16 May 2013
An ordinary flame war on ZPanel’s support forums has escalated into a security incident that has left the company’s website inaccessible to customers as a precaution.
According to a news report by Ars Technica, the conflict started when ZPanel support member Nigel Caldwell called user joepie91 a "fu**en little know it all" after the latter claimed that websites using ZPanel in combination with some modules could be exploited.
Shortly after the incident, joepie91 posted a proof-of-concept exploit that could be injected into a ZPanel template to trigger the bug.
Within a couple of hours, Caldwell’s account was compromised and used to send messages to other users.
"Recently we've realized that we cannot produce any secure code and have decided to shut down the project," reads the spammed message. "Goodbye."
Other forum posts claimed that some webservers had been compromised via the exploit posted by joepie91.
"It would appear that the attacker(s) have managed to get access through a member of our team's account (likely they found a password by hacking into their personal e-mail account or something along those lines which gave them access to our forums but NOT our servers... the servers have been shut down as a precaution)," wrote Bobby Allen, ZPanel's lead developer.