
WHMReseller security - what you should know
jpetersen 08-26-2008, 12:10 AM If you use or are thinking about using WHMReseller, this post may be of interest to you. To the uninitiated: WHMReseller is 3rd party software which is not developed, maintained, or supported by the company known as cPanel. It is used exclusively on cPanel servers, however.
I've just sent 5 separate security advisories to cert.org regarding WHMReseller 3.20 - 3.212. The vendor (Deasoft) is aware of at least 4 of these issues, and cert will make them aware of the fifth if they aren't already.
4 of the issues are local vulnerabilities, 2 of which require having a valid Master Reseller account to take advantage of. However, one of those issues doesn't actually require a valid Master Reseller account on cPanel servers at this time, due to another issue with insecure handling of 3rd party software installed by default on all cPanel servers (I've notified cPanel about that issue, but haven't heard anything back about it and at least 8 new EDGE releases have been pushed since then. Although they've been quick to address very similar issues in other 3rd party software with this type of problem before, strangely it doesn't appear this one is going to be fixed).
The fifth issue could be used remotely to gain access to a server. Unauthorized local access really isn't something you want on a box running WHMReseller.
Without giving too many details, but to give an idea about the issues:
there is a local root in WHMReseller (requires Master Reseller access)
there is a way to view any file on the box (requires Master Reseller access, but insecure handling of a specific 3rd party software on cPanel servers makes this much easier to pull off)
there is a way to remotely gain access to a box running WHMReseller. This could be done very quickly (a few minutes), or it may take some time (a few days). The time that it takes depends on a few things. If you don't have cPHulk enabled, you may want to enable it which should make this attack near impossible to do. If anyone ever asks you when you installed WHMReseller, tell them "1955". I'm only half joking :-)
What can you do to protect yourself if you use this software? Not much right now really. The good news is that you can protect yourself from the remote access issue. My personal recommendation, assuming that it does not break anything, would be to change the password on the default "whmrback" cPanel account that WHMReseller creates when it's installed. This can be done as root, via WHM -> Password Modification. Again, I don't know if that would cause any issues. I suspect, with reason, that it might, but as long as it doesn't cause any major problems it's worth doing in my opinion. Again, enable cPHulk if you're not using it. It would be a good idea to restart cPanel after doing so. Enabling cPHulk starts the daemon, but in my experience it doesn't actually do anything unless the cpanel service is actually restarted.
That only clears up 2 of the 5 issues, however (and I suspect there are more than 5 security issues in this software).
The reasons for this post are twofold:
1. To inform anyone using this software that they are at risk, and
2. To make users of this software aware of cert's disclosure policy, which can be found here: http://www.cert.org/kb/vul_disclosure.html
That could affect users of this software, as you may see something - possibly with more details - from cert about this in 45 days.
Hopefully having cert coordinate with the vendor will cause some patches to be produced. I don't use this software, nor do any of our customers, so it's up to those that do to keep up to date on it. I'm done breaking it, had my fun.
Mods: I've posted this in the "Hosting Software and Control Panels" section because most of the talk about WHMReseller here appears to be done in this section.
Fudevs 09-14-2008, 06:11 PM Many thanks, but actually there is no alternative for this software, so we have to use it at our own risk.
bjdea1 09-14-2008, 08:22 PM Just to set the record straight.
We have addressed (solved) all of the above mentioned security issues.
We are also currently completing a MASSIVE upgrade of ALL of the WHMreseller code to convert it from C to C++. This upgrade is the biggest code update we have ever made and will remove all use of the following older C functions:
sprintf()
printf()
strcpy()
strcat()
gets()
These will all be replaced with new C++ string handling functions and should help to remove any remaining memory related bugs that some larger installations are experiencing. We expect after this major upgrade is complete that WHMreseller will be highly reliable and secure. We are about 50% of the way through updating the code and expect to be complete within a week.
Fudevs 09-14-2008, 08:33 PM Just to set the record straight.
We have addressed (solved) all of the above mentioned security issues.
We are also currently completing a MASSIVE upgrade of ALL of the WHMreseller code to convert it from C to C++. This upgrade is the biggest code update we have ever made and will remove all use of the following older C functions:
sprintf()
printf()
strcpy()
strcat()
gets()
These will all be replaced with new C++ string handling functions and should help to remove any remaining memory related bugs that some larger installations are experiencing. We expect after this major upgrade is complete that WHMreseller will be highly reliable and secure. We are about 50% of the way through updating the code and expect to be complete within a week.
In a previous thread you said that the new version, WHMReseller 4.0, was coming at the end of August,
but there is no new .....
Also, why do you not have a team or support team to help you?
bjdea1 09-14-2008, 08:50 PM WHMreseller does not bring in a lot of money. If everyone was willing to pay twice or 3 times as much for it then yes maybe we could get another staff member. Are you willing to pay twice or three times as much?
Let me explain the amount of work involved. WHMreseller is made up of 22 separate C programs. We are converting all of these to C++. Most of these are about 30KByte in length (1500 lines) - but the largest is 730 Kbytes in length (21480 lines). That's a LOT of code - we are updating approximately 50000 lines of code. We would like to finish it faster but as I said it's a lot of work.
jpetersen 09-27-2008, 04:06 AM Just to set the record straight.
We have addressed (solved) all of the above mentioned security issues.
This isn't true. By default, new accounts created via WHMReseller still have the wwwacct string written to the server in plain text, in a world readable file that exists in a world readable location. This means that any accounts created through this software by default can easily be accessed, since the usernames and passwords of the accounts are available to anyone with local access. This was just tested on the latest version (3.214). Nothing has changed in that regard. All user data remains at risk, and quite unnecessarily so.
Have fun:
<<Removed>>
jpetersen 09-27-2008, 04:43 AM It's still rootable by master resellers too. bjdea1, there was only 1 root that I reported to you a while ago, so you know where to look for the problem and the fix.
Dan_EZPZ 09-27-2008, 06:37 AM WHMreseller does not bring in a lot of money. If everyone was willing to pay twice or 3 times as much for it then yes maybe we could get another staff member. Are you willing to pay twice or three times as much?
If it was secure, worked as it should and you could support it well then yes, I would.
Instead we're having one custom coded, which I'm sure is costing a lot more than buying a license from you would.
bjdea1 09-27-2008, 06:25 PM We are almost about to release the next new version - 3.3
This new version is completely written in C++.
jpetersen - how about some acknowledgment of the work we have already done? It's easy to sit back and criticize when you're not the one doing the work. I hope you're not one of these people who are incapable of saying anything positive. As you should know, security is never an area of development that can ever be considered "complete", it's always a work in progress. Even Windows and Linux operating systems require constant updates.
Removing the entries from debug log files is a fairly easy fix, but I wonder - will you be able to publicly acknowledge that this has been removed and corrected? Can you bring yourself to say something positive about our software? Be interested to see if you are able to acknowledge anything positive that's been done.
IH-Rameen 09-27-2008, 07:19 PM We are almost about to release the next new version - 3.3
This new version is completely written in C++.
jpetersen - how about some acknowledgment of the work we have already done? It's easy to sit back and criticize when you're not the one doing the work. I hope you're not one of these people who are incapable of saying anything positive. As you should know, security is never an area of development that can ever be considered "complete", it's always a work in progress. Even Windows and Linux operating systems require constant updates.
Removing the entries from debug log files is a fairly easy fix, but I wonder - will you be able to publicly acknowledge that this has been removed and corrected? Can you bring yourself to say something positive about our software? Be interested to see if you are able to acknowledge anything positive that's been done.
He hasn't said anything negative. He has pointed out security issues.
bjdea1 09-27-2008, 10:29 PM The majority of security issues he raised have been addressed and what I'm asking for is some acknowledgment of these patches. I would like people to know that we have been doing something to address these security issues. I would like it to be put on the record that we have removed a lot of security issues that he raised earlier. I hope jpetersen can acknowledge something positive we've done, as a kind of confirmation we are working on improving security. The remaining issues are being dealt with now with the conversion from C to C++.
Anyway...if he doesn't want to acknowledge any improvements then that's fine, we'll just keep doing what we're doing anyway.
Also I don't have any proof of the ability of Master Resellers being able to gain root access. The method jpetersen showed us did not grant root access when we tested it on our servers. If he could clarify his claim then we could verify this security issue, but currently as far as we're concerned it's still an unverified claim.
bjdea1 09-27-2008, 10:57 PM If jpetersn is going to take it upon himself to go around forums posting claims of severe security problems with our software, which is damaging to our business name, then surely he would be fair spirited enough to then acknowledge improvements?
We don't like our software product and business being singled out and labelled publicly as being "bad". We have addressed those security issues we have been able to address at this time. The remaining issues will be removed as part of the conversion from C to C++. The one debug file still containing a password in its logs can be solved quite easily and will be in version 3.3. I would like to add that this debug logging can be turned off by the root user, which will easily remove this last logging leak now while we remove it by default in version 3.3.
So my point is that we would like some acknowledgement of improvements to restore confidence. I would also like to report that we have had no reports from any users of any security breaches. So this last unverified claim of Master Resellers being able to gain root access - we've never seen this happen and we'd really appreciate jpetersen clarifying his claim as we cannot reproduce it.
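The plain-text account credentials jpetersen describes earlier in the thread and the debug log bjdea1 refers to here are a file-permission defect, independent of whether the logger is written in C or C++. The following is an added example, not WHMReseller's code: a logger that creates its file with mode 0600 from the first byte, plus an audit routine that flags and tightens an existing log readable by other users. The log path is an assumption.

```cpp
// Added example (not WHMReseller code): keep a debug log private at
// creation time, and audit/repair the permissions of an existing one.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string>

// Open (creating if needed) a log file with mode 0600. The mode is applied
// atomically at creation, so the file never exists with the umask default
// (commonly 0644). O_NOFOLLOW refuses to write through a symlink planted
// at the log path, which is how a symlink attack would redirect the write.
int openPrivateLog(const std::string& path) {
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    // If the file already existed with looser permissions, tighten them now.
    if (::fchmod(fd, 0600) != 0) { ::close(fd); return -1; }
    return fd;
}

// Append one record through the private handle; returns true on a full write.
bool appendPrivateLog(const std::string& path, const std::string& line) {
    int fd = openPrivateLog(path);
    if (fd < 0) return false;
    std::string rec = line + "\n";
    ssize_t n = ::write(fd, rec.data(), rec.size());
    ::close(fd);
    return n == static_cast<ssize_t>(rec.size());
}

// True when "other" users can read the file: the condition that lets anyone
// with a local shell read whatever was logged, credentials included.
bool isWorldReadable(const std::string& path) {
    struct stat st;
    if (::lstat(path.c_str(), &st) != 0) return false;
    return (st.st_mode & S_IROTH) != 0;
}

// Audit step: if a regular file grants any group/other permission, reset it
// to 0600. Returns true only when a change was made. Symlinks are skipped so
// chmod() cannot be steered onto some other file through the link.
bool fixWorldReadable(const std::string& path) {
    struct stat st;
    if (::lstat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode)) return false;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) == 0) return false;  // already private
    return ::chmod(path.c_str(), 0600) == 0;
}
```

Turning the debug logging off, as bjdea1 suggests, removes the content; the permission fix above is what stops a file that does exist from being readable by every local user.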
bjdea1 09-27-2008, 11:29 PM Also jpetersen please do not post the actual details of any security issues in public forums, thanks.
jpetersen 09-28-2008, 01:26 AM The method jpetersen showed us did not grant root access when we tested it on our servers. If he could clarify his claim then we could verify this security issue, but currently as far as we're concerned it's still an unverified claim.
Ah bjdea1, you continue to try to draw the unwanted attention away from your product and put it back on me very negatively as you've done since June 6th when I reported the first issue to you in private. That's ok, I don't take it personally :) I've stated from the start that it's never been my intention to try to make anyone look bad, since you stated that you felt otherwise. As the days turned into weeks, and the weeks into months, and as bugs weren't being fixed, I thought it would be nice for those using the software to know the risks. I know that I am personally grateful for those that do the same for any software that I use. However, everyone has different opinions, and that's fine.
Your product has not been singled out any more than AtMail, or cPanel, or CSF, or DirectAdmin, or WHMEZLogin, or any other software I've had my way with. Of all of those pieces of software, how much public information can you find from me on any of those other than perhaps some "you should upgrade if you use this software" notifications here and there? AtMail is the only answer, because it took public disclosure for them to implement 2 simple calls to chmod() in order to protect the integrity of their software. (As an aside, last I checked, they only implemented 1, continuing to leave the admin user hash in a world readable file on the server). That was 2 months after the issues were first reported to them.
The complete opposite end of the spectrum is to simply release exploits to the public without any vendor notification and time for them to patch. I don't agree with that, because it puts people at additional risk unnecessarily. Instead, I choose to privately notify developers if I find a security related bug, as I first did for you back in the first week of June of this year. It is now almost the beginning of October, which is why I've gradually continued to put more information out there about the risks associated with WHMReseller. Criticizing isn't my goal - informing people is.
If you feel the local root is an unverified claim, you've always had the option of asking for more information, despite never having done so for the past almost 3 months now.
You wanted feedback, so here it is, in my personal opinion of highest to lowest risk:
Bug 1) Master resellers can execute arbitrary commands as root: unpatched
Bug 2) Local users can steal credentials of other users' accounts created via WHMReseller: unpatched
Bug 3) An unspecified attack vector allows master resellers to view the contents of any file on the box: patched[1]
Bug 4) Generate every password possible (past, present, and future) for the whmrback account: status unknown[2]
Bug 5) Obtain the default password to the whmrback account: status unknown[3]
[1] Initial testing shows that this appears to be fixed.
[2] This being fixed or not depends on how the whmrback account password is being generated now. As I haven't had any feedback from you about the fixes for anything, and as your code is heavily obfuscated in most places, and as this one took some time to figure out, it's not in my interest at this time to try to figure out how the password is being generated now. If you're using more entropy now than you were before, this may be fixed, depending on the method being used.
[3] Similar to [2] above, it is unknown - to me - if this issue has been addressed. If you are still using the same method as before (I won't go into details here, but you know what I'm getting at), then this may still be an issue. Otherwise, it may be fixed.
So, there you have my reasons for not having commented on the progress of the security of your software. 2 of the 3 worst bugs remain unpatched, 1 appears to have been addressed, and the other 2 I can't comment on since I simply haven't looked at them, and won't be doing so since they required a bit of time to investigate initially. Since you know your code base for this software, the determination is yours to make on the last 2.
Offers of assistance with 0 requests for compensation or any other strings attached have always been extended to you, you know this. If you want advice on fixing the local root, all you need to do is ask. This is a positive for your software, bjdea1. Many vendors are not immune to bugs at some time or another. If I thought you truly weren't interested in fixing the issues, I wouldn't be posting this. Your last few replies, while still a bit confrontational :) show that you are concerned and are still interested in having feedback. So there you go. No actual details have been posted.
bjdea1 09-28-2008, 05:48 AM I'm glad you've acknowledged the areas that have been patched and improved.
Yes I would like more information about any possible root exploits, but please don't send this information to our email or support ticket system. Could you please send the information to me in a PM.
I would like to point out to everyone else here that none of our clients have reported any security issues. So it seems to us that whatever hole you're saying still exists, it can't be too obvious to people "out there in the real world". But whatever it is you've found - yes please do provide more information about it via PM.
jpetersen 09-28-2008, 02:23 PM So it seems to us that whatever hole you're saying still exists, it can't be too obvious to people "out there in the real world".
My threshold for your sarcasm has finally been reached. Besides, you're right: injecting metacharacters into shell commands (http://www.google.com/search?q=shell+metacharacter+security) isn't a real world issue. 1,000 apologies for having spent so much of my time wasting yours.
$ ./whmreseller_local_root.pl
[ ]
[ Tested on WHMReseller 3.20, 3.211, 3.212, 3.214. ]
[ ]
[ This can be done in 2 easy steps via the web browser. ]
[ ]
[ jailshell will not save you here. ]
[ ]
[ This bug was first reported on 07/04/2008 (the same ]
[ day it was found), and has been reported - and ]
[ acknowledged - multiple times since then. To date, it ]
[ remains unpatched. ]
[ ]
............
sh-3.00# id
uid=0(root) gid=0(root) 509(mars)
My work is done here, so long :)
bjdea1 09-28-2008, 11:55 PM You just like fighting, even another poster in cpanel.net forums said the same thing. Getting useful information out of you has been very difficult and frustrating. I have no problem with you letting this matter rest, it's exactly what we want. Also we don't owe you anything, you took this completely upon yourself from day one. We did not come to you seeking a security audit.
We'll have all this solved soon and I sense that you are aware of that - that's why you're giving up now. Well I think it's good that you're finally seeing this is a waste of your time.
You just like fighting, even another poster in cpanel.net forums said the same thing. Getting useful information out of you has been very difficult and frustrating. I have no problem with you letting this matter rest, it's exactly what we want. Also we don't owe you anything, you took this completely upon yourself from day one. We did not come to you seeking a security audit.
I'd personally feel very scared buying software from a vendor who wants to leave a potential security matter at rest.
If he hasn't yet, he should send you the *exact* method that he used to exploit your software so that you can fix it.
If he doesn't clearly send you the method he used to exploit your software then it is his fault but it sounds like he is hinting enough so that we can get the idea. If he has provided you with information and you have not acted, then that is your fault. That situation remains known only to you two as you've asked him not to publicly release any details.
I clearly hope that you pursue this matter and get the information that you need from him. If there is a possible root-escalation vulnerability (as there would appear to be based on the results of his mysterious script), then no one in their right minds would purchase your software.
For the sake of security for people out there who are using your software, I volunteer myself to be a go-between for you guys as it is apparent that there are hostile feelings.
bjdea1 09-29-2008, 12:41 AM No - the point here is we don't want to deal with jpetersen. We want to put to rest our communications with him.
We are fully committed to securing our software and what jpetersen has posted means nothing. Anyone could write a script to print out anything. When you have someone who makes these claims but never provides proof - what do you conclude? If such an exploit exists why after all this time has he still not produced the evidence? I mean what's this guy trying to do? He's going around making a claim of a root exploit but then never backs it up. He has never given us any real proof of this claimed exploit. We have never had any clients suffer from any such root exploit. jpetersen is a completely uncooperative person - there's no point in discussing this with him any further, he seems to want to frustrate and cause anguish for people more than anything else. It's like someone saying "I know a secret....but I'm not gonna tell ya...haha". It's just immaturity and we can't properly deal with someone who's immature like this.
He's just eating up our time, making people worry and fulfilling his need to feel powerful.
jpetersen 09-29-2008, 01:15 AM Mods, please close this thread. Steps to reproduce all issues have been provided to the vendor numerous times over the past 3 months despite the vendor's claims (CERT was even contacted at one point to intervene). There is nothing further to be discussed here. Thanks.
jpetersen 09-29-2008, 01:27 AM We did not come to you seeking a security audit.
[#LMU-709594]: whmreseller bugs
Date: 9/7/2008 4:15 AM
From: Brett Deason
Ok I have patched up all these security holes you found. Thanks for doing this as it helps security for the entire cpanel community. I apologise for my initial cold response and thank you warmly now for taking the time to analyse WHMreseller. Let me know if you find any further holes.
Ticket Details
===================
Ticket ID: LMU-709594
Department: Software
Priority: Low
Status: Closed
Quite cordial in private.
bjdea1 09-29-2008, 01:35 AM Regarding metacharacter injection - the new version covers this and we're already dealing with it. That's what makes this frustrating - jpetersen doesn't have a clue what we're doing and how much work we've put into upgrading our software from C to C++. It's not complete yet, the old C version is the one that he's analysing.
We've converted over 50000 lines of code from C to C++. He's gone around saying how we've not bothered to do anything - complete rubbish. What we're doing is a FULL overhaul and completely removing fundamental C functions - like gets, sprintf, strcat and strcpy as well as removing other security weaknesses. These functions are on almost every line of code in the old version. We're now using the C++ string handling and manipulating functions to replace all these older C functions - it takes time to convert 50000+ lines of code to C++ and run a hosting business at the same time, and having someone go around saying how we've done nothing etc, I've had enough of this guy.
Considering we've not had a single security complaint from any clients and jpetersen's info has been patchy (unverified) - we don't consider fixing the old C version as urgent. Instead we want to tackle this fully from the ground up - a complete conversion to C++ is tackling this fully and properly and explains why it's taking so long. If we had clients complaining about security problems then we'd deal with these specific issues now - but no one has said anything. If jpetersen provided solid evidence now then we'd deal with it now, but he hasn't. So what we're doing now is re-writing the whole thing in C++, that's what we've decided is the best course of action.
It's aggravating to us having someone assume we are not doing anything and then posting things publicly in forums and painting a WRONG picture of us. And now here I am having to defend our product in forums and deal with all this crap.
Anyway -- I hope that makes it clearer. End of discussion.
Regarding metacharacter injection - the new version covers this and we're already dealing with it. That's what makes this frustrating - jpetersen doesn't have a clue what we're doing and how much work we've put into upgrading our software from C to C++. It's not complete yet, the old C version is the one that he's analysing.
We've converted over 50000 lines of code from C to C++. He's gone around saying how we've not bothered to do anything - complete rubbish. What we're doing is a FULL overhaul and completely removing fundamental C functions - like gets, sprintf, strcat and strcpy as well as removing other security weaknesses. These functions are on almost every line of code in the old version. We're now using the C++ string handling and manipulating functions to replace all these older C functions - it takes time to convert 50000+ lines of code to C++ and run a hosting business at the same time, and having someone go around saying how we've done nothing etc, I've had enough of this guy.
Converting from C to C++ and replacing string functions won't fix metacharacter injection vulnerabilities. Those will just fix buffer overflow vulnerabilities.
Considering we've not had a single security complaint from any clients and jpetersen's info has been patchy (unverified) - we don't consider fixing the old C version as urgent. Instead we want to tackle this fully from the ground up - a complete conversion to C++ is tackling this fully and properly and explains why it's taking so long. If we had clients complaining about security problems then we'd deal with these specific issues now - but no one has said anything. If jpetersen provided solid evidence now then we'd deal with it now, but he hasn't. So what we're doing now is re-writing the whole thing in C++, that's what we've decided is the best course of action.
Overhauling everything does not address the immediate possibility of a root privilege escalation which, if it exists, should be addressed *immediately*. Just because no one is complaining about being hacked by the vulnerabilities does not mean that they shouldn't be fixed. Just because no one has noticed, does not mean that no one has been rooted because of it.
jpetersen - if you claim to have provided the details to the author and the vendor has done nothing, then release the details in public or give it to a trusted 3rd party who can verify the vulnerabilities and communicate it to the vendor.
It's aggravating to us having someone assume we are not doing anything and then posting things publicly in forums and painting a WRONG picture of us. And now here I am having to defend our product in forums and deal with all this crap.
You know what - at first I had assumed that jpetersen had provided all of the information and that you were being unresponsive. I now realize that it is your word against his and since all the details are being kept private, there is no way for anyone to know what he has or has not provided you.
Since you guys can't cooperate, the only way to move forward is for jpetersen to give the exploit information to a trusted 3rd party who can verify it or to release it in public.
On a side note, hearing that the software was written in C using string functions without bounds and length checking, without metacharacter injection checking and with password-containing debug logs that are readable by everyone makes me shiver for those servers that are running this software.
bjdea1 09-29-2008, 03:42 AM We've explained our position clearly - jpetersen HAS NOT provided us with the details of his claimed root exploit. He claims he has written a script that can gain root access yet has nothing to back it up, we've seen no such script. We've asked him to show us the script but he won't.
So we're busy on doing our own work.
Yes I know that converting the software from C to C++ will not solve metacharacter injection - I never stated it would. I stated that we are doing a complete overhaul and that we're already dealing with metacharacter injection (as part of that overhaul). Rather than fix the old C version we want to release the new C++ version which also solves overflow vulnerabilities.
The main point is we want to focus on our total C++ conversion rather than devote our time to fixing an older C script. After many months work we are on the verge of completion of the new C++ version - it's a matter of days away from being released. There's no point going back and fixing the old script anymore now. Our software has automatic updating built into it, so as soon as we release the new version - all installations will be updated over the following 24 hr period - once clients approve the update from their console.
What we'd like is for people to accept that we are in the best position to decide how to deal with our own software development. We don't encourage others to take it upon themselves to try to direct our activities. No one else really knows the situation and are really just making assumptions.
jpetersen 09-29-2008, 08:48 AM jpetersen HAS NOT provided us with the details of his claimed root exploit
Yet you fixed the symlink attack, which you were informed about in the same notification as the local root. Being dishonest isn't necessary here. In all the time it's taken to call me a liar in this thread, the afflicted variable could have been sanitized.
bjdea1 09-29-2008, 09:03 AM I would appreciate it if this thread could be closed. We have explained our position enough times now to make the situation clear.
WHMreseller version 3.3 will be released in the next few days. At that time this entire thread will be irrelevant and OLD NEWS. To everyone concerned - let's all move ahead and stop this discussion. Surely we all have lives to live and other things to do.
jpetersen 09-29-2008, 09:07 AM jpetersen HAS NOT provided us with the details of his claimed root exploit.
Below are screenshots of ticket LMU-709594, which is just one of the times the notification about the local root was sent.
http://img513.imageshack.us/my.php?image=w3iv6.png
http://img101.imageshack.us/my.php?image=w1kh6.png
<<removed>>
Prior notifications included much more detail than what you see in the ticket screenshots. The details for the bugs in the screenshots were intentionally brief (but full steps to reproduce the issues were provided), because I grew weary of providing the same information repeatedly.
chirpy 09-29-2008, 10:46 AM I do know how stressful it can be when someone points out vulnerabilities in your software. I know, it's happened to me.
But I must say that our dealings with Jeff (jpetersen) have always been professional and courteous and he has helped us fix vulnerabilities that he has found in his own time at his own cost. We're certainly grateful for the amount of time and effort he puts into doing this work for the good of everyone.
Perhaps the approach and speed of response to this type of investigation and information is key in establishing a good relationship with security researchers.
bjdea1 09-29-2008, 09:01 PM Yea, what we'd like to know is who the heck is he?
What professional organization or body does he work for or represent?
Who appointed him policeman over internet software vendors?
It appears he has appointed himself to this position. If he came to us as someone from some recognized authority, body or group then we'd have had no problem dealing with him, but at first we were not sure what to make of him. We were wondering, is this some teenage hacker? Is this someone trying to get attention/recognition and make a name for himself? Is this a disgruntled customer trying to have some kind of sick revenge?
In todays "internet" world its VERY HARD to know who is legitimate and who is not. If he wants to continue doing this then I recommend he sets up some "official" website explaining what he does and who he is. Something to legitimize what he does. Just working off "word of mouth" reputation is not enough for the kind of role he seems to want to play.
I can report that he didn't deal with us very professionally. I thought if someone was concerned about security and the end user - then they would be quickly providing the information to the vendor so the vendor could fix the problem. But it became clear to us after the first few communications that he was difficult to deal with and obviously enjoyed "playing with" the issue by often stalling and taunting us. He seems to be more interested in the process of communicating the "bad news" to vendors and playing the blackmail role, rather than with the actual solving of the problem. I mean here we are after 5 months and he still hasn't provided us with the information concerning the root exploit he claims exists. Instead he goes to the public and posts bad things and leaves the vendor guessing and frustrated - that's why he does this - he enjoys taunting and frustrating vendors. This is not the actions of a professional who is concerned about internet security. These are the actions of a person seeking attention and more interested in a fight.
Our server provider technicians tell us clearly and professionally when there is an abuse issue on one of our servers. They email you and provide the details and wait for you to deal with it and respond back to them. It's a 1, 2, 3 step process and there's no stuffing around. People who work professionally don't stuff around.
It just makes me so much more grateful for some wonderful clients we have and how important they are to us. We have clients who have helped us solve a number of issues and it's a totally different story with them. When you're dealing with clients who are actually using your product, they are not interested in long arguments and discussions, they need and want an actual solution and focus on the task.
bjdea1 09-29-2008, 09:03 PM Below are screenshots of ticket LMU-709594, which is just one of the times the notification about the local root was sent.
http://img513.imageshack.us/my.php?image=w3iv6.png
http://img101.imageshack.us/my.php?image=w1kh6.png
Prior notifications included much more detail than what you see in the ticket screenshots. The details for the bugs in the screenshots were intentionally brief (but full steps to reproduce the issues were provided), because I grew weary of providing the same information repeatedly.
We have dealt with these issues as best we can but this is not the root exploit script you claim exists. You claim to have written a script to exploit our software and refuse to show us this script. That is what I'm talking about. It's the root script you claim to have written that concerns us. Why are you keeping this script hidden from us? Are you trying to prolong this indefinitely?
bjdea1 09-29-2008, 09:35 PM These tickets show everyone how we have tried to deal with jpetersen politely and positively. So thank you, I feel vindicated.
You're claiming to have a root exploit script. That's pretty serious and if you're not a hacker, why are you withholding it from us?
Also - look at this thread and how it's developing.
jpetersen has got what he wants - a long discussion that has him justifying himself and proving this and that. We have back and forth arguing going on and it just never ends. I'm here because my software product provides me and my family with part of our income. Unfortunately some people who come in here will read this thread and decide not to buy WHMreseller because of the sheer volume of discussion alone. I have no choice - I have to come back in here and defend my product. Why are you in here jpetersen? As I stated from the outset - you are an attention seeker.
Our new release (version 3.3) is due out soon.
Patrick 09-29-2008, 09:39 PM It appears he has appointed himself to this position. If he came to us as someone from some recognized authority, body or group then we'd have had no problem dealing with him, but at first we were not sure what to make of him. We were wondering, is this some teenage hacker? Is this someone trying to get attention/recognition and make a name for himself? Is this a disgruntled customer trying to have some kind of sick revenge?
Are you for real? There's no rule or law (thankfully!) that he has to be part of some "recognized authority, body or group" to find security vulnerabilities in software.
You should be thankful that he even approached you with these details so you can secure your software and learn from these bad coding practices! You should also be thankful that he didn't post the exploit code to one of the popular mailing lists or 0-Day websites... but instead you try to ridicule him when he's trying to help?
Edit:
Does that screenshot not show a root (local) exploit?
bjdea1 09-29-2008, 10:13 PM Why should I be thankful?
All we've had is people being turned away from our software and a lot of uncertainty and trouble.
I wouldn't be at this position if he'd not caused us real confusion and difficulties. I am not thankful for many months of uncertainty, worrying and being put under his thumb.
He blackmailed us. He came to us saying basically "fix what I tell you or I'll go public". Not in those words exactly but that was the general threat. He set his own deadline and then decided to go public. He decided in his own mind what needed to be done and then blackmailed us to do what he wanted. This is my product, I developed it, I wrote it and I should be the one who decides the course of action for my business. I decided to do a complete overhaul of the product, which takes many months. It's the right course of action for the long term, to solve all the problems with our software - fully and properly. But here we had a guy who doesn't know crap about what I'm trying to do and goes ahead and assumes all the wrong things and then tells the public how bad we are.
I am doing more than most vendors would do because I want all issues dealt with. But because jpetersen threatened us I have had to devote more time to working on the old script that could have been spent on the NEW SCRIPT. Do you get it? He has interrupted our development cycle, forced us to delay things and at the end of the day - I know he's just wasting our time.
There's NO POINT fixing an old car forever!!! At some point you've gotta dump the old car and get a new one. I have patched the old script as much as possible, I've now almost completed the new C++ version and I don't want him dragging my time away from completing the new script, which is what is happening. It is not for jpetersen to decide the course of action of our business nor what path we take.
I'm not coming back to this thread anymore. I have explained our position and what we're doing. If you still don't get it then I don't think you ever will.
Patrick 09-29-2008, 10:22 PM I am doing more than most vendors would do because I want all issues dealt with. But because jpetersen threatened us I have had to devote more time to working on the old script that could have been spent on the NEW SCRIPT. Do you get it? He has interrupted our development cycle, forced us to delay things and at the end of the day - I know he's just wasting our time.
Wrong. I've worked with a lot of the big name (hosting software) vendors regarding security flaws of varying degrees up to and including root exploits, and if any of them acted like you did in this thread I would seriously reconsider working with them in the future.
Regardless of how old that script is, it's still in use by a lot of people and your priority should be fixing it, not complaining that it's taking away from the new script which I'm sure would have had just as many flaws!
I can't believe that it's taken you this long to get a patch out to at least fix some of these basic security flaws. Take the makecpaneldebug 'exploit' for example ... does that really need a code overhaul when you could push out a quick fix until you have time to get to everything else? Hell, why are passwords in plain text even being stored there? Insane!
jpetersen 09-29-2008, 10:35 PM words
Who am I? Answered this question to you already multiple times.
Why don't I provide you with the automated way of exploiting the issue which is completely unnecessary? Already publicly answered this question to you on the cPanel forums.
Stalling? By providing you with the same information, ad nauseum, within 24 hours if not sooner every time you've asked for it? That would be the opposite of stalling.
Taunting? uh huh.
Blackmail? This is getting good.
I'm done here for good. Those that know me, and those vendors I've worked with know that the character bjdea1 describes is not a description of myself. Take that for what you will. People can make up their own minds about the situation if they're so inclined. Keep in mind these contradictory statements from the vendor:
A. The bugs are fixed now
B. We were never told about that bug
A. The bug will be addressed in the next release
B. We couldn't reproduce that bug
Thanks, Jonathan, for your kind words. The feeling is mutual. MaB, the information was already provided to a trusted 3rd party on August 25th. If going to the vendor directly for 3 months doesn't help, and if a trusted 3rd party can't help, then there's only 1 option left. If and when I publicly release the details, I will simultaneously release a script that will monitor for suspicious activity as directly pertains to the local root exploit, which will notify the admin of such unwanted activity. Releasing a 3rd party patch would be ideal, but it's not feasible in this case since the code is heavily obfuscated - something I'm not willing to deal with, nor should anyone have to in my opinion.
The next post I make in this thread will be links to all the details including the monitoring script, and that will only be posted if fabrications about my character are made again - something I've been listening to since June 6th, which is my own fault I suppose for not having made this entirely public much, much sooner. I suspect it won't take long for me to have to post again.
bjdea1 09-29-2008, 10:38 PM No you are wrong.
You're wrong because our software does not keep the old version running. We don't support OLD VERSIONS. We think that's a stupid idea. When a new version comes out - ALL CLIENTS - upgrade.
If they don't upgrade then they are settling for an inferior product.
bjdea1 09-29-2008, 10:44 PM I am the one doing the work here.
I am the one writing this script.
I've spent many years developing it.
I want to convert it to C++.
I don't want to do what jpetersen says. I want to convert it to C++ and scrap the old version. I'm allowed to do that. Gosh how'd you like me to come along and tell you, you must do things my way or I'll go tell the public bad things about you.
Mind your own business please.
hostouch 09-29-2008, 11:05 PM Don't waste your time bjdea1.
They have time to debate things, u don't. Please hurry up and get new version finished.
hostouch 09-29-2008, 11:47 PM jpetersen I'm sure you're a good person, but can u please stop this discussion
I need him to hurry up and finish new version, thanks
jpetersen 09-29-2008, 11:49 PM I'm temporarily breaking my own rule of not posting again unless it contained details about the bugs so I can repost this link - which was censored by an admin but is now heavily sanitized - which must be seen to understand some of the points I made:
http://img522.imageshack.us/my.php?image=w2za8.png
mrzippy 09-30-2008, 07:02 AM jpetersen, I don't know why you are bothering with this any more. At this point, it's obvious Deasoft doesn't much care about what you are saying, so why not just drop the issue?
If their code is insecure and they are refusing assistance... then move on. Some people just can't be made to drink the water you lead them to.
I appreciate your enthusiasm and dedication to security... but really.. what's the point? Are you seriously going to continue using this software even after it's "patched", given what we all now know about the owner/developer behind it? Would you ever trust your servers to them again? Not likely.
So why not just walk away and eventually this will either all blow over (nobody will know or find out about the apparent security issues), or they'll be crucified if it becomes public.
Either way.. I just don't see the point unless you have a lot of free time or it's a hobby, etc. :)