In a nutshell: at least no backdoor exists in the open-source version. However, none of the server-side Cloudflare partner panels, including CFPMP or Ze3kr's panel, is safe, because the danger is man-made: it comes from whoever deploys the panel. Further, only offline panels, which could be hosted on GitHub Pages (though none exists yet), are safe.  

 

TL;DR


Recently, I purchased a Cloudflare partner API account and tried to find a panel to deploy my service more conveniently. When I tried to deploy Ze3kr's cf panel, my friend told me that panel has a backdoor and sent me the link to CloudHammer's post.    

The original and translated text of CloudHammer's post published in Telegram

In the post, CloudHammer plainly accused Ze3kr's panel of having a backdoor, which was supposedly responsible for websites being marked as "phishing websites." CloudHammer then recommended using CFPMP instead.  

 
First, I searched Google for news about a backdoor in Ze3kr's panel. Unexpectedly, there was no information other than CloudHammer's accusation post.  

Google search results in Mandarin, English

Personally, I don't think Ze3kr's program is so obscure that there would be no information about it. Yet little (or even no) evidence can be found via a search engine. So I started to doubt whether the accusation is true. Meanwhile, I also wanted to find out how CFPMP is supposedly safer than Ze3kr's panel.  

 
(P.S. I will talk about the scandal of Ze3kr's official instance later.)  

 

Trying to find out how both Ze3kr's panel and CFPMP work and how Ze3kr could have inserted backdoor code, I looked for database-related code and any remote server IP/address. I spent an hour but could find neither in Ze3kr's code. Then I deployed both of them on my server, and the result was beyond my expectations.  
Both Ze3kr's panel and CFPMP use cookies to identify clients. However, Ze3kr's panel stores the user's Cloudflare account in the user's browser via cookies in plain text, while CFPMP stores it in server storage via PHP session files in plain text.  

 

It can be easily checked: if you deploy CFPMP and send a request after entering your Cloudflare username/password, the server returns a "PHPSESSID" cookie as your identifier. You cannot find any of your Cloudflare information in the browser after that, but everything still works: the server has already stored your account info and sends the requests to Cloudflare on your behalf whenever you ask the program to do something. Meanwhile, Ze3kr's panel stores the account info in cookies; only when you send requests to the panel with the Cloudflare account info included can the panel handle them correctly.  

Cookies on Client's browser

N.B. Although you can also find a "PHPSESSID" cookie when using Ze3kr's panel, the panel still works after you delete that value, because the program does not rely on PHP session files. The program will not generate a new "PHPSESSID" value unless you log out (or delete all cookies).  

 

Compared to CFPMP, Ze3kr's panel (referring to the open-source one) does not intentionally store account info, but CFPMP does. I cannot understand why CloudHammer said CFPMP is safer and recommended it; I am afraid I cannot agree.  

 

So, is Ze3kr's panel safe if someone else deploys it?  

 

The reason I say "someone else" is the scandal of Ze3kr's official instance. In brief, it is gossip that someone found his official instance storing API information and using it for illegal purposes. Again, I cannot find any related information via a search engine, so I can only consider it a rumor. It is important nonetheless, which is why I mention it here.  

Nevertheless, it does not hamper the discussion. To conclude: because this is a server-side program, you cannot trust any panel unless you deployed it yourself.  

 

Not only Ze3kr's panel or CFPMP, but nearly all PHP-based programs, indeed all server-side programs, cannot be trusted. Apart from the deployer modifying the code themselves, the web server, such as Nginx, can also record your account info in its log.
As mentioned earlier, Ze3kr's panel stores the account info in the user's cookies. But any deployer, including any CDN provider in front of the panel, can record this on purpose via the web server software, such as Nginx. Ze3kr may be doing this recording on his official instance, but what about others?  

Here is a simple example. If you modify the log format in the Nginx configuration file like this:

log_format  main  '"$request" $status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_cookie"';

You will get a result like this:

"GET /changes/ HTTP/2.0" 200 2668 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "PHPSESSID=some_php_session; tlo_cached_main=1; cloudflare_email=some%40email.com; user_key=random_user_key; user_api_key=random_api_key"

I have redacted my sensitive information, but it is enough to understand the point.  
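As an added defensive check (not code from the post or from either panel), the script below reads access-log lines written in the log_format above, reports which lines captured the panel's credential cookies, and redacts them. The cookie names come from the log line in the post; the sample lines are constructed and contain no real credentials.

```python
import re
from urllib.parse import unquote

# Cookie names from the post's log line: Ze3kr's panel keeps the Cloudflare login in cookies; PHPSESSID is the session id CFPMP relies on.
SENSITIVE_COOKIES = {"cloudflare_email", "user_key", "user_api_key", "PHPSESSID"}
# The trailing quoted "$http_cookie" field of the log_format shown above.
_COOKIE_FIELD = re.compile(r'"([^"]*)"\s*$')

def parse_cookie_field(line):
    """Return the cookie string of a log line, or None if it is absent or '-'."""
    m = _COOKIE_FIELD.search(line)
    return None if not m or m.group(1) == "-" else m.group(1)

def find_leaked_credentials(line):
    """Map each sensitive cookie present in the line to its URL-decoded value."""
    cookies = parse_cookie_field(line)
    found = {}
    for part in (cookies or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name in SENSITIVE_COOKIES:
            found[name] = unquote(value)
    return found

def redact_line(line):
    """Replace sensitive cookie values with [REDACTED]; other fields stay intact."""
    cookies = parse_cookie_field(line)
    if cookies is None:
        return line
    kept = []
    for part in cookies.split(";"):
        name, sep, _ = part.strip().partition("=")
        kept.append(f"{name}=[REDACTED]" if sep and name in SENSITIVE_COOKIES else part.strip())
    return line[: line.rfind('"' + cookies + '"')] + '"' + "; ".join(kept) + '"'

def audit_log(lines):
    """Return (line_number, sorted leaked cookie names) for every leaking line."""
    hits = []
    for n, line in enumerate(lines, 1):
        leaked = find_leaked_credentials(line)
        if leaked:
            hits.append((n, sorted(leaked)))
    return hits

# Constructed sample lines in the post's log_format (no real credentials).
SAMPLE_LOG = [
    '"GET /changes/ HTTP/2.0" 200 2668 "-" "Mozilla/5.0" "PHPSESSID=abc123; '
    'tlo_cached_main=1; cloudflare_email=user%40example.com; user_key=k1; user_api_key=apikey"',
    '"GET /static/app.js HTTP/2.0" 200 512 "-" "Mozilla/5.0" "-"',
    '"POST /login HTTP/2.0" 302 0 "-" "Mozilla/5.0" "tlo_cached_main=1"',
]
```

Running `audit_log` over a real access log tells you whether the server has been persisting panel credentials, and `redact_line` is what a log rewriter would apply before the lines are shipped anywhere.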

 

CloudHammer's conclusion is wrong. If the point is that using Ze3kr's panel is not safe, they should not recommend other panels but offline programs. We should focus on the person who deploys the program and the service he is using, not on the program itself (or on an offline-version panel that we could use). What is more, CFPMP has a more severe problem: it stores the data in PHP session files on purpose.  

 

Here is an example: if you are using the panel deployed by the CF partner account provider himself, you can trust him most of the time. The reason is simple: your account is provided by him, and he wants to make money from you. You can decide what to do based on the situation.  

 

In the end: if a backdoor does exist in Ze3kr's open-source version, or if there is anything wrong in what I said about CFPMP, please tell me on Twitter. I will update or revise my post. But for now, I cannot find any evidence of the backdoor, nor any reason why CFPMP would be safer.

I have no relationship with Ze3kr, Netrvin, or CloudHammer.