
Is zPanel a Good Open Source Alternative?

October 7, 2014

Open source control panels versus commercial control panels: if you have ever managed a co-located server, dedicated server or virtual private server somewhere, you have probably dealt with this question. You have most likely seen zPanel while browsing for options, and naturally your concerns were with security and functionality. But is zPanel a good alternative compared to the commercial solutions out there?


zPanel (pronounced “Zee Panel”, a bit like a German with a thick accent saying “The Panel”; programmer’s humor, what can I say) is a 100% POSIX and Windows Server compatible control panel for managing servers and the services running on them.


POSIX compliant means that it will run on any *nix flavor: the various distributions of Linux, but also OS X and Unix servers. This makes zPanel a very versatile choice and allows a hosting provider to have the same control panel for all clients on every kind of server they offer. Find out more here.


Whether you are a starter hosting company, a reseller host or an interested party – this post is meant to introduce the main zPanel features and vulnerabilities.


Why Use a Control Panel?


The answer is very simple: convenience and user experience.


It goes without saying that every good system administrator can manage a server just with the command line. But let’s face it: your clients might not, and most likely will not, be able to do that.


This would result in your clients having to contact you for every little thing, such as setting up a new domain they just registered, or creating a new email address for their new colleague. It would save a lot of time both for you and for your clients if clients could do this themselves. That could be done by using a website that exposes the necessary functionality to the client. And it would be great if they could do all that without the risk of messing up the system, and without needing access to parts of the system you don’t want them to have access to.


This is exactly what a control panel allows you to do: provide your clients with the ability to make changes in the system they are renting from you in a safe and controlled way. This saves you time and money. It prevents you from being called in the middle of the night to add a new domain by that client who keeps forgetting that he is in a completely different timezone. And you won’t need to clean up a client’s mess.


The Appeal of zPanel


zPanel has a lot to offer and is very extensible. It is a very mature open source project. It is fairly easy to write extensions and plugins for it, which allows someone with some programming knowledge to customize the system to his or her needs. zPanel is easy to install and not much knowledge is needed to operate it. Beyond that, this control panel is user friendly and also very well documented. And because it is a mature project, it is also quite reliable and it might just be what a start-up hosting provider needs to offer its clients: a good, versatile, reliable and complete control panel without the recurring costs that come with, for example, cPanel or DirectAdmin. For large scale hosting providers, offering zPanel can be a good option as clients might already be used to it and trust it. Or it allows the hosting provider to offer a good variety when it comes to options. It also makes it possible to offer a server for less than they could in combination with DirectAdmin or cPanel.


The open source character of zPanel and its extensive documentation make the system very accessible for people who are familiar with programming. It therefore allows a lot of customization to be done by the hosting provider themselves. Larger hosting providers with a few people in the development department might be charmed by the open character of zPanel.


Another reason for choosing zPanel is probably its community. Let’s assume that you find some functionality lacking or not available. Then it is possible to discuss this with the community of the open source project. Chances are very good that other users also encountered this problem and already have a ‘plug and play’ solution at hand which you can use. Or perhaps the request is new but makes so much sense that it will actually be built into the project.


Another good thing about zPanel is that because of its open source character, security is pretty good, or at least not worse than other commercial products.


Should You Use It?


It’s hard to think of significant reasons why you shouldn’t choose zPanel, but I will try anyway.


For one, zPanel simply isn’t a commercial product. Sure, they actually have a support department and you may get rather decent support, but the whole idea of having a free control panel on your servers which you are offering for your clients might seem ‘cheapskate’. This is probably not what you want to go for.


Both DirectAdmin and cPanel are commercial products that have been around for quite a while, and have gained a certain status and a reputation over the years. You might miss out on clients who opt for DirectAdmin or cPanel for whatever reason they have.


Another reason for not using zPanel is possible (or should I say probable?) security risks. That is not to say that cPanel and DirectAdmin are 100% safe, or even safer than zPanel. For example, recent events show that cPanel can also be vulnerable, as their tech support department got hacked, exploited and totally messed up, which resulted in the possibility of root passwords of clients being out in the open. For more information just google, or check here.


The risk with zPanel is that there are a lot of people working on it from all over the world. Someone at some point might (unknowingly) introduce a flaw which causes the system to be wide open for people with ill intent. Then again, as stated, that might happen with cPanel and DirectAdmin as well. The risk is always there, but while using a paid product you may be more certain that these things are constantly checked and taken care of before they happen.


Another risk that zPanel introduces is third party plugins and extensions, or perhaps plugins and extensions a hosting provider might write themselves. DirectAdmin and cPanel are making a good effort to be ‘complete’ on their own and do not rely so much on third parties to extend their functionality, thus minimizing that risk.


Finally, from a tech point of view, cPanel and DirectAdmin are very complete on their own, and the chances are good that all the functionality you might ever need is already available on one of these systems. Then again, the same applies to zPanel, which has been around for quite some time and can be considered pretty mature.


Exposing the Cracks: zPanel Security Issues


As discussed, essentially all products, commercial or non-commercial, closed source or open source, have security issues. zPanel is no different. However, it has quite a history of security flaws, which deters people from taking a chance with zPanel.


A recent example of the risks in zPanel is the pChart vulnerability, which can be seen here and here.


To tell the truth, pChart version 2.1.3 has multiple critical vulnerabilities, and unfortunately it is a commonly used component in zPanel. pChart is not a part of zPanel and is not developed by the zPanel team, but that is no excuse, is it?


The first vulnerability in this version is the so-called Directory Traversal exploit. This involves an examples folder with which the module can be ‘persuaded’ to show files from the server’s file system by constructing a peculiar URL. This is a very bad situation because it can reveal the actual contents of the /etc/passwd file, which is the main password database in which all users of the system, including root, are stored. This is information you definitely do not want to be out in the open in this way.
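One way a script that shows files from an examples folder can refuse such a URL, as an added example (this is not pChart or zPanel code). The function name resolveInsideBase, the temporary directory and the sample file names are assumptions made for illustration.

```php
<?php
// Added example, not pChart or zPanel code. resolveInsideBase() is a
// hypothetical helper for a script that displays a file named by a request
// parameter.

/**
 * Resolve $requested inside $baseDir and return its real path,
 * or null when the result is missing or falls outside $baseDir.
 */
function resolveInsideBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" sequences and follows symlinks, so the
    // comparison below is made on the location that would actually be read.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Require the separator after the base so "/srv/examples-old" does not
    // pass as being inside "/srv/examples".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo: a temporary "examples" directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'examples_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'example.basic.php', "<?php // sample\n");

// Constructed request values: one legitimate name, three that must be refused.
$requests = ['example.basic.php', '../../../../etc/passwd', '/etc/passwd', 'missing.php'];
foreach ($requests as $name) {
    $path = resolveInsideBase($base, $name);
    printf("%-26s %s\n", $name, $path === null ? 'rejected' : 'served');
}

unlink($base . DIRECTORY_SEPARATOR . 'example.basic.php');
rmdir($base);
```

The check is made on the resolved path rather than on the raw parameter, so encoded or nested “../” sequences cannot slip past a string filter.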


Another exploit is the XSS exploit, also known as a Cross-Site Scripting vulnerability. This involves any site that uses cookies to store user names and passwords for authentication. The intent of an XSS exploit is to steal the cookie of a user of the site so that the attacker can then impersonate the targeted user. This can easily be prevented by filtering the information that the code has to process, but seeing that third party extension creators are usually doing this in their spare time and might not always be too concerned about or aware of security risks, some exploits like these might slip through the cracks, and it might even take a while before they get noticed. And it can happen that people with bad intentions notice these flaws earlier than people with good intentions. (For more information on what XSS exploits are and how to (ab)use them, check here: http://www.steve.org.uk/Security/XSS/Tutorial/)


This is a downside of open source technology in general. Although flaws usually get noticed and fixed sooner than on a commercial closed source platform, the source is open and hackers can actively probe for security issues by checking the code. On a commercial closed source platform, vulnerabilities and exploits are much harder to detect for people who do not have access to the source code. Even if a vulnerability is around for longer than it would have been in its open source counterpart, there is a good chance that the vulnerability is detected and fixed before it is discovered by others.


But even then, commercial products have a tendency to incorporate open source code, as was shown in the recent Heartbleed crisis, where every product that used OpenSSL was vulnerable to an essentially very simple hack (for a brief explanation of the Heartbleed bug, check here).


This vulnerability affected commercial, non-commercial, open and closed source software alike. So in the end, security is what you have until someone finds a vulnerability and exploits it, no matter which product you choose.


zPanel vs. Other Control Panels


As far as quality goes, there is no real reason not to use zPanel instead of another control panel. zPanel is very complete and mature, and offers enough functionality for a hosting provider or a starting reseller. Especially for the price, which is free!


If you prefer a more open system which allows you to make modifications yourself ‘easily’, zPanel might actually be the way to go and should seriously be considered. However, if you simply want a proven product with a good reputation and credibility, with a large user base, then one of the commercially available options might be the better choice for you.


In a Nutshell…


In maturity and quality, zPanel compares to solutions like cPanel. For a hosting provider, there is no reason to shun zPanel as such, especially if it can win you a few more clients. Security will always be an issue, even with commercial products, and is no reason not to try open source products. For the sake of argument I could say that with an open source product, you are at all times much better informed than with a commercial closed source product. You can simply look through the code and see for yourself how things are done. You really know what you are getting, and if that is not enough, you can extend it into what you need, which might not be as easy with a commercial closed source product.

By Richard Beckker