Pterodactyl® is a free, open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
Published by DaneEveritt over 7 years ago
[beta.2] — Suspended servers now show as suspended.
[beta.2] — Corrected the information when a task has not run yet.
[beta.2] — Fixes filemanager 404 when editing a file within a directory.
[beta.2] — Fixes exception in tasks when deleting a server.
[beta.2] — Fixes bug with Terraria and Voice servers reporting a TypeError: Service is not a constructor in the daemon due to a missing service configuration.
[beta.2] — Fixes password reset form throwing a MethodNotAllowed error when accessed.
[beta.2] — Fixes invalid password bug when attempting to change account email address.
[beta.2] — New attempt at fixing the issues when rendering files in the browser file editor on certain browsers.
[beta.2] — Fixes broken auto-deploy time checking causing no tokens to work.
[beta.2] — Fixes display of subusers after creation.
[beta.2] — Fixes bug throwing model not found exception when editing an existing subuser.
HTTP/404 missing server error (requires [email protected])
8ae04150b684d91c21f9207a412ea3c78148aca4adb96fdea9427feb18f0d828 Panel-0.6.0-beta.2.1.tar.gz
Published by DaneEveritt over 7 years ago
[beta.1] — Fixes task management system not running correctly.
[beta.1] — Fixes API endpoint for command sending missing the required class definition.
[beta.1] — Fixes panel looking for an old compiled classfile that is no longer used. This was causing errors relating to missing class DingoAPI when trying to upgrade the panel.
[beta.1] — Should fix render issues when trying to edit some files via the panel file editor.
c43da32123897bbf505c3ef8f126e038c0bbe48fc2d0d6bd843640254a873521 Panel-0.6.0-beta.2.tar.gz
Published by DaneEveritt over 7 years ago
[pre.7] — Fixes bug with subuser checkbox display.
[pre.7] — Fixes bug with injected JS that was causing <!DOCTYPE html> to be ignored in templates.
[pre.7] — Fixes exception thrown when trying to delete a node due to a misnamed model.
[pre.7] — Fixes username vanishing on failed login attempts.
[pre.7] — Terminal is now fixed to actually output all lines, rather than leaving one hanging in neverland until the browser is resized.
.env variable.
Permission::list() to make views way cleaner and make adding to views significantly cleaner.
[pre.7] — Sidebar for file manager now is a single link rather than a dropdown.
Pterodactyl\Events\Auth\FailedPasswordReset event that can be caught if needed to perform other actions.
routes/ folder, and use a significantly cleaner syntax. Controller names and methods have been updated as well to be clearer as well as avoid conflicts with PHP reserved keywords.
[pre.7] — Corrected a config option for spigot servers to set a boolean value as boolean, and not as a string.
c7b67d4aa8a167b8e15040b1dd07a56d9826e84fe5335b8c43fbd36373269eac Panel-0.6.0-beta.1.tar.gz
Published by DaneEveritt over 7 years ago
⚠️ READ ME ⚠️ This is a pre-release version of Pterodactyl Panel, do not install this on mission critical servers or use for services that cannot experience hiccups and potential downtime. While I strive to keep as many bugs out of releases as possible, the v0.6.0 branch is receiving many major core updates and functionality changes. Please do not install this release and then complain when something doesn't work and we don't fix it immediately.
As noted in the documentation in a giant red box: do not install these pre-releases if you are using custom services. THESE RELEASES WILL DESTROY THOSE CUSTOM SERVICES AND BREAK YOUR SERVERS USING THEM.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
[pre.6] — Addresses misconfigured console queue that was still sending data way too quickly thus causing the console to explode on some devices when large amounts of data were sent.
[pre.6] — Fixes bug in allocation parsing for a node that prevented adding new allocations.
[pre.6] — Fixes typo in migrations that wouldn't save custom regex for non-required variables.
[pre.6] — Fixes auto-deploy checkbox on server creation causing validation error.
945a0defe08c54cc5d8894cb9c127c9f3da3b77fe1cf79bb3f60d366123653c2 Panel-0.6.0-pre.7.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
[pre.5] — Console based server rebuild tool now actually rebuilds the servers with the correct information.
[pre.5] — Fixes typo and wrong docker container for certain applications.
[pre.5] — Added foreign key to pack_id to ensure nothing ends up breaking there.
81f131608d6cac6ed2c7e78f39773528b603d0de0ff93f2aa75f956c141c6416 Panel-0.6.0-pre.6.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
[pre.4] — Services and Pack management overhauled to be faster, cleaner, and more extensible in the future.
UnhandledException display errors now include a clearer error that directs admins to the program's logs.
Pterodactyl\Models classes that would flood this changelog if they were all included. All required migrations included to handle database changes.
[pre.4] — Service pack files are now stored in the database rather than on the host system to make updates easier.
env() and moved to using config() throughout non config/*.php files.
192.168.1.1/z) when adding allocations that could cause over 4 million records to be created at once.
[pre.4] — Fixes bug preventing server updates from occurring by the system due to undefined Auth::user() in the event listener.
[pre.4] — Fixes Server::byUuid() caching to actually clear the cache for all users, rather than the logged in user by using cache tags.
[pre.4] — Fixes server listing on frontend not displaying a page selector when more than 10 servers exist.
[pre.4] — Fixes non-admin users being unable to create personal API keys.
[pre.4] — Multiple clients refreshing the console no longer clears the console for all parties involved... sorry about that.
[pre.4] — Fixes bug in environment setting script that would not remember defaults and try to re-assign values.
humanReadable macro on File facade that accepts a file path and returns a human readable size. (File::humanReadable(path, precision))
Server::create will fail due to changed data structure.
66d03e2c0d92af595fc22a754682a1791bc1f10a249bf2410940bf274d92af78 Panel-0.6.0-pre.5.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
[pre.3] — Fixes bug in cache handler that doesn't cache against the user making the request. Would have allowed for users to access servers not belonging to themselves in production.
[pre.3] — Fixes misnamed MySQL column that was causing the inability to delete certain port ranges from the database.
[pre.3] — Fixes bug preventing rebuilding server containers through the Admin CP.
28d41e596cc12c2bb9288f30475012ad092e8a0180f1c6b78c5784ea59e700bc Panel-0.6.0-pre.4.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
[pre.2] — Fixes bug where servers could not be manually deployed to nodes due to a broken SQL call.
[pre.2] — Fixes inability to edit a server due to owner_id issues.
[pre.2] — Fixes bug when trying to add new subusers.
php artisan pterodactyl:mail to update.
[pre.2] — Fixes inability to delete accounts due to SQL changes.
[pre.2] — Fixes bug with checking power-permissions that showed the wrong buttons. Also adds check back to sidebar to only show options a user can use.
[pre.2] — Fixes allocation listing on node allocations tab as well as bug preventing deletion of port.
[pre.2] — Fixes bug in services that prevented saving updated settings or creating new services.
[pre.2] — File Manager now displays relevant information on all screen sizes, and includes better button clicking mechanics for dropdown menu.
cb9c92d26cc89c8771f53d7b0b9be2fe2402606883335e9a72599cdb3d3fe6e4 Panel-0.6.0-pre.3.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
[pre.1] — Fixes bug with database seeders that prevented correctly installing the panel.
[pre.1] — Moved around navigation bar on frontend to make it more obvious where logout and admin buttons were, as well as use the right icon for server listing.
6d1fb1aaecdc476b8024706a03e17e82c543c515e068fc9ecddd5f43f4013aae Panel-0.6.0-pre.2.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
pterodactyl:node as well as locations via pterodactyl:location.
$fillable rather than $guarded.
Server::getUserDaemonSecret(Server $server) was removed and replaced with User::daemonSecret(Server $server) in order to clean up models.
Server::getByUUID() was replaced with Server::byUuid() as well as various other functions throughout the Server model.
Server::getHeaders() was removed and replaced with Server::getClient() which returns a Guzzle Client with the correct headers already assigned.
cd31684982077b724658d7e761484e0c11314cd48e8faf6a5a198f01aece1518 Panel-0.6.0-pre.1.tar.gz
Published by DaneEveritt over 7 years ago
Sunday, February 5th, 2016, 02:20 GMT
Affected Versions: v0.5.0-pre.3 through v0.5.6
Attn:
Today (06/02/2016) at approximately 02:20 GMT we became aware of a flaw in a core authentication validation function within our software. This flaw allows users who know the UUID or Short-UUID (sUUID) for a server to modify the application's URL and view the server overview page, even when they do not have permissions to do so.
This security flaw was introduced in commit 125856d [1] and is present in all versions of Pterodactyl Panel from v0.5.0-pre.3 through v0.5.6. The cause of this flaw was a minor change to core validation code [2] which was intended to allow validating against either a UUID or sUUID for servers. Unfortunately, this change modified the SQL statement to be in a different order than it was previously, and caused our statement to always evaluate to true.
The SQL query that was intended is:
select * from `servers` where (`uuidShort` = ? or `uuid` = ?) and `id` in (?, ?, ?) and `servers`.`deleted_at` is null limit 1
The SQL query that was being built was:
select * from `servers` where (`uuidShort` = ? or `uuid` = ? and `id` in (?, ?, ?)) and `servers`.`deleted_at` is null limit 1
For the less SQL inclined, effectively this check was validating as true immediately because the sUUID (uuidShort) was matching within the parentheses and the rest of the checking was terminated.
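The two statements above can be run side by side to see the effect of the moved parenthesis. This is an added example, not code from the Pterodactyl project: it uses an in-memory SQLite table (which, like MySQL, binds `and` tighter than `or`), and the rows, the caller's permitted ids and the helper names are constructed for illustration.

```python
import sqlite3

# The two statements quoted in the advisory, verbatim apart from line wrapping.
INTENDED = (
    "select * from `servers` where (`uuidShort` = ? or `uuid` = ?) "
    "and `id` in (?, ?, ?) and `servers`.`deleted_at` is null limit 1"
)
AS_BUILT = (
    "select * from `servers` where (`uuidShort` = ? or `uuid` = ? "
    "and `id` in (?, ?, ?)) and `servers`.`deleted_at` is null limit 1"
)

# Constructed sample rows: (id, uuidShort, uuid, name, deleted_at).
ROWS = [
    (1, "aaaa1111", "aaaa1111-0000-4000-8000-000000000001", "own-survival", None),
    (2, "bbbb2222", "bbbb2222-0000-4000-8000-000000000002", "own-creative", None),
    (3, "cccc3333", "cccc3333-0000-4000-8000-000000000003", "own-lobby", None),
    (4, "dddd4444", "dddd4444-0000-4000-8000-000000000004", "other-tenant", None),
]
CALLER_IDS = (1, 2, 3)  # constructed: servers the requesting user may see


def make_db():
    """Build the in-memory table used by both checks."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table servers (id integer primary key, uuidShort text, "
        "uuid text, name text, deleted_at text)"
    )
    db.executemany("insert into servers values (?, ?, ?, ?, ?)", ROWS)
    return db


def lookup(db, query, identifier, allowed_ids=CALLER_IDS):
    """Run one of the two checks; return the server name, or None if rejected."""
    # The identifier is bound twice, once per column, as in the statements.
    row = db.execute(query, (identifier, identifier, *allowed_ids)).fetchone()
    return row[3] if row else None


if __name__ == "__main__":
    db = make_db()
    for label, query in (("intended", INTENDED), ("as built", AS_BUILT)):
        print(label, "| own sUUID     ->", lookup(db, query, "aaaa1111"))
        print(label, "| foreign sUUID ->", lookup(db, query, "dddd4444"))
```

In the statement as built, the `id in (...)` ownership filter is attached only to the `uuid` comparison, so a `uuidShort` match alone satisfies the group.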
It is important to note that this vulnerability did not disclose any sensitive information to users who did not already have permission to access the server. Unapproved users were able to view the console overview page and see the server name, however due to our additional layers of application security they were not authenticated against the daemon, and were therefore unable to see the console, send commands, or otherwise control the server or daemon. Additional permission layers in the panel prevented users from being able to access any other server-specific pages.
We have addressed this vulnerability as of 4a320c2 [3] in our mainline release branch and 0d61417 [4] in our new-feature branch which will be merged into the development branch.
This notice was posted as part of our continued commitment to our product's security. Please do not hesitate to get in contact with us via Discord or email ([email protected]) if you should have any comments, questions, or concerns about the content of this notification.
[1] - https://github.com/Pterodactyl/Panel/commit/125856d92f02f7cc2182d058fe3173b488111d31
[3] - https://github.com/Pterodactyl/Panel/commit/4a320c29a8d7ab8874b34e92c11925f0bac7687a
[4] - https://github.com/Pterodactyl/Panel/commit/0d61417814db55d840f6b04aeee4c604bbeb991a
307174597cca7e0b3527c1916cfcdc058449e1d9867fed0a54e778dc4430366b Panel-0.5.7.tar.gz
Published by DaneEveritt almost 8 years ago
et, Dutch nl, Norwegian nb (partial), Romanian ro, and Russian ru. Interested in helping us translate the panel into more languages, or improving existing translations? Contact us on Discord and let us know.
strings.password to language file for English.
0 would cause the panel to reject the value thinking it did not exist.
7d3d121c9bd4d45536294e3237e51212bc04814be72d9f30e344af4e00431a87 Panel-0.5.6.tar.gz
Published by DaneEveritt almost 8 years ago
96ea9b5e0d0b4cb73305c4c28924d2663d3f6a2f91d08b292a1c522d0d81bfcf Panel-0.5.5.tar.gz
Published by DaneEveritt almost 8 years ago
b2c390786583db97ede7f1ffaa765026bd9e9d54b01e92bf246356030ff3ee89 Panel-0.5.4.tar.gz
Published by DaneEveritt almost 8 years ago
6dfb2cbc95b17afc0d8f366cefd62140b09bc6ade79a066c6e1b25fb4f141628 Panel-0.5.3.tar.gz
Published by DaneEveritt almost 8 years ago
#e# formatting within it when it comes to creating databases.
node:<name> when filtering servers now properly filters the servers by node name, rather than looking for the node ID.
owner:<email> when filtering servers now properly filters by the owner's email rather than ID.
Pterodactyl Panel as the company name if one is not set.
10g and have it converted to MB automatically.
0a9e93ec8c93d361a510bce836caa3d1c89d75a02f654d077fd6438fb94f464e Panel-0.5.2.tar.gz
Published by DaneEveritt almost 8 years ago
This bug was reported to us by a user (@Ferry#1704) on Discord on
Monday, November 7th, 2016.
It was disclosed that it was possible to bypass the 2FA checkpoint by
clicking outside of the modal which would prompt the modal to close,
but not submit the form. The user could then press the login button
which would trigger an error. Due to this error being triggered the
authentication attempt was not cancelled. On the next page load the
application recognized the user as logged in and continued on to the
panel.
At no time was it possible to login without using the correct email
address and password.
As a result of this bug we have re-factored the Authentication code for
logins to address the persistent session. Previously accounts were
manually logged back out on 2FA failure. However, as this bug
demonstrated, causing a fatal error in the code would prevent the
logout code from firing, thus preserving their session state.
This commit modifies the code to use a non-persistent login to handle
2FA checking. In order for the session to be saved the application must
complete all portions of the login without any errors, at which point
the user is persistently authenticated using Auth::login().
This resolves the ability to cause an exception and bypass 2FA
verification.
We would like to thank Ferry for the responsible and timely disclosure of this security bug. If you believe you have found such a bug, please do not hesitate to get in contact with us on Discord, or by emailing us [email protected].
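The ordering problem described in the commit message above, modelled as an added example rather than the panel's own code: the first login routine writes the session before the second factor is checked and relies on a manual logout, the second writes it only after every check has passed. The account, the `FatalError` class, the function names and the assumption that the dismissed modal posts no token are all constructed for illustration.

```python
import hmac


class FatalError(Exception):
    """Stands in for the unhandled error raised mid-request."""


# Constructed account; a real panel stores password hashes and TOTP secrets.
USERS = {"admin@example.com": {"password": "correct-horse", "token": "123456"}}


def password_ok(email, password):
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(password, user["password"])


def token_ok(email, token):
    if token is None:  # assumption: the dismissed modal posts no token at all
        raise FatalError("2FA token missing from request")
    return hmac.compare_digest(token, USERS[email]["token"])


def login_before_fix(session, email, password, token):
    if not password_ok(email, password):
        return False
    session["user"] = email          # persisted before the second factor
    if not token_ok(email, token):
        session.pop("user", None)    # manual logout; skipped if token_ok raises
        return False
    return True


def login_after_fix(session, email, password, token):
    if not password_ok(email, password):
        return False
    if not token_ok(email, token):   # nothing has been written to the session yet
        return False
    session["user"] = email          # the persistent login step, after every check
    return True


def handle_request(login, session, email, password, token):
    """One HTTP request: an unhandled error ends it, the session store survives."""
    try:
        return login(session, email, password, token)
    except FatalError:
        return False                 # error page returned to the browser


def logged_in_on_next_page(session):
    return "user" in session
```

A regression test for this class of bug asserts on the session state after a failed or aborted second-factor step, not only on the login call's return value.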
162e6bf9097aecceacf734b6d6cc5fc8b0dfd034d2fcdc4b3441373ae2f11e8a Panel-0.5.1.tar.gz
Published by DaneEveritt almost 8 years ago
After nearly a month in the works, version v0.5.0 is finally here! 🎉
/api/me/*.
user_id when using the API to create users.
?daemon=true flag to /api/servers/:id will return the daemon stats as well as the daemon_token if using HTTPS.
auto_deploy=true to the API to auto-select a node and allocation given a location.
composer.json file to prevent users installing slightly different versions with different features or bugs.
HTTP/1.1 200 and a JSON element with the user/server/node's ID.
Server::getbyUUID() now accepts either the uuidShort or full-length uuid for server identification.
servers:) have been changed to return a single array of all associated items. Please see the updated documentation for how this change might affect your API use.
/api/users/:id now includes an array of all servers the user is set as the owner of.
Server\AjaxController@postSetConnection is now Server\AjaxController@postSetPrimary and accepts one post parameter of allocation rather than a combined ip:port value.
1.5.0 to match the latest release. Correlates with setting hard dependencies in the Daemon.
e00eca847bcccbb538bf6d63416c0a383cb98f140822c0276c37c689ac32458d Panel-0.5.0.tar.gz
Published by DaneEveritt almost 8 years ago
This is the second release candidate for [email protected] and is considered to be feature complete. No new features will be added to the 0.5.0 line. This release is focused on finding and fixing any remaining bugs in the system. If there are few or no bugs we will continue on to an official production-ready release.
This release requires [email protected].
Users successfully running RC.1 need not update at this time as the upgrades affect only migration code.
Published by DaneEveritt almost 8 years ago
This is the first release candidate for [email protected] and is considered to be feature complete. No new features will be added to the 0.5.0 line. This release is focused on finding and fixing any remaining bugs in the system. If there are few or no bugs we will continue on to an official production-ready release.
This release requires [email protected].
BUNGE_VERSION -> BUNGEE_VERSION).
composer.json file to prevent users installing slightly different versions with different features or bugs.