I've found a remote code execution bug on your host via PHP

I need an admin contact email, or we could chat on Discord (that would be even better):
Discord: dwscp#8305

And please, only admins.

Thanks,
Nurudin.

If you would like to contact us, you can report the vulnerability to [email protected].

If the vulnerability is in the control panel on https://cpanel.epizy.com, or on any of the services accessed through it, please note that we don’t build or operate that software. You will need to contact iFastNet about that, you can reach them through their support portal on https://support.ifastnet.com

4 Likes

Alright. Also consider adding a security.txt to your host.
It should be under: /.well-known/security.txt

Thanks!

1 Like
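The security.txt suggested above is specified by RFC 9116: it lives at /.well-known/security.txt, is served over HTTPS, and must carry at least a Contact and an Expires field. The following checker is an added example, not code from the thread or from InfinityFree; the sample file and all addresses in it are constructed placeholders.

```php
<?php
// Added example, not from the thread: a small RFC 9116 checker for a
// /.well-known/security.txt body. The sample below is constructed and
// every address in it is hypothetical.
declare(strict_types=1);

const SAMPLE_SECURITY_TXT = <<<'TXT'
# Constructed sample; addresses are placeholders
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
TXT;

/**
 * Parse a security.txt body into ['field' => [values...]].
 * Field names are case-insensitive; lines starting with '#' are comments.
 */
function parseSecurityTxt(string $body): array
{
    $fields = [];
    foreach (preg_split('/\r?\n/', $body) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (!preg_match('/^([A-Za-z-]+):\s*(\S.*)$/', $line, $m)) {
            throw new InvalidArgumentException("malformed line: $line");
        }
        $fields[strtolower($m[1])][] = trim($m[2]);
    }
    return $fields;
}

/**
 * Return the list of problems found; an empty array means the file passes.
 * Checks the two fields RFC 9116 requires (Contact, Expires), the URI
 * schemes allowed for Contact, the single-occurrence rule for Expires,
 * and that Canonical uses https.
 */
function checkSecurityTxt(array $fields, DateTimeImmutable $now): array
{
    $problems = [];

    if (empty($fields['contact'])) {
        $problems[] = 'Contact is required';
    }
    foreach ($fields['contact'] ?? [] as $uri) {
        if (!preg_match('#^(mailto:|tel:|https://)#i', $uri)) {
            $problems[] = "Contact must be a mailto:, tel: or https: URI, got: $uri";
        }
    }

    $expires = $fields['expires'] ?? [];
    if (count($expires) !== 1) {
        $problems[] = 'Expires is required and must appear exactly once';
    } else {
        try {
            $when = new DateTimeImmutable($expires[0]);
            if ($when <= $now) {
                $problems[] = "Expires is in the past: {$expires[0]}";
            }
        } catch (Exception $e) {
            $problems[] = "Expires is not a valid date-time: {$expires[0]}";
        }
    }

    foreach ($fields['canonical'] ?? [] as $uri) {
        if (stripos($uri, 'https://') !== 0) {
            $problems[] = "Canonical must use https: $uri";
        }
    }
    return $problems;
}

$problems = checkSecurityTxt(parseSecurityTxt(SAMPLE_SECURITY_TXT), new DateTimeImmutable('now'));
echo $problems === []
    ? "security.txt OK\n"
    : "problems:\n - " . implode("\n - ", $problems) . "\n";
```

To check a live site, fetch the body with `curl -s https://example.com/.well-known/security.txt` and pass it to `parseSecurityTxt()` instead of the sample. The file must be reachable at exactly that path over HTTPS; a copy at the top-level /security.txt is only a legacy location.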

Also, note that if this includes using PHP exec and shell_exec, they are restricted and banned. I have tried using PHP exec; they do not work.

2 Likes

Yes, it includes exactly those.
Edit 1: Well, the behavior of the exploit works like shell_exec.
Let's say it's something similar to it :wink:

Just to let you know, we (InfinityFree) only build and operate the tools under the infinityfree.net domain. Other parts of the free hosting platform (whether branded as epizy.com, byet.org or something else) are typically not operated by us but by iFastNet. So if there is some kind of shell exploit on the hosting itself, you need to contact iFastNet about it. All we can do is pass the message along.

Also, we don’t have a formal bug bounty program yet, so we don’t have a text file on our website with information about the bug bounty program.

4 Likes

Lol, if you have an exploit, I doubt it works. I tried using workarounds like system() and using scripts to attempt multiple execution commands at once ON MY OWN PC WITH THE SAME LEVEL OF SECURITY AND RESTRICTIONS AS FREE HOSTS HAVE, like disabling all exec/shell_exec/system() commands and running PHP in safe mode, and failed. But as Admin said, make a support ticket at support.ifastnet.com, and they shall look into it.
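The restriction the two posts above describe is PHP's `disable_functions` directive in php.ini. The script below is an added example, not code from the thread or from either hosting provider; it reports which of the shell-spawning functions are still callable on the PHP instance it runs on, so you can confirm what a host has actually turned off rather than guessing from a single failed exec() call.

```php
<?php
// Added example, not from the thread: audit whether the shell-execution
// functions discussed above are actually disabled on this PHP instance.
// The php.ini line it checks against is the standard way to turn them off:
//   disable_functions = exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec
// disable_functions is PHP_INI_SYSTEM, so it can only be set in php.ini or
// via php_admin_value, never from a script, .htaccess or .user.ini.
declare(strict_types=1);

// Functions that run a command line or spawn a process. The backtick
// operator uses the same code path as shell_exec() and is disabled with it.
const SHELL_FUNCTIONS = [
    'exec', 'shell_exec', 'system', 'passthru',
    'popen', 'proc_open', 'pcntl_exec',
];

/** Turn the comma-separated disable_functions value into a lowercase set. */
function disabledFunctions(string $ini): array
{
    $set = [];
    foreach (explode(',', $ini) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $set[$name] = true;
        }
    }
    return $set;
}

/**
 * Return the shell-capable functions that are still callable.
 * function_exists() is false both for disabled functions and for functions
 * whose extension is not loaded (pcntl_exec on a web SAPI, typically), so
 * both the ini set and function_exists() are consulted.
 */
function stillEnabled(array $disabled): array
{
    $open = [];
    foreach (SHELL_FUNCTIONS as $fn) {
        if (!isset($disabled[$fn]) && function_exists($fn)) {
            $open[] = $fn;
        }
    }
    return $open;
}

$raw = (string) ini_get('disable_functions');
$open = stillEnabled(disabledFunctions($raw));

echo "disable_functions = " . ($raw !== '' ? $raw : '(empty)') . "\n";
echo $open === []
    ? "all shell-execution functions are disabled\n"
    : "still callable: " . implode(', ', $open) . "\n";
```

Upload it as a .php file, open it once in a browser, then delete it. A clean result only means these functions are removed from the function table; `disable_functions` is not a sandbox, and code running in the same process can still do whatever the remaining functions and loaded extensions allow, which is consistent with the thread: the host had these functions disabled and the issue still had to be fixed at the platform level. PHP's safe_mode, mentioned above, was removed in PHP 5.4, so on any current host `disable_functions` and `open_basedir` are the php.ini controls that remain.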

I got more details about the exploit. It does seem valid; however, it's a problem with the free web hosting servers themselves. Again, we are only a reseller of iFastNet's platform, so any issues can only be fixed by iFastNet themselves.

3 Likes

The iFastNet staff have rolled out a fix.
Big thanks to the InfinityFree support staff for pointing me in the right direction.
