View Full Version : Security warning: cPanel & pass reset feature [merged]
Just saw this posted at cPanel and SecurityFocus Bugtraq. It's pretty serious, so fix your servers up ASAP:
Problem:
<removed 'sploit>
Fix:
http://www.hostinglife.com/cpinfo/cpanelvuln.php
OpenSource 03-11-2004, 05:15 PM Hi !
When I checked the SecurityFocus mailing list as usual, I saw a mail saying there is a problem in cPanel. I clicked on it and saw this:
<removed 'sploit>
see this topic
http://forums.cpanel.net/showthread.php?s=&threadid=21456
Well, I think the guy who found this bug is from Saudi Arabia, but that doesn't matter.
The important thing is: if anyone knows anything that can help us, please post it.
OpenSource
http://forums.cpanel.net/showthread.php?s=&threadid=21456
hostuknet 03-11-2004, 05:21 PM Can you post http://forums.cpanel.net/showthread...;threadid=21456 in here so we can see it? People cannot view it to help you without registering. Thanks.
Hello all,
A new exploit has been found in cPanel 8.*.*
Impact: Dangerous; can allow any person to run commands as root
Fix: Working on one
Affects:
All versions of cPanel with the Reset Password feature
<removed>
Thanks
Paul Fleming
AH-Tina 03-11-2004, 05:36 PM As reported @ cpanel.net:
http://forums.cpanel.net/showthread.php?s=&threadid=21456&
macdonaldp 03-11-2004, 05:36 PM Yeah definitely a problem. Especially since that reboot function works.
FIX: Disable under Tweak Settings
sasha 03-11-2004, 05:44 PM Please remove exploit code.
Wish I could, can't edit my post now.
OpenSource 03-11-2004, 05:46 PM sorry can't do that the topic has been removed :(
thedavid 03-11-2004, 05:48 PM The topic indeed has been removed - likely because rather than notifying cPanel it was just posted to their forums, thus opening everyone's cPanel servers up to compromise. The original poster should have just reported it and given cPanel a chance to fix it.
However, it's out now... Make sure you disable that reset password functionality in tweak settings if you have it currently on, folks.
ServerPlace4NET 03-11-2004, 05:49 PM I know this will cause a MAJOR problem for a lot of hosting companies.
thedavid 03-11-2004, 05:50 PM Threads merged.
Giaguara 03-11-2004, 05:55 PM cpanel 8 of what, just vbulletin?
Originally posted by Giaguara
cpanel 8 of what, just vbulletin?
Cpanel, The web hosting control panel
Acroplex 03-11-2004, 06:02 PM Originally posted by PaulTech
FIX: Disable under Tweak Settings
Where exactly is "Tweak Settings" ?
Originally posted by timechange.com
Where exactly is "Tweak Settings" ?
Under WHM/Web hosting manager
Acroplex 03-11-2004, 06:06 PM So that can be changed only by those with access to WHM? The basic CPanel does not give access to WHM by default.
Reported for example to be removed
* edit - lol i know the mods are quick, but never had a 15 second response before, super Dennis :stickout:
SoftWareRevue 03-11-2004, 06:10 PM When you log into WHM, you're greeted with: Security A Security hole has been discovered in the password reset feature, you should disable it here (http://Server_IP/scripts2/tweaksettings) until a proper fix can be arranged.
Acroplex 03-11-2004, 06:11 PM Also the example does not necessarily work, as the path in question is password-protected. In theory, the only one that can use the exploit is the admin/reseller.
It's not a protected path
dan_erat 03-11-2004, 06:13 PM Heh, input validation is overrated. :)
I think that "chmod 000 /usr/local/cpanel/base/resetpass.cgi" should work around this.
Acroplex 03-11-2004, 06:14 PM It is on my box.
thedavid 03-11-2004, 06:14 PM Indeed - making it non-executable and toggling the change password feature should fix it.
Also, yanked the links to the exploit till cpanel gets this resolved, at least.
It can't be lol, the whole idea is it allows you to reset the pass if it's forgotten or lost.
I guess this applies to 9.0 also? nothing on the cPanel forums.
That link is no longer valid :(
thedavid 03-11-2004, 06:19 PM It was removed from the cpanel forums (http://www.webhostingtalk.com/showthread.php?s=&threadid=246788)
Crazy stuff. Glad I had it turned off on all but one box (one that I just got and was setting up)
BigGorilla 03-11-2004, 06:25 PM Do yourself a favor for now if you run cPanel:
chmod 000 /usr/local/cpanel/base/resetpass.cgi
Plus whatever you need to do to make sure it doesn't get set back (chattr it or whatever until you know cPanel has a fix). Trust me... it's a good idea until they patch it.
From what I understand, cPanel takes out the / and spaces from the command, so a hacker can't even run anything worthwhile without either of those.
macdonaldp 03-11-2004, 06:33 PM Can restart the server. I think that's cause enough to disable the feature till it's fixed.
thedavid 03-11-2004, 07:07 PM Looks like edge and current have the update now:
If you are using EDGE or CURRENT, you can update to a new build which has a proper fix by clicking here. If you are running STABLE or RELEASE, you can also use this option to disable the password reset function.
Might be a good idea to update if you intend to use this :)
Steven 03-11-2004, 07:48 PM Originally posted by dan_erat
Heh, input validation is overrated. :)
I think that "chmod 000 /usr/local/cpanel/base/resetpass.cgi" should work around this.
also do this
chattr +i /usr/local/cpanel/base/resetpass.cgi
cpanel might also try to restore the permissions
GeorgeC 03-11-2004, 08:26 PM Hmmm I just tried the "update cpanel" option ("If you are using EDGE or CURRENT, you can update to a new build..."), though the update stalls at 20%. Anyone know if I should just retry a few times, or what should I do?
Thanks,
thedavid 03-11-2004, 08:28 PM Give it some time, disable the feature in the meantime, and have it go again later. The update servers are likely getting slammed right now.
FWIW, I updated a buncha boxes earlier when the update was released, no issues then... So it works, just likely swamped.
GeorgeC 03-11-2004, 08:29 PM Thanks David, though I don't see the option to disable "reset password" in the "tweak settings" page. There is no check box for this, at least not clearly marked.
GeorgeC 03-11-2004, 08:31 PM Nevermind, found it. It isn't checked by default for me, so no biggie. Thanks.
thedavid 03-11-2004, 08:31 PM If you have a version that has the feature in question, it should be listed as 'Allow cPanel users to reset their password via email' in 'Tweak Settings'. I don't know if that feature has made it to 'Stable' yet.
'Overquotingly yours',
-David
Originally posted by thedavid
If you have a version that has the feature in question, it should be listed as 'Allow cPanel users to reset their password via email' in 'Tweak Settings'. I don't know if that feature has made it to 'Stable' yet.
'Overquotingly yours',
-David
It is in the latest stable release.
New post to Bugtraq:
cPanel Security Advisory - CPANEL-2004:01-01
---------------------------------------------
Date: Thu Mar 11 2004
---------------------------------------------
---------------------------------------------
Summary:
---------------------------------------------
Due to a recently discovered bug, it will be necessary for users
following the STABLE and RELEASE branches to disable the feature that
allows users to reset their password. For those following the EDGE and
CURRENT branches, the latest updates have been fixed. A review of the
RELEASE tree is still pending, and fixed RELEASE builds may be available
in the next 48 hours as well.
---------------------------------------------
Description:
---------------------------------------------
The feature "Allow cPanel users to reset their password via email",
found in WebHostManager in the "Tweak Settings" section allows for a
cpanel user to run some commands as the root user.
This hole is built in to all compiled cpanel binaries and as such can
not be "patched".
For users of STABLE and RELEASE branches it is strongly suggested that
you disable this feature.
For users of the EDGE and CURRENT branches, the latest builds have been
updated and compiled without this bug.
---------------------------------------------
References:
---------------------------------------------
http://www.securityfocus.com/archive/1/357064/2004-03-08/2004-03-14/0
---------------------------------------------
Affected Systems:
---------------------------------------------
All builds on all platforms are vulnerable up to and including (9.1.0
build 34), all builds after that have been fixed.
---------------------------------------------
Fix Details:
---------------------------------------------
For STABLE and RELEASE users, to remove this feature from user's
cPanels, log into WebHostManager as root, open the "Tweak Settings"
page, and uncheck the box next to "Allow cPanel users to reset their
password via email" and save the change.
For EDGE and CURRENT users, update cPanel. The suggested method is to do
the following as root from the shell.
# /scripts/upcp
You can also do this from inside WebHostManager.
This should update the cPanel and WHM package to the latest version
available where this hole does not exist.
---------------------------------------------
If you find there is still a problem with this after updating to the
versions mentioned above, please file a support ticket with the cPanel
Technical Support team at http://support.cpanel.net/.
BitError 03-11-2004, 08:44 PM People really need to realize the impact of this, I'm really surprised it hasn't picked up momentum yet as far as the attention received on here.
Patch your servers people, IDS systems are already detecting attempted violations on patched systems. People ARE netblock scanning for this exploit.
I would fear the largest fallout from larger unmanaged providers like EV1, ServerMatrix, and Nocster.
daveman 03-11-2004, 09:17 PM If you login to WHM it will now display a message telling you how to deal with this problem.
The worst possible outcome is a reboot as far as I know.... not to say that's not bad, but it could be much worse
daejuanj 03-11-2004, 09:31 PM Originally posted by MaB
the worst possible outcome is a reboot as far as I know.... not to say that's not bad, but it could be much worse
Yeah, but that's only from what they heard of. And let's hope that's as far as it goes.
Andrew 03-11-2004, 10:48 PM From what I'm seeing, you can do quite a bit more than reboot the box with this thing. This is gonna be a bad one for a lot of people.
Thankfully, we didn't enable that feature on any client machines, as it just felt wrong to me in the first place.
Acroplex 03-11-2004, 10:56 PM Originally posted by Andrew
Thankfully, we didn't enable that feature on any client machines, as it just felt wrong to me in the first place.
Great foresight there Drew :D I'm glad I got the user/pass pop up window instead.
Andrew 03-11-2004, 11:02 PM Yep, good ole 'access denied' is what we all should see if someone doesn't remember their password. Anything else is just ASKING to be screwed with.
BaddaBing 03-11-2004, 11:16 PM Originally posted by Andrew
From what I'm seeing, you can do quite a bit more than reboot the box with this thing. This is gonna be a bad one for a lot of people.
Thankfully, we didn't enable that feature on any client machines, as it just felt wrong to me in the first place.
Did the same thing here when I saw the new feature. I thought it was too risky and I didn't want to mess with it.
4Hosted 03-12-2004, 12:43 AM Hi All,
Just a post to inform that a Security issue has been discovered within Cpanel within the last hour or so Edge/Current and if you sign in to your WHM you should be able to review this information.
It is Recommended that you upgrade WHM/Cpanel to the latest version :D
Hope this helps guys.
SoftWareRevue 03-12-2004, 12:51 AM Originally posted by 4Hosted
Hi All,
Just a post to inform that a Security issue has been discovered within Cpanel within the last hour or so . . . Or several hours ago. :)
MattF 03-12-2004, 04:36 AM I guess they're too busy to review security when they're working hard to release "cPanel Pro" - image resizer and a few other php/perl script.
Why don't they listen to what people want! Time and time again people ask for better bug testing and Q&A; instead we get a laughable "Cpanel Pro".
ToddW 03-12-2004, 07:10 AM Originally posted by MattF
I guess they're too busy to review security when they're working hard to release "cPanel Pro" - image resizer and a few other php/perl script.
Why don't they listen to what people want! Time and time again people ask for better bug testing and Q&A; instead we get a laughable "Cpanel Pro".
Marketing hype. :eek:
chrisS 03-12-2004, 09:35 AM That's why the best management is hand management. Time and time again I heard "I'm running a WHM because I don't know much about Linux/Unix".
These people should NOT use 3rd party software because they rely on it. People see hosting as quick money: "I can put a server together and manage it from a web GUI and make money."
These people are helping hackers and spammers. Their machines get hijacked and now we have more headaches on the web.
Cure. Delete these damn control panels, break out the unix shell book and learn. ;)
Acroplex 03-12-2004, 10:15 AM "Control panels" are not only useful to sysadmins; some features save time - but also to the clients. Unless you want to give them full shell access to do the same things the hard way.
chrisS 03-12-2004, 10:39 AM I would rather take the extra 30 seconds to type "passwd" than risk my server getting hijacked.
I've been hosting for 4 years now and my customers are just happy with my service. They understand the extra security I take to ensure their sites are safe and up.
That means more to a lot of people than making things "Easy and Unsecure".
I am also a Unix engineer for a Telecom / Datacenter and all of our Unix machines are managed by us; seems those customers don't have a problem either.
I guess it's all in the customer, and if they're paying $5 a month ****, give them a control panel; if they get hacked, hell, you get what you pay for.
Andrew 03-12-2004, 11:07 AM So you're afraid to run software on your box because your box isn't secure enough? What's your point here?
The problem isn't the control panels. It's the low cash barrier to enter this business and the low bucks for dedicated servers. That's giving us a whole lot of 'admins' who don't know crap about how to do anything that WHM doesn't do for them.
If you want to complain about that, fine, but don't give us this line of BS that all control panels are evil because you don't use them.
Acroplex 03-12-2004, 11:19 AM Back in 1997 there were probably one or two home-grown "control panels" available; to the end user like me it was indispensable to be able to perform functions such as see stats, edit SSI, password protect directories etc over the web. I'm not going to argue that doing that from the shell is impossible but it takes less time and effort via a well-thought UI.
chrisS 03-12-2004, 02:49 PM "So you're afraid to run software on your box because your box isn't secure enough?" No, I won't run them because they make your box unsecure.
In the last 5 mins, 5 more exploits were released for cPanel 8.** and 9.0.1.
Now what BS am I feeding you? It's a fact.
chrisS 03-12-2004, 02:54 PM Also Andrew, if you look at the cPanel code, there's loads of bad code.
Too many system("command", $value); and he's not declaring where $value comes from. Easy inject.
root@host [/scripts]# egrep 'system\(.+\$' * | wc -l
515
Once I'm finished with the PoCs I will contact the developer.
MattF 03-12-2004, 03:44 PM If VBulletin can have their code independently audited then surely cPanel can.
thedavid 03-12-2004, 03:46 PM Wow...
Cpanel is issuing an automated update to those servers with automated updates turned off:
http://forums.cpanel.net/showthread.php?s=&threadid=21533
That's crazy! I didn't even know the software had that capability...
chrisS 03-12-2004, 04:09 PM Matt, I think he needs an audit. There's tons of issues I see that maybe he just missed or he never revisited the code.
trustedurl.com 03-12-2004, 04:27 PM http://forums.cpanel.net/showthread.php?s=&threadid=21533&perpage=15&pagenumber=1
That's just ridiculous... it didn't even happen at the announced time! Just spent way too much time fixing cPanel boxes during the day.
And for all you techies out there. Check how they do the fix, a hint:
ps -ef|grep manual
or
ps -ef|grep cp
:angry:
hostuknet 03-12-2004, 04:33 PM I bet their servers are quite overloaded with all these connections.
trustedurl.com 03-12-2004, 04:35 PM Originally posted by hostuknet
I bet their servers are quite overloaded with all these connections.
can you reach cpanel.net?
dan_erat 03-12-2004, 04:37 PM I can't; I'm unable to ping 216.118.116.105 (web/DNS server) or 216.118.116.106 (their other DNS server).
$ telnet www.cpanel.net 80
(no response)
trustedurl.com 03-12-2004, 04:43 PM Isn't it funny how nobody actually used the exploit (yet), but cPanel effectively messed up several servers.
Hmm, what's worse?
:angry:
I'm sorry, but I just am so p.o. with cPanel right now. Manual = manual.
dan_erat 03-12-2004, 04:45 PM Heh, I guess I'm lucky that their site appears to have died before it got a chance to try to upgrade my servers.
thedavid 03-12-2004, 04:46 PM Originally posted by idologic_dh
Isn't it funny how nobody actually used the exploit (yet), but cPanel effectively messed up several servers.
Cpanelthemes was taken by it, from what kosmo said.
http://cpanelthemes.com/
trustedurl.com 03-12-2004, 04:47 PM All right, so it was used then :) Still, I was being sarcastic. I am really disappointed with the fact that an upgrade was run when I don't want anything automatically being run.
I had manually fixed the problem on most servers.
Ah, well :rolleyes:
thedavid 03-12-2004, 04:48 PM :D Not arguing with you.. I had the thing disabled to begin with, and when it came out just chmodded it and chattr +i'd it. I don't like the idea of remotely updating servers that have elected not to update automatically.
trustedurl.com 03-12-2004, 04:55 PM Originally posted by thedavid
:D Not arguing with you.. I had the thing disabled to begin with, and when it came out just chmodded it and chattr +i'd it. I don't like the idea of remotely updating servers that have elected not to update automatically.
yes and did you check how they did the update?.... hint.
PH-Peter 03-12-2004, 05:14 PM Doesn't the auto update seem dangerous? If cpanel.net is compromised, it means all cPanel servers will get compromised by getting auto-updated with bad packages. I didn't know they can auto update even if I set it to manual update. This hidden feature seems like trash to me.
thedavid 03-12-2004, 05:16 PM Originally posted by idologic_dh
yes and did you check how they did the update?.... hint.
Naw, been dealing with a lot of other issues today :) So long as cpanel's up and not compromised, I'm happy.
PM me the info about this 'auto-update' thing though if you would. It's kinda disconcerting...
trustedurl.com 03-12-2004, 05:17 PM Originally posted by thedavid
Naw, been dealing with a lot of other issues today :) So long as cpanel's up and not compromised, I'm happy.
PM me the info about this 'auto-update' thing though if you would. It's kinda disconcerting...
I'm still verifying some things and I've pm'd two people who I hope can check their systems. Just do the ps things and see what comes up.
thedavid 03-12-2004, 05:18 PM Nothing here - I updated very early in the AM though. So might not affect the ones that I admin...
amusive.com 03-12-2004, 05:19 PM I just manually updated... thankfully everything seems to be OK so far ;)
trustedurl.com 03-12-2004, 05:20 PM Originally posted by thedavid
Nothing here - I updated very early in the AM though. So might not affect the ones that I admin...
Yes, I can confirm that.
Andrew 03-12-2004, 05:36 PM The thing is...they used the exploit itself to deploy these updates:
root@zoidberg [/usr/local/cpanel/logs]# cat access_log |grep upcp
216.118.116.100 - [12/Mar/2004:11:56:44 -0500] "GET /resetpass/?user=|"`printf$
{IFS}"%bscripts%bmanualupcp"${IFS}"\\057"${IFS}"\\057"`"| HTTP/1.0" 200 0 "" ""
216.118.116.100 - [12/Mar/2004:11:56:46 -0500] "GET /login/?user=|%22%60/script
s/upcp%20manual%60%22| HTTP/1.0" 401 0 "" ""
216.118.116.100 - [12/Mar/2004:13:43:42 -0500] "GET /resetpass/?user=|"`printf$
{IFS}"%bscripts%bmanualupcp"${IFS}"\\057"${IFS}"\\057"`"| HTTP/1.0" 200 0 "" ""
216.118.116.100 - [12/Mar/2004:13:43:42 -0500] "GET /login/?user=|%22%60/script
s/upcp%20manual%60%22| HTTP/1.0" 401 0 "" ""
root@zoidberg [/usr/local/cpanel/logs]#
Actually, that's pretty cool, I think, but it does mean that nothing should have updated if you did, in fact, patch your box by chmodding resetpass to 000.
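An added example, not part of the thread and not cPanel's code: a log check for the request pattern shown in the access_log excerpt above. It flags any request to the two endpoints named in this thread whose user= value is not a plain account name. The sample lines are constructed, and the username policy and function names are assumptions.

```python
import re
import sys
from urllib.parse import unquote

# Endpoints named in the thread as accepting a "user" parameter.
WATCHED_PATHS = ("/resetpass", "/login")

# Assumption: legitimate account names are short and plain. Anything else
# (pipes, backticks, quotes, "$", spaces, ...) is reported.
VALID_USER = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# The request field is matched greedily because, as in the excerpt above,
# the logged request can itself contain raw double quotes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/\d\.\d" (?P<status>\d{3}) '
)


def extract_user(target):
    """Return the percent-decoded user= value for a watched path, else None."""
    path, sep, query = target.partition("?")
    if not sep or path.rstrip("/") not in WATCHED_PATHS:
        return None
    for param in query.split("&"):
        if param.startswith("user="):
            # Decode so that %60 / %22 / %7C forms are judged like raw ones.
            return unquote(param[len("user="):])
    return None


def scan(lines):
    """Return one finding per request whose user value fails the allowlist."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            continue
        user = extract_user(match["target"])
        if user is None or VALID_USER.match(user):
            continue
        findings.append({
            "line": number,
            "ip": match["ip"],
            "time": match["ts"],
            "status": int(match["status"]),
            "user": user,
        })
    return findings


# Constructed sample lines in the format of the excerpt above
# (documentation-range addresses, harmless `id` as the injected command).
SAMPLE_LOG = [
    '192.0.2.10 - [12/Mar/2004:11:50:01 -0500] "GET /resetpass/?user=alice HTTP/1.0" 200 0 "" ""',
    '198.51.100.7 - [12/Mar/2004:11:56:44 -0500] "GET /login/?user=|"`id`"| HTTP/1.0" 401 0 "" ""',
    '198.51.100.7 - [12/Mar/2004:11:56:46 -0500] "GET /resetpass/?user=|%22%60id%60%22| HTTP/1.0" 200 0 "" ""',
    '192.0.2.10 - [12/Mar/2004:12:01:13 -0500] "GET /frontend/x/index.html HTTP/1.0" 200 5120 "" ""',
    '203.0.113.5 - [12/Mar/2004:12:03:40 -0500] "GET /login/?user=bob&goto=mail HTTP/1.0" 401 0 "" ""',
]

if __name__ == "__main__":
    # With a path argument, scan that log file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            source = handle.read().splitlines()
    else:
        source = SAMPLE_LOG
    for hit in scan(source):
        print("line {line}: {ip} [{time}] status={status} user={user!r}".format(**hit))
```

Every source address it reports should be accounted for before assuming the box was only touched by the vendor's update.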
trustedurl.com 03-12-2004, 05:39 PM Originally posted by Andrew
Actually, that's pretty cool, I think, but it does mean that nothing should have updated if you did, in fact, patch your box by chmodding resetpass to 000.
Correct, not all boxes were hit... (now that I have my coffee I'm happier), but still enough to make me p.o.'d
The bottom line however is that they should not do this. I understand the thought behind it, but still, manual is manual.
Btw, I love futurama...
Andrew 03-12-2004, 05:43 PM But they just did you a huge favor, as by tonight there are going to be bots scanning all over the place to exploit this. They just made sure that all vulnerable machines were patched, so that can't happen. Otherwise, all the machines that were just upgraded would have been rm -rfed by morning most likely.
<edit> forgot...ya Futurama rules!:D </edit>
trustedurl.com 03-12-2004, 05:48 PM Originally posted by Andrew
But they just did you a huge favor, as by tonight there are going to be bots scanning all over the place to exploit this. They just made sure that all vulnerable machines were patched, so that can't happen. Otherwise, all the machines that were just upgraded would have been rm -rfed by morning most likely.
I hope I'm missing the sarcasm there :) I was patching the boxes already, that's why I noticed what was going on and intervened.
From a geeky perspective it was a great idea, but from a business perspective it wasn't. I'm not that upset with the fact that they did it, but more with the fact that I'd like to know! Besides, 3 machines didn't even come back up and with cpanel.net being down shortly, how many machines did not finish their upgrades?
:)
Andrew 03-12-2004, 05:52 PM I gotcha...but what if you missed one or something...then what? And what about the folks who didn't know because they were out of town or something and didn't log in to whm?
As long as they didn't upgrade boxes that weren't vulnerable, I don't see any problem with what they did.
trustedurl.com 03-12-2004, 05:55 PM Originally posted by Andrew
I gotcha...but what if you missed one or something...then what? And what about the folks who didn't know because they were out of town or something and didn't log in to whm?
As long as they didn't upgrade boxes that weren't vulnerable, I don't see any problem with what they did.
But it was set to manual. Is it not my choice then to manage the box myself and to take on the responsibility that it's secure? Of course it is.
This should have been opt-in, not forced. Anyhow, I understand it will be a blessing for a lot of people, but I still think it should have been announced (in whm's news perhaps? I might have missed it though).
Also, there was an announcement re. the problem yesterday in the WHM news, why not announce the upgrade as well?
Anyhow, I guess we agree in the fact that yes, from a technical view it's interesting, yes for a lot of people it will be a blessing, but I still maintain that "manual" means keep your hands off my machine! :D
BigGorilla 03-12-2004, 06:03 PM Originally posted by Andrew
Actually, that's pretty cool, I think, but it does mean that nothing should have updated if you did, in fact, patch your box by chmodding resetpass to 000.
No. There was another exploit of the same caliber that would have left you vulnerable if you didn't update. That other exploit info was released earlier today.
trustedurl.com 03-12-2004, 06:04 PM Originally posted by BigGorilla
No. There was another exploit of the same caliber that would have left you vulnerable if you didn't update. That other exploit info was released earlier today.
I think we're all agreeing that cPanel should communicate better? I would have minded a lot less if we were notified (using WHM news).
Then again, I might have missed it, so I'm not saying it wasn't there.
BigGorilla 03-12-2004, 06:08 PM Yes, I agree. I only noticed because I saw the exploit and tested it. So I had shutdown cpanel and was in the process of figuring out what I could do to fix it, before seeing this on my server:
Broadcast message from root (Fri Mar 12 14:46:12 2004):
cPanel Layer 2 Update Commencing
thedavid 03-12-2004, 06:11 PM Originally posted by BigGorilla
No. There was another exploit of the same caliber that would have left you vulnerable if you didn't update. That other exploit info was released earlier today.
Indeed - I assume you mean the one posted to bugtraq around 1?
I wish cpanel'd have someone audit their auth code if it's this big of a problem...
friendzone 03-12-2004, 06:19 PM Hello,
I just found out there is an update patch at cPanel WHM, so just click on it, and it will solve the security problem.
cPanel looks so cool to me, coz I do not know much about server stuff; it looks pretty easy to use. Very user friendly, agree?
andrewgmol 03-12-2004, 06:33 PM Anyone else having problems displaying the WHM page?
I log in ok, but I'm just getting a blank page as it tries continuously to load.
Just the news section correct? That happens if cPanel is down.
friendzone 03-12-2004, 07:04 PM Know what, I had something weird happen to WHM. When I log in to WHM, it will reboot my server. Does anyone else have that problem?
andrewgmol 03-12-2004, 07:05 PM Nope - everything.
trustedurl.com 03-12-2004, 07:25 PM Originally posted by andrewgmol
Anyone else having problems displaying the WHM page?
I log in ok, but I'm just getting a blank page as it tries continuously to load.
/etc/init.d/cpanel stop
cd /usr/local
mv cpanel cpanel.old
/scripts/updated
/scripts/upcp
Then move all the mailman databases and skins back in
/usr/local/cpanel.old/base/frontend
/usr/local/cpanel/3rdparty/mailman
/etc/init.d/cpanel start
Anyhow, if you do this it's at your own risk...
Bladerunner 03-12-2004, 07:29 PM Ouchy!
Need to check versions with my host I think.
http://www.securityfocus.com/archive/1/357172/2004-03-09/2004-03-15/0
Yeah, definitely something not to look over.
I love my current host when it comes to issues like this, was informed by email about this a few days ago.
Joachim
dan_erat 03-12-2004, 07:38 PM There's just been another post to SecurityFocus's bugtraq list by the same person, claiming that a similar vulnerability exists in cPanel 9.1.0's login program. "chmod 000" isn't really an option here. :/ I'm unable to reproduce the problem here with 8.something... Oddly, the server sends me a .exe file when I try to inject shell commands into the user variable. Anyone else seeing this?
Guess I should've gone with Plesk. :(
Mark_TVI 03-12-2004, 07:39 PM Originally posted by yado
Yeah, definitely something not to look over.
I love my current host when it comes to issues like this, was informed by email about this a few days ago.
Joachim A few days ago? That would be quite the trick since the security warning was just posted yesterday and Cpanel just posted and provided the resolution for this issue today.....
thedavid 03-12-2004, 07:51 PM Merged another thread...
porcupine 03-12-2004, 08:44 PM One word.
Unacceptable.
sprintserve 03-12-2004, 10:57 PM Ya. We did have it disabled on our own boxes. But for our clients we let them decide. But it sure caught us scrambling for a while. We caught that Arab's email to the security list asking if it was a problem... so we did have notice of it a bit earlier.
Still, it's getting tired.
chrisS 03-13-2004, 01:04 AM There are tons more pages cpanel has yet to fix.
Since a moderator already posted logs show one exploit, i take it i can post this..
http://ip:2082/login/?user=|"`id`"|
Ask yourselves now, do you feel safe running cPanel? I only express my concern as a Unix engineer. I hate to see servers get hacked and downtime.
This can be called from 500 different script calls.
I strongly suggest disabling cpanel until all bugs have been fixed.
Rusty500 03-13-2004, 12:12 PM Originally posted by chrisS
I strongly suggest disabling cpanel until all bugs have been fixed.
So I guess we'll have it disabled forever :rolleyes:
It's sad really... You'd think the cPanel guys would be extra security-conscious when it comes to a password reset script.
We've been looking for a good cPanel replacement for a while. We're now considering writing our own.
-Russ
MattF 03-13-2004, 01:38 PM We're now considering writing our own.
A lot of companies have tried to with limited success; you have to take into account the ongoing maintenance etc... A better idea would be a group effort from a consortium of companies or even open-source.
Steven 03-13-2004, 01:42 PM yupapa, seems to be successful in their control panel =)
MattF 03-13-2004, 01:49 PM One word.
Unacceptable.
Exactly. It seems people at this forum do understand the severity of the situation, hopefully now full code review and code security audits will become the norm at cPanel. I look forward to (hopefully) more "stable"/secure updates.
The reception at cPanel by a few individuals is quite surprising. There are some people suggesting if we don't like it, leave, but as someone pointed out, our clients are familiar with cPanel and our plan offerings are based around cPanel.
sprintserve 03-13-2004, 06:56 PM Well. This latest issue brought them a lot of flak and they are taking action:
+-------------------------------------------------------------+
Fri Mar 12 23:04:02 EST 2004
9.1.0-EDGE_76 (i686)
---------------------------------------------------------------
lock tree for security audit
---------------------------------------------------------------
Let's hope something good comes out of it.
chrisS 03-14-2004, 01:29 AM I'm sure it will. When others look over code they find more and things that were missed.
For all them people who run cpanel and paid for it.. they should have plenty of money to pay someone to audit their code.
FreeBSD hasn't got "chattr." What should I use in its place?
KingAdmin 03-14-2004, 02:18 AM In FreeBSD you need to run:
chflags schg /usr/local/cpanel/base/resetpass.cgi
WWWhost 03-14-2004, 07:04 AM hi,
my servers are running WHM 8.5.4 cPanel 8.5.4-R72
without password reset feature. Is there a security risk?
I don't think so. Please correct me if wrong.
Thanks a lot
hostito 03-14-2004, 01:08 PM uh-oh....
http://www.securityfocus.com/archive/1/357268/2004-03-11/2004-03-17/0
thedavid 03-14-2004, 01:14 PM Originally posted by hostito
uh-oh....
http://www.securityfocus.com/archive/1/357268/2004-03-11/2004-03-17/0
This has already been fixed in the recent builds, same time as the other one was.
Try it on your servers and see ;)
hostito 03-14-2004, 01:24 PM ok, good, I just saw it come across my mailing list and got a bit jumpy :D
That morning coffee did not help either, it was just kicking in...
WWWhost 03-14-2004, 04:03 PM ok seems only ver. 9 and vers. 8.x.x with password reset feature have this problem....
ToddW 03-14-2004, 09:37 PM Originally posted by WWWhost
ok seems only ver. 9 and vers. 8.x.x with password reset feature have this problem....
Yes update and fix.