Improper Access Control in alanaktion/mchostpanel


Reported on

Sep 10th 2021

✍️ Description

The PHP file install.php creates an admin account from the POST parameters user, pass, dir, ram and port without enforcing any access control: before creating the account it neither checks whether an admin account already exists nor checks whether the .installed marker file exists.

Any network user who can reach install.php can therefore create a highly privileged account, compromising the integrity and confidentiality of the application.


Check whether the .installed file exists before processing the request that creates the admin account, and refuse the request if it does; checking the marker only when rendering the installer HTML does not stop a direct POST.
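The two handlers below are an added illustration of the flaw and of the recommended check; they are not code from alanaktion/mchostpanel, and the marker path, the `install.lock` file, the `$createAdmin` callback and the validation limits are assumptions. The vulnerable handler consults `.installed` only after the POST branch has already run, which is the shape of the bug described above; the hardened handler refuses every request once the marker exists, re-checks it under a lock so two concurrent first-time requests cannot both create an admin, and stores the password hashed.

```php
<?php
declare(strict_types=1);

// Added example, not code from alanaktion/mchostpanel. The marker path,
// the lock file, the $createAdmin callback and the input limits are assumptions.

const INSTALLED_MARKER = __DIR__ . '/.installed';

/**
 * Vulnerable pattern (the flaw the report describes): the POST branch runs
 * before anything looks at the marker, so the marker only suppresses the
 * HTML form. A direct POST to install.php still creates an admin account.
 */
function vulnerableInstall(array $post, callable $createAdmin): string
{
    if (isset($post['user'], $post['pass'], $post['dir'], $post['ram'], $post['port'])) {
        $createAdmin($post['user'], $post['pass'], $post['dir'],
                     (int) $post['ram'], (int) $post['port']);
        return 'created';
    }
    if (file_exists(INSTALLED_MARKER)) {
        return 'already installed'; // reached only for requests without the POST fields
    }
    return 'form';
}

/**
 * Hardened pattern: the marker gates the whole request, the check-then-create
 * step is serialised under an exclusive lock, inputs are validated, and the
 * password is hashed before it is handed to the account-creation routine.
 */
function hardenedInstall(array $post, callable $createAdmin): string
{
    // 1. Refuse everything once installed, POST included.
    if (file_exists(INSTALLED_MARKER)) {
        http_response_code(403);
        return 'already installed';
    }

    // 2. Anything that is not a complete submission just gets the form.
    if (!isset($post['user'], $post['pass'], $post['dir'], $post['ram'], $post['port'])) {
        return 'form';
    }

    // 3. Validate what is about to be trusted (limits are assumed, not the project's).
    $user = trim((string) $post['user']);
    $pass = (string) $post['pass'];
    $dir  = (string) $post['dir'];
    $ram  = filter_var($post['ram'],  FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $port = filter_var($post['port'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($user === '' || strlen($pass) < 12 || $ram === false || $port === false
        || $dir === '' || str_contains($dir, '..')) {
        http_response_code(400);
        return 'invalid input';
    }

    // 4. Hold an exclusive lock and re-check the marker inside it (TOCTOU guard).
    $lock = fopen(__DIR__ . '/install.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        http_response_code(500);
        return 'lock failed';
    }
    try {
        if (file_exists(INSTALLED_MARKER)) {
            http_response_code(403);
            return 'already installed';
        }
        $createAdmin($user, password_hash($pass, PASSWORD_DEFAULT), $dir, $ram, $port);
        // Write the marker only after the account exists, so a failed
        // createAdmin() does not leave the installer permanently locked.
        file_put_contents(INSTALLED_MARKER, (string) time());
        return 'created';
    } finally {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

// Entry point as an install.php would use it; the callback stands in for the
// application's real account-creation routine (assumed, application-specific).
if (PHP_SAPI !== 'cli') {
    echo hardenedInstall($_POST, function (string $u, string $hash, string $d, int $ram, int $port): void {
        // persist the admin record here
    });
}
```

To confirm a deployment is no longer affected, send a POST containing the five parameters to install.php on an already-installed instance and verify that the response is a refusal and that no new account appears; a check that only hides the form will still return success for that request.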

We have contacted a member of the alanaktion/mchostpanel team and are waiting to hear back 3 months ago
Alan Hardman validated this vulnerability 3 months ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman
3 months ago


Thanks for all the detail in the report, it is really helpful to quickly verify the issue.

I was apparently much worse at web dev many years ago. Only checking for the file when rendering the HTML is incredibly dumb.

Viky submitted a
3 months ago
3 months ago


Hopefully this fixes the issue.

Alan Hardman confirmed that a fix has been merged on 8ecb8a 3 months ago
Viky has been awarded the fix bounty
install.php#L4-L9 has been validated
3 months ago


@admin give me a cve please <3

Jamie Slome
3 months ago


@vikychoi - we cannot assign a CVE here as this software is not distributable through a package or distribution mechanism.