TL;DR — Authentication verification code was evaluating to true when it should not have, which allowed users who were able to guess, or previously knew, a server's (s)UUID to access the overview page. No sensitive information was disclosed, nor were users who did not already have approved access able to see or do anything with the server.
Security Vulnerability Disclosure
Sunday, February 5th, 2016, 02:20 GMT
Today (06/02/2016) at approximately 02:20 GMT we became aware of a flaw in a core authentication validation function within our software. This flaw allows users who know the UUID or Short-UUID (sUUID) for a server to modify the application's URL and view the server overview page, even when they do not have permissions to do so.
This security flaw was introduced in commit 125856d and is present in all versions of Pterodactyl Panel from v0.5.6. The cause of this flaw was a minor change to core validation code which was intended to allow validating against either a UUID or sUUID for servers. Unfortunately, this change altered the grouping of the SQL WHERE clause so that the ownership check no longer constrained the result, and caused our statement to always evaluate to true.
The SQL query that was intended is:
select * from `servers` where (`uuidShort` = ? or `uuid` = ?) and `id` in (?, ?, ?) and `servers`.`deleted_at` is null limit 1
The SQL query that was being built was:
select * from `servers` where (`uuidShort` = ? or `uuid` = ? and `id` in (?, ?, ?)) and `servers`.`deleted_at` is null limit 1
For the less SQL inclined: because AND binds more tightly than OR, the query that was built is effectively "uuidShort = ? OR (uuid = ? AND id IN (...))". As soon as the sUUID (uuidShort) matched, the parenthesised condition was already satisfied and the ownership check (id IN (...)) was never applied, so the lookup succeeded for any user who supplied a valid sUUID.
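To make the precedence problem concrete, the following is an added example (not code from this advisory or from the Pterodactyl project) that runs both WHERE clauses over constructed sample rows in an in-memory SQLite database standing in for MySQL, binding one identifier to both the uuidShort and uuid placeholders as the panel's lookup did. The table layout, sample rows and the allowed-id list are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: user "1" is permitted to access server 1 only.
SERVERS = [
    (1, "a1b2c3d4", "a1b2c3d4-0000-4000-8000-000000000001", None),
    (2, "e5f6a7b8", "e5f6a7b8-0000-4000-8000-000000000002", None),
]

# The query the advisory says was intended: identifier match AND ownership check.
INTENDED = (
    "SELECT id FROM servers WHERE (uuidShort = ? OR uuid = ?) "
    "AND id IN ({ids}) AND deleted_at IS NULL LIMIT 1"
)

# The query that was actually built. AND binds tighter than OR, so this reads as
# uuidShort = ? OR (uuid = ? AND id IN (...)): a uuidShort hit skips the ownership check.
BUGGY = (
    "SELECT id FROM servers WHERE (uuidShort = ? OR uuid = ? "
    "AND id IN ({ids})) AND deleted_at IS NULL LIMIT 1"
)


def open_db():
    """Create an in-memory stand-in for the panel's servers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE servers (id INTEGER, uuidShort TEXT, uuid TEXT, deleted_at TEXT)"
    )
    conn.executemany("INSERT INTO servers VALUES (?, ?, ?, ?)", SERVERS)
    return conn


def lookup(conn, template, identifier, allowed_ids):
    """Return the id of the matched server, or None if the query finds nothing.

    allowed_ids is the list of server ids the requesting user may access; the
    identifier is bound to both the uuidShort and uuid placeholders.
    """
    if not allowed_ids:
        # A user with no servers can never pass the ownership check.
        return None
    placeholders = ", ".join("?" for _ in allowed_ids)
    sql = template.format(ids=placeholders)
    row = conn.execute(sql, (identifier, identifier, *allowed_ids)).fetchone()
    return row[0] if row else None
```

With the buggy template, a user whose allowed_ids is [1] still gets server 2 back when they supply its sUUID "e5f6a7b8"; the intended template returns nothing, and the full UUID does not trigger the bypass because the uuid comparison stays inside the AND group.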
It is important to note that this vulnerability did not disclose any sensitive information to users who did not already have permission to access the server. Unapproved users were able to view the console overview page and see the server name, however due to our additional layers of application security they were not authenticated against the daemon, and were therefore unable to see the console, send commands, or otherwise control the server or daemon. Additional permission layers in the panel prevented users from being able to access any other server-specific pages.
We have addressed this vulnerability as of 4a320c2 in our mainline release branch and 0d61417 in our new-feature branch, which will be merged into the development branch.
This notice was posted as part of our continued commitment to our product's security. Please do not hesitate to get in contact with us via Discord or email (email@example.com) if you have any comments, questions, or concerns about the content of this notification.
 - https://github.com/Pterodactyl/Panel/commit/125856d92f02f7cc2182d058fe3173b488111d31
 - https://github.com/Pterodactyl/Panel/commit/125856d92f02f7cc2182d058fe3173b488111d31#diff-3dd8f3d382459350ae3d8c43039ed472R180
 - https://github.com/Pterodactyl/Panel/commit/4a320c29a8d7ab8874b34e92c11925f0bac7687a
 - https://github.com/Pterodactyl/Panel/commit/0d61417814db55d840f6b04aeee4c604bbeb991a