So I saw this earlier today:
http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_forum_user_fucken/
and flipped through the forum thread on the zpanel site, but didn't
have time until now to deal with it. So first off: I saw all this
stuff and read it before it was removed from the site (actually the
entire site appears to be down now).
So long and short: you upload a template with the following code:
<& bogus ']; exec("/etc/zpanel/panel/bin/zsudo touch /root/derp");
echo $value['bogus &>
and the command gets executed as root. From googling it appears that
zPanel won't work with SELinux enabled, which makes sense (most web
applications fail to ship an SELinux policy, so if they need to do
strange things outside the default policy they generally tell you to
simply disable SELinux). So if you run zPanel, it would be normal to
disable SELinux (to make zPanel work), so this root-level access won't
be restricted.
This issue has been assigned CVE-2013-2097.
There is also a mention of a CSRF, but I couldn't find any additional
information on it; if anyone knows about this, please email
me/oss-security with details.
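The payload above works because the template engine apparently splices the body of a <& ... &> tag straight into PHP source it then executes, so a single quote and a closing bracket break out of the array index and anything after them runs with the privileges of the panel (root, via zsudo). The defensive fix is to never build code from the tag body at all: treat it as a placeholder name, accept only bare identifiers, and substitute by dictionary lookup. The following Python is an added example written for this post, not zPanel's code; it assumes the <& name &> tag syntax that the quoted payload shows and nothing else about zPanel's template format.

```python
import re

# Tag syntax assumed from the payload quoted in the post: <& name &>
TAG_RE = re.compile(r"<&(.*?)&>", re.DOTALL)
# The only legitimate tag body is a bare placeholder identifier.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Characters that have no business in a placeholder name but are needed
# to break out of a quoted string and append code.
CODE_CHARS = "'\"];()$"


def find_unsafe_tags(template: str) -> list:
    """Return (tag_body, reason) for every tag that is not a bare placeholder.

    This is the check an upload handler should run before a template is
    stored: if it returns anything, reject the upload.
    """
    findings = []
    for m in TAG_RE.finditer(template):
        body = m.group(1).strip()
        if NAME_RE.match(body):
            continue
        if not body:
            reason = "empty tag"
        elif any(ch in body for ch in CODE_CHARS):
            reason = "contains code punctuation (quote, bracket, semicolon, paren or $)"
        else:
            reason = "not a bare placeholder name"
        findings.append((body, reason))

    # Edge case: an unterminated tag leaves a dangling delimiter that a
    # naive engine may still feed into its code path, so flag it too.
    leftover = TAG_RE.sub("", template)
    if "<&" in leftover or "&>" in leftover:
        findings.append(("", "unterminated or stray tag delimiter"))
    return findings


def is_safe_template(template: str) -> bool:
    return not find_unsafe_tags(template)


def render_safe(template: str, values: dict) -> str:
    """Substitute placeholders by dictionary lookup only.

    No PHP/Python source is ever assembled from the tag body, so there is
    nothing for an attacker-controlled template to break out of.
    """
    problems = find_unsafe_tags(template)
    if problems:
        raise ValueError(f"unsafe template: {problems}")

    def lookup(m):
        name = m.group(1).strip()
        if name not in values:
            raise KeyError(f"unknown placeholder {name!r}")
        return str(values[name])

    return TAG_RE.sub(lookup, template)


if __name__ == "__main__":
    # Constructed inputs: a benign template and the payload from the post.
    benign = "Welcome <& username &>, your domain is <& domain &>."
    payload = ("<& bogus ']; exec(\"/etc/zpanel/panel/bin/zsudo touch /root/derp\"); "
               "echo $value['bogus &>")
    print(render_safe(benign, {"username": "alice", "domain": "example.test"}))
    for body, reason in find_unsafe_tags(payload):
        print("REJECT:", reason)
```

The lookup-based renderer is the substantive change; the identifier whitelist is defence in depth so that a malformed template is rejected at upload time rather than at render time. Running the whitelist on existing templates after an upgrade is a cheap way to spot anything that was planted before the fix.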