v0.6.3 (Courageous Carniadactylus)
This is a critical security release. All users should update immediately.
Attn: Critical Pterodactyl Security Disclosure
On June 26th, 2017 at approximately 15:00 U.S. Central Time we were alerted to a critical vulnerability in the display of server output in the panel by Trixter#0125 on Discord. An investigation was launched at 18:00 and the fix was pushed to the develop branch at 22:36.
This vulnerability allowed a malicious user to send a specifically crafted command to a running game server and, through it, execute arbitrary commands on the game-server process as a console user. The exploit did not require any access to the panel, nor advanced knowledge of the system setup. At no time was any private user information or data accessible via this exploit, and it did not allow access to the host system.
This exploit is present in all versions of the Panel from v0.4.0-beta to v0.6.2. You should immediately upgrade your panel to patch this issue. We will not be back-porting a fix to the v0.5.x branch; anyone who is currently using that version should update to the latest release.
Due to the severity of this vulnerability we are purposely withholding specifics about this exploit in order to give affected individuals the chance to update. A full, detailed disclosure will be released on July 10th, 2017.
Fixed
- [Security] — Addresses an oversight in how the terminal rendered information sent from the server feed which allowed a malicious user to execute arbitrary commands on the game-server process itself by using a specifically crafted in-game command.
Changed
- Removed jquery.terminal and replaced it with an in-house developed terminal with less potential for security issues.
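The disclosure above deliberately withholds the trigger; the fix entry describes the flaw only as an oversight in how the terminal rendered the server feed. As an added example that is not Pterodactyl's own code (the project's in-house terminal is not shown on this page), the JavaScript below illustrates the general hardening rule that class of bug calls for: every line of game-server output is attacker-influenced data, since players can put arbitrary text into it through chat and commands, so the panel must render it as inert text, stripping terminal escape sequences and control characters and escaping HTML, and never concatenate it into markup or hand it to a formatting engine. The function names, the regular expressions and the sample log lines are constructed for this illustration and are assumptions, not details of the actual vulnerability.

```javascript
// Added example (not Pterodactyl code): rendering an untrusted console feed.
// Assumption: the game server's stdout is forwarded line by line to the
// browser, and anything a player types can end up in those lines.

// ASCII and C1 control characters, except tab (0x09). The feed is line-based,
// so a newline never belongs inside a single rendered line either.
const CONTROL_CHARS = /[\u0000-\u0008\u000A-\u001F\u007F-\u009F]/g;

// ANSI CSI sequences such as "\x1b[31m" and OSC sequences such as
// "\x1b]0;title\x07". Servers emit these for colour; a browser terminal that
// forwards them to its own formatting parser gives the attacker a second
// parser to attack, so they are removed rather than interpreted.
const ANSI_ESCAPES = /\x1b\[[0-?]*[ -\/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g;

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw feed line is concatenated straight into markup
// that the page later assigns to innerHTML. Whatever a player typed becomes
// part of the admin's DOM, in a page that also holds the socket used to send
// console commands.
function renderLineUnsafe(line) {
  return '<div class="console-line">' + line + '</div>';
}

// Hardened pattern: drop escape sequences first (so their ESC byte and body go
// together), then remaining control characters, then HTML-escape. The line
// can then only ever appear as the literal text it was.
function sanitizeConsoleLine(line) {
  return String(line).replace(ANSI_ESCAPES, '').replace(CONTROL_CHARS, '');
}

function renderLineSafe(line) {
  return '<div class="console-line">' + escapeHtml(sanitizeConsoleLine(line)) + '</div>';
}

// In a real page, prefer building DOM nodes so that no HTML parsing happens at all:
//   const el = document.createElement('div');
//   el.className = 'console-line';
//   el.textContent = sanitizeConsoleLine(line);   // never innerHTML
//   terminalElement.appendChild(el);

// Constructed sample lines in the shape a game server prints after players
// speak in chat (not captured from a real server).
const SAMPLE_FEED = [
  '[12:00:01] [Server thread/INFO]: Player joined the game',
  '[12:00:05] [Server thread/INFO]: <Player> hello <b>world</b>',
  '[12:00:09] [Server thread/INFO]: <Player> \x1b[31mred text\x1b[0m and "quotes"',
  '[12:00:12] [Server thread/INFO]: <Player> <img src=x onerror="alert(1)">',
];

function renderFeed(lines) {
  return lines.map(renderLineSafe).join('\n');
}

console.log(renderFeed(SAMPLE_FEED));
```

The design point is that the output stream is treated as data at exactly one place, before it reaches any HTML or formatting parser, regardless of which in-game feature an attacker used to get text into it.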
SHA256 Checksum
865326ff67a091a9830ab50e944cef7f3f41ae4a558e53011bb93f022002bc32 v0.6.3.tar.gz