Pterodactyl® is a free, open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
OTHER License
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
[pre.3] — Fixes bug in cache handler that doesn't cache against the user making the request. Would have allowed for users to access servers not belonging to themselves in production.
[pre.3] — Fixes misnamed MySQL column that was causing the inability to delete certain port ranges from the database.
[pre.3] — Fixes bug preventing rebuilding server containers through the Admin CP.
28d41e596cc12c2bb9288f30475012ad092e8a0180f1c6b78c5784ea59e700bc Panel-0.6.0-pre.4.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
[pre.2] — Fixes bug where servers could not be manually deployed to nodes due to a broken SQL call.
[pre.2] — Fixes inability to edit a server due to owner_id issues.
[pre.2] — Fixes bug when trying to add new subusers.
php artisan pterodactyl:mail to update.
[pre.2] — Fixes inability to delete accounts due to SQL changes.
[pre.2] — Fixes bug with checking power-permissions that showed the wrong buttons. Also adds check back to sidebar to only show options a user can use.
[pre.2] — Fixes allocation listing on node allocations tab as well as bug preventing deletion of port.
[pre.2] — Fixes bug in services that prevented saving updated settings or creating new services.
[pre.2] — File Manager now displays relevant information on all screen sizes, and includes better button clicking mechanics for dropdown menu.
cb9c92d26cc89c8771f53d7b0b9be2fe2402606883335e9a72599cdb3d3fe6e4 Panel-0.6.0-pre.3.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
[pre.1] — Fixes bug with database seeders that prevented correctly installing the panel.
[pre.1] — Moved around navigation bar on frontend to make it more obvious where logout and admin buttons were, as well as use the right icon for server listing.
6d1fb1aaecdc476b8024706a03e17e82c543c515e068fc9ecddd5f43f4013aae Panel-0.6.0-pre.2.tar.gz
Published by DaneEveritt over 7 years ago
This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!
pterodactyl:node as well as locations via pterodactyl:location.
$fillable rather than $guarded.
Server::getUserDaemonSecret(Server $server) was removed and replaced with User::daemonSecret(Server $server) in order to clean up models.
Server::getByUUID() was replaced with Server::byUuid() as well as various other functions throughout the Server model.
Server::getHeaders() was removed and replaced with Server::getClient() which returns a Guzzle Client with the correct headers already assigned.
cd31684982077b724658d7e761484e0c11314cd48e8faf6a5a198f01aece1518 Panel-0.6.0-pre.1.tar.gz
Published by DaneEveritt over 7 years ago
Sunday, February 5th, 2016, 02:20 GMT
Affected Versions: v0.5.0-pre.3 through v0.5.6
Attn:
Today (06/02/2016) at approximately 02:20 GMT we became aware of a flaw in a core authentication validation function within our software. This flaw allows users who know the UUID or Short-UUID (sUUID) for a server to modify the application's URL and view the server overview page, even when they do not have permissions to do so.
This security flaw was introduced in commit 125856d [1] and is present in all versions of Pterodactyl Panel from v0.5.0-pre.3 through v0.5.6. The cause of this flaw was a minor change to core validation code [2] which was intended to allow validating against either a UUID or sUUID for servers. Unfortunately, this change modified the SQL statement to be in a different order than it was previously, and caused our statement to always evaluate to true.
The SQL query that was intended is:
select * from `servers` where (`uuidShort` = ? or `uuid` = ?) and `id` in (?, ?, ?) and `servers`.`deleted_at` is null limit 1
The SQL query that was being built was:
select * from `servers` where (`uuidShort` = ? or `uuid` = ? and `id` in (?, ?, ?)) and `servers`.`deleted_at` is null limit 1
For the less SQL inclined, effectively this check was validating as true immediately because the sUUID (uuidShort) was matching within the parentheses and the rest of the checking was terminated.
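The difference between the two statements above can be reproduced with an in-memory SQLite database. This is an added example, not code from the Pterodactyl project; the table contents, the list of permitted ids and the choice to bind the same identifier to both comparisons are assumptions made for the illustration.

```python
import sqlite3

# Both statements are copied verbatim from the advisory. SQLite accepts
# MySQL-style backtick identifiers, so they run unchanged.
INTENDED = ("select * from `servers` where (`uuidShort` = ? or `uuid` = ?) "
            "and `id` in (?, ?, ?) and `servers`.`deleted_at` is null limit 1")
AS_BUILT = ("select * from `servers` where (`uuidShort` = ? or `uuid` = ? "
            "and `id` in (?, ?, ?)) and `servers`.`deleted_at` is null limit 1")

# Constructed sample rows: (id, uuidShort, uuid, deleted_at).
ROWS = [
    (1, "aaaa1111", "aaaa1111-0000-4000-8000-000000000001", None),
    (2, "bbbb2222", "bbbb2222-0000-4000-8000-000000000002", None),
    (3, "cccc3333", "cccc3333-0000-4000-8000-000000000003", None),
    (9, "dddd9999", "dddd9999-0000-4000-8000-000000000009", None),  # another user's
]
ALLOWED_IDS = (1, 2, 3)  # ids the requesting user may access (assumption)


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table servers (id integer primary key, "
               "uuidShort text, uuid text, deleted_at text)")
    db.executemany("insert into servers values (?, ?, ?, ?)", ROWS)
    return db


def lookup(db, sql, identifier, allowed_ids=ALLOWED_IDS):
    """Run one of the advisory's statements; return the matched id or None."""
    # The same identifier is bound to both uuidShort and uuid (assumption).
    row = db.execute(sql, (identifier, identifier, *allowed_ids)).fetchone()
    return row[0] if row else None


def compare(identifier):
    """Return (intended_result, as_built_result) for one identifier."""
    db = make_db()
    return lookup(db, INTENDED, identifier), lookup(db, AS_BUILT, identifier)


if __name__ == "__main__":
    for ident in ("aaaa1111", "dddd9999", ROWS[3][2]):
        print(ident, compare(ident))
```

AND binds tighter than OR, so in the statement as built the id filter stays attached to the uuid comparison only, and a uuidShort match returns the row without it.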
It is important to note that this vulnerability did not disclose any sensitive information to users who did not already have permission to access the server. Unapproved users were able to view the console overview page and see the server name, however due to our additional layers of application security they were not authenticated against the daemon, and were therefore unable to see the console, send commands, or otherwise control the server or daemon. Additional permission layers in the panel prevented users from being able to access any other server-specific pages.
We have addressed this vulnerability as of 4a320c2 [3] in our mainline release branch and 0d61417 [4] in our new-feature branch which will be merged into the development branch.
This notice was posted as part of our continued commitment to our product's security. Please do not hesitate to get in contact with us via Discord or email ([email protected]) if you should have any comments, questions, or concerns about the content of this notification.
[1] - https://github.com/Pterodactyl/Panel/commit/125856d92f02f7cc2182d058fe3173b488111d31
[3] - https://github.com/Pterodactyl/Panel/commit/4a320c29a8d7ab8874b34e92c11925f0bac7687a
[4] - https://github.com/Pterodactyl/Panel/commit/0d61417814db55d840f6b04aeee4c604bbeb991a
307174597cca7e0b3527c1916cfcdc058449e1d9867fed0a54e778dc4430366b Panel-0.5.7.tar.gz
Published by DaneEveritt almost 8 years ago
et, Dutch nl, Norwegian nb (partial), Romanian ro, and Russian ru. Interested in helping us translate the panel into more languages, or improving existing translations? Contact us on Discord and let us know.
strings.password to language file for English.
0 would cause the panel to reject the value thinking it did not exist.
7d3d121c9bd4d45536294e3237e51212bc04814be72d9f30e344af4e00431a87 Panel-0.5.6.tar.gz
Published by DaneEveritt almost 8 years ago
96ea9b5e0d0b4cb73305c4c28924d2663d3f6a2f91d08b292a1c522d0d81bfcf Panel-0.5.5.tar.gz
Published by DaneEveritt almost 8 years ago
b2c390786583db97ede7f1ffaa765026bd9e9d54b01e92bf246356030ff3ee89 Panel-0.5.4.tar.gz
Published by DaneEveritt almost 8 years ago
6dfb2cbc95b17afc0d8f366cefd62140b09bc6ade79a066c6e1b25fb4f141628 Panel-0.5.3.tar.gz
Published by DaneEveritt almost 8 years ago
#e# formatting within it when it comes to creating databases.
node:<name> when filtering servers now properly filters the servers by node name, rather than looking for the node ID.
owner:<email> when filtering servers now properly filters by the owner's email rather than ID.
Pterodactyl Panel as the company name if one is not set.
10g and have it converted to MB automatically.
0a9e93ec8c93d361a510bce836caa3d1c89d75a02f654d077fd6438fb94f464e Panel-0.5.2.tar.gz
Published by DaneEveritt almost 8 years ago
This bug was reported to us by a user (@Ferry#1704) on Discord on
Monday, November 7th, 2016.
It was disclosed that it was possible to bypass the 2FA checkpoint by
clicking outside of the modal which would prompt the modal to close,
but not submit the form. The user could then press the login button
which would trigger an error. Due to this error being triggered the
authentication attempt was not cancelled. On the next page load the
application recognized the user as logged in and continued on to the
panel.
At no time was it possible to login without using the correct email
address and password.
As a result of this bug we have re-factored the Authentication code for
logins to address the persistent session. Previously accounts were
manually logged back out on 2FA failure. However, as this bug
demonstrated, causing a fatal error in the code would prevent the
logout code from firing, thus preserving their session state.
This commit modifies the code to use a non-persistent login to handle
2FA checking. In order for the session to be saved the application must
complete all portions of the login without any errors, at which point
the user is persistently authenticated using Auth::login().
This resolves the ability to cause an exception and bypass 2FA
verification.
We would like to thank Ferry for the responsible and timely disclosure of this security bug. If you believe you have found such a bug, please do not hesitate to get in contact with us on Discord, or by emailing us [email protected].
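The ordering problem described in the commit message above, modelled as an added example that is not code from the Pterodactyl project: the old flow persists the session before the 2FA check and relies on a manual logout, the new flow persists only after every step has succeeded. The Session class, the account data and the KeyError standing in for the fatal error are assumptions made for the illustration.

```python
class Session:
    """Stand-in for server-side session state that survives between requests."""
    def __init__(self):
        self.user = None


# Constructed account; plaintext comparison keeps the sketch short.
ACCOUNT = {"email": "admin@example.com", "password": "correct horse", "totp": "123456"}


def password_ok(email, password):
    return email == ACCOUNT["email"] and password == ACCOUNT["password"]


def totp_ok(form):
    # Raises KeyError when the token field was never submitted, standing in
    # for the error triggered after the 2FA modal was dismissed.
    return form["totp"] == ACCOUNT["totp"]


def legacy_login(session, email, password, form):
    if not password_ok(email, password):
        return False
    session.user = email        # persisted before 2FA is verified
    if not totp_ok(form):       # an exception here skips the logout below
        session.user = None     # manual logout on 2FA failure
        return False
    return True


def fixed_login(session, email, password, form):
    if not password_ok(email, password):
        return False
    if not totp_ok(form):       # nothing has been persisted yet
        return False
    session.user = email        # persisted only after every step succeeded
    return True


def attempt(flow, form, password="correct horse"):
    """Run one login request; return the user the next page load would see."""
    session = Session()
    try:
        flow(session, ACCOUNT["email"], password, form)
    except KeyError:
        pass  # the request ends in an error page, the session is kept as-is
    return session.user
```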
162e6bf9097aecceacf734b6d6cc5fc8b0dfd034d2fcdc4b3441373ae2f11e8a Panel-0.5.1.tar.gz
Published by DaneEveritt almost 8 years ago
After nearly a month in the works, version v0.5.0 is finally here! 🎉
/api/me/*.
user_id when using the API to create users.
?daemon=true flag to /api/servers/:id will return the daemon stats as well as the daemon_token if using HTTPS.
auto_deploy=true to the API to auto-select a node and allocation given a location.
composer.json file to prevent users installing slightly different versions with different features or bugs.
HTTP/1.1 200 and a JSON element with the user/server/node's ID.
Server::getbyUUID() now accepts either the uuidShort or full-length uuid for server identification.
servers:) have been changed to return a single array of all associated items. Please see the updated documentation for how this change might affect your API use.
/api/users/:id now includes an array of all servers the user is set as the owner of.
Server\AjaxController@postSetConnection is now Server\AjaxController@postSetPrimary and accepts one post parameter of allocation rather than a combined ip:port value.
1.5.0 to match the latest release. Correlates with setting hard dependencies in the Daemon.
e00eca847bcccbb538bf6d63416c0a383cb98f140822c0276c37c689ac32458d Panel-0.5.0.tar.gz
Published by DaneEveritt almost 8 years ago
This is the second release candidate for [email protected] and is considered to be feature complete. No new features will be added to the 0.5.0 line. This release is focused on finding and fixing any remaining bugs in the system. If there are few or no bugs we will continue on to an official production-ready release.
This release requires [email protected].
Users successfully running RC.1 need not update at this time as the upgrades affect only migration code.
Published by DaneEveritt almost 8 years ago
This is the first release candidate for [email protected] and is considered to be feature complete. No new features will be added to the 0.5.0 line. This release is focused on finding and fixing any remaining bugs in the system. If there are few or no bugs we will continue on to an official production-ready release.
This release requires [email protected].
BUNGE_VERSION -> BUNGEE_VERSION).
composer.json file to prevent users installing slightly different versions with different features or bugs.
Published by DaneEveritt about 8 years ago
This is still a highly unstable version of Pterodactyl Panel. Normal users should continue to use v0.4.1 until a stable v0.5.0 release is out. This release is primarily for beta testers to play with new features and report bugs.
This release requires [email protected].
/api/nodes/{id}/config endpoint. Only accepts SSL connections.
/api/me/*.
HTTP/1.1 200 and a JSON element with the user/server/node's ID.
Server::getbyUUID() now accepts either the uuidShort or full-length uuid for server identification.
Published by DaneEveritt about 8 years ago
This is still a highly unstable version of Pterodactyl Panel. Normal users should continue to use v0.4.1 until a stable v0.5.0 release is out. This release is primarily for beta testers to play with new features and report bugs.
This release requires [email protected].
user_id when using the API to create users.
?daemon=true flag to /api/servers/:id will return the daemon stats as well as the daemon_token if using HTTPS.
getJavascript() route for servers.
servers:) have been changed to return a single array of all associated items. Please see the updated documentation for how this change might affect your API use.
/api/users/:id now includes an array of all servers the user is set as the owner of.
ModelNotFoundException if the location passed was not valid. Not normally an issue in the panel, but caused display issues for the API.
1.5.0 to match the latest release. Correlates with setting hard dependencies in the Daemon.
Published by DaneEveritt about 8 years ago
This is still a highly unstable version of Pterodactyl Panel. Normal users should continue to use v0.4.1 until a stable v0.5.0 release is out. This release is primarily for beta testers to play with new features and report bugs.
This release requires [email protected].
auto_deploy=true to the API to auto-select a node and allocation given a location.
Server\AjaxController@postSetConnection is now Server\AjaxController@postSetPrimary and accepts one post parameter of allocation rather than a combined ip:port value.
Published by DaneEveritt about 8 years ago
0
883f3f69cf9a68d36b43b8d3d3dcacd5f5551be18c033edf40b381c4c6d85171 Panel-0.4.1-beta.tar.gz
Published by DaneEveritt about 8 years ago
This release requires Daemon v0.2.0!
start or boot to start your server rather than having to use the start button.
5.3 and update dependencies.
1ddfe9c4be2b166747b63ae30a1e402b14d0c7d5529e13b2c6757757bb2b74af Panel-0.4.0-beta.tar.gz
Published by DaneEveritt over 8 years ago
This release addresses a few underlying bugs in the panel and adds support for service management through the panel.