthened to ensure a more secure process.
6. Broken Authentication and Local File Inclusion (LFI) in ‘/api/FetchRemoteTransferStatus’ endpoint: An issue related to the ‘FetchRemoteTransferStatus’ endpoint has been fixed. While the endpoint had proper authentication in place, a specific command was running before authentication completion. This has been rectified in version 2.3.5.

We want to reassure you that the security concerns identified were thoroughly assessed, and the necessary measures have been taken to fortify CyberPanel’s security. Your continuous support and trust are paramount, and we encourage all users to upgrade to version 2.3.5 promptly to benefit from these enhancements.

Thank you for your understanding and ongoing collaboration.