It may work as it is, but I identified multiple potential security issues (around 11 total found), and I do not recommend it, except in a testing environment, unless fixed. However, I am not making any accusations. The extension does not clearly state whether it is secure or not, but it does claim that “the code includes both fallback mechanisms and security features”, which naturally gives buyers a level of trust and expectation regarding its safety.
The SSO secret key gets exposed in plain URL query strings (visible in logs, browser history, proxies). Also, redirect URLs from the panel are never validated, meaning a compromised panel could redirect your users anywhere. Anyone who can see server logs, network traffic, or even your browser history can steal that key and log in as any user on your panel.
The extension blindly trusts whatever URL the panel tells it to redirect to. If someone hacks your panel, they can make the "Manage Server" button send your customers to a fake/phishing website instead.
If the panel returns a webpage instead of proper data, the extension tries to extract a redirect link from the raw HTML. This is dangerous because it trusts whatever the panel says without checking it.
If a customer can set a custom server name, that name goes straight to Pterodactyl with zero filtering. This could allow someone to inject malicious content that appears in your panel dashboard.
When a server is created, egg variables (like DATABASE_PASSWORD, ADMIN_PASSWORD) can be overridden by whatever is in the order settings, meaning a clever customer could potentially manipulate sensitive server configuration values at order time.
The extension never explicitly requires a valid SSL certificate when talking to your panel. If someone intercepts traffic between Paymenter and Pterodactyl (man-in-the-middle attack), they could read or modify API calls including your admin API key.
If someone enters -1, 0, or a non-number as a port in the port array, it goes straight to the API without any check. This could cause unexpected behavior or be exploited to mess with port allocation.
The extension writes user IDs, panel URLs, and full error stack traces to your log files. If anyone gains read access to your logs (a hacker, a disgruntled employee), they get a detailed map of your infrastructure.
Server ID guessing: the error messages behave differently depending on whether a server exists or not. A bad actor could loop through IDs and figure out exactly which service IDs have active servers on your panel.
The CPU pinning field (e.g. 0,2-4) is validated on the settings form, but when actually creating the server that value is used without being checked again. Someone bypassing the form could send garbage values directly to the API.
If two server creation requests for the same order fire at the same time (e.g. a double-click or a billing glitch), both could try to create the same server simultaneously and cause errors or duplicate entries.
Some issues are caught by the Pterodactyl panel directly; however, Pterodactyl does NOT guarantee it will stay like that forever, and the code may change at any time.
Overall, the SSO implementation is particularly concerning: transmitting secrets via GET parameters is a basic security mistake that exposes credentials to anyone with access to server logs or network traffic.
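As an added example that is not part of the review or of the extension's code, here is what input validation for several of the points above could look like in PHP (the extension's language): redirect targets pinned to the configured panel host, port and CPU-pinning values re-checked right before the API call, and order settings allowed to override only egg variables the egg marks as user-editable. Function names are hypothetical; the egg variable keys (env_variable, default_value, user_editable) follow Pterodactyl's egg variable objects.

```php
<?php
// Added example, not the extension's code: checks for issues raised in the review.
// Assumes $panelUrl is the configured panel base URL; function names are hypothetical.

// Redirect targets must be HTTPS and on the configured panel host (no open redirect).
function isSafeRedirect(string $panelUrl, string $target): bool
{
    $panel = parse_url($panelUrl);
    $t = parse_url($target);
    if ($panel === false || $t === false || !isset($t['scheme'], $t['host'])) {
        return false; // relative URLs, "//host" and "javascript:" all fail here
    }
    return strtolower($t['scheme']) === 'https'
        && strtolower($t['host']) === strtolower($panel['host'] ?? '')
        && ($t['port'] ?? 443) === ($panel['port'] ?? 443);
}

// Ports must be integers in 1..65535; rejects -1, 0, floats and non-numeric strings.
function validPorts(array $ports): bool
{
    $range = ['options' => ['min_range' => 1, 'max_range' => 65535]];
    foreach ($ports as $p) {
        if (filter_var($p, FILTER_VALIDATE_INT, $range) === false) {
            return false;
        }
    }
    return $ports !== [];
}

// CPU pinning such as "0,2-4": re-validate at creation time, not only on the settings form.
function validCpuPinning(string $pin): bool
{
    return preg_match('/^\d{1,3}(-\d{1,3})?(,\d{1,3}(-\d{1,3})?)*$/', $pin) === 1;
}

// Egg variables: order settings may override only variables the egg marks user_editable,
// so DATABASE_PASSWORD-style values keep their defaults unless the egg allows editing.
function mergeEggVariables(array $eggVars, array $orderSettings): array
{
    $out = [];
    foreach ($eggVars as $var) {
        $key = $var['env_variable'];
        $editable = !empty($var['user_editable']) && isset($orderSettings[$key]);
        $out[$key] = $editable ? (string) $orderSettings[$key] : $var['default_value'];
    }
    return $out;
}
```

Each of these runs on the server side immediately before the Pterodactyl API call, so bypassing the settings form does not bypass the check.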