The very idea of a web-based control panel for a Linux server is a recipe for disaster, because it means giving root access to a web-accessible program. Remember why you're never supposed to run Apache as root? Or why you should never give PHP scripts permission to write to any location outside of the upload folder? Root and web-access don't mix, period. In the VPS business it's a kind of necessary evil, but that's all the more reason to check if the survival of your business depends on a bunch of unsanitized SQL queries.<p>Back in 2009, before SolusVM came along, the most popular control panel for low-end VPS hosts was called HyperVM. One day in the summer of that year, HyperVM got hacked, or more accurately, a combination of slow updates and weak passwords caused major data loss at a popular low-end VPS host. The next day, the developer of HyperVM, an Indian man, committed suicide. There was a lot of publicity surrounding the incident, and many low-end VPS hosts went looking for a less infamous control panel.<p>Then came SolusVM. I can't remember exactly how it came to be the primary replacement for HyperVM, but almost overnight everyone adopted SolusVM. I'm actually surprised that it lasted nearly 4 years without a major security incident like this. The low-end VPS market is so crowded with assholes and 14-year-olds looking for a quick buck, the so-called companies exchange DDoS attacks every other day. Now that the easiest route into another company's servers has been published, expect them to start hacking one another into oblivion.<p>Meanwhile, I'm already starting to wonder what kind of flying PHP-spaghetti-code monster whose name is /^[A-Za-z]{5}VM$/ will come to replace SolusVM for the next 4 years or so. It probably won't be much more secure, since most of the kids have budgets that are too tight to buy proper software. Developers who know how to use prepared statements cost money. Auditing a complex piece of web app costs even more money.<p>Writing control panels is hard. Remember, even Linode sometimes gets it wrong. If you trust your root account and therefore the fate of your business with a bundle of obfuscated code that may or may not have been audited by any competent security researcher, it's only a matter of time before something like this happens to you.
Ramnode was hacked as a result: <a href="https://news.ycombinator.com/item?id=5888309" rel="nofollow">https://news.ycombinator.com/item?id=5888309</a>
Oh man - failure to use a framework or they worked around it - either way this was a big programming no no - direct use of SQL with NO sanitizing. Very bad.<p>I can't even call this a vulnerability - it's an open door.
This is not surprising at all. In their client API for checking server status, they can't even report memory usage correctly.<p>It's been a bug in their API for a very long time, with multiple requests for a fix. I made a new request for a fix about 2 months ago and they're still "working on it". Not difficult to look at the correct line in /proc/meminfo.