Improper Access Control in alanaktion/mchostpanel


Reported on

Sep 10th 2021

✍️ Description

The php file install.php creates an admin account using POST parameter user, pass, dir, ram, port without any access control enforced nor check if the admin account has been created nor check if the file .installed exists before account creation.

It is possible for any network user who can access install.php to create a high privileged account, compromising the integrity and confidentiality of the application.


Check if file .installed exists before creating admin account.

We have contacted a member of the alanaktion/mchostpanel team and are waiting to hear back 2 years ago
Alan Hardman validated this vulnerability 2 years ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman
2 years ago


Thanks for all the detail in the report, it is really helpful to quickly verify the issue.

I was apparently much worse at web dev many years ago. Only checking for the file when rendering the HTML is incredibly dumb.

Viky submitted a
2 years ago
2 years ago


Hopefully this fixes the issue.

Alan Hardman marked this as fixed with commit 8ecb8a 2 years ago
Viky has been awarded the fix bounty
This vulnerability will not receive a CVE
install.php#L4-L9 has been validated
2 years ago


@admin give me a cve please <3

Jamie Slome
2 years ago


@vikychoi - we cannot assign a CVE here as this software is not distributable through a package or distribution mechanism.

to join this conversation