Again about security hole in CP!
bigAl 04-16-2001, 08:07 AM Hi again, guys… why did you delete my last thread? Are you afraid of something?:)
I will repeat:
There’s a great (BIG) security hole in VDI’s CP3! You can get any file from any server running CP3.
More than that! I can get a root access on ANY server running CP3! (But this host must provide a demo access to CP).
I can tell the VDI's support about the hole, and about how to use it, but it will cost some $$$. Or I can hack a server... if you want... $$$ - and server's yours:).
As a demo, I can create a new user with ssh access on any server running CP.
Mail me, guys… or use the ICQ (profile) to contact me.
PS: To ask 250 per month, first think about the security… guys…
Starhost 04-16-2001, 08:29 AM HHahhahaha, you are so fun! Why should we pay ya? Are you that poor? And if there were a real security hole, there would already be some servers hacked.
And when there are servers hacked with the cp, we know who did it, you fool.
bigAl 04-16-2001, 08:40 AM you won't know who did that:)
to others: if you own a hosting company, and want to hack another hosting company (i bet you could guess what for) just mail me:)
cperciva 04-16-2001, 08:45 AM Originally posted by bigAl
to others: if you own a hosting company, and want to hack another hosting company (i bet you could guess what for) just mail me:)
Mods, do you want to ban this guy? Call me old fashioned, but advertising felonious services here seems a bit ridiculous, even if it is probably done in jest.
bigAl 04-16-2001, 09:04 AM he:) scared?
I'm serious! There's a big hole. And you, guys should try to fix it. And you are trying to ban the man who CAN and WILL help you. cperciva, we should work together i think. You, as a service provider, MUST be interested! I can work for you to fix this hole! Try to understand - i'm NOT your opponent.
I can repeat:
When you want to get 250 per month - spend 2500 on security.
kunal 04-16-2001, 09:07 AM bigAl is right.. there is a hole.. and they are working on a fix for it..
Starhost 04-16-2001, 09:08 AM Alright Bigal, then hack the server where vdi's server is running on. You said you can do it, so prove it, I'll bet you can't lame poor fellow
bigAl 04-16-2001, 09:12 AM Originally posted by Starhost
You said you can do it, so prove it, I'll bet you can't lame poor fellow
I'll do a defacement - I'll tell you when it's ready.
bigAl 04-16-2001, 09:59 AM NOW,
i edited some page... be serious! there's a hole!
site: http://canyonrimmall.com/
hosting: http://jaguarpc.com
demo: http://jaguarpc.com/demo.php
View the source of the http://canyonrimmall.com/ page. There's a comment at the end of the page.
"<!--Test this page. Merlin. -->"
I tried not to do harm to anybody...
Now try this:
http://canyonrimmall.com/*****.cgi
No password heh?:)
Do you believe me now?
2 VDI:
Will we work together?
bigAl 04-16-2001, 10:03 AM And what about that?
http://canyonrimmall.com/Web_Services/
William 04-16-2001, 10:10 AM What you have attempted to hack was a "Domain owner" issue.
They need to adjust their own permissions correctly.
Chicken 04-16-2001, 10:14 AM Originally posted by bigAl
View the source of the http://canyonrimmall.com/ page. There's a comment at the end of the page.
"<!--Test this page. Merlin. -->"
I tried not to do harm to anybody...
Now try this:
http://canyonrimmall.com/cgi-bin/admin/admin.cgi
No password heh?:)
Don't see that Merlin thing. The other is a cgi script that doesn't have a .htaccess file in the admin panel (not brilliant but not cracked). If I took the .htaccess file out of my phpmyadmin dir, you'd be able to access that too, but you can't since I have it in. I don't get what this is about.
bigAl 04-16-2001, 10:22 AM Originally posted by William
What you have attempted to hack was a "Domain owner" issue.
They need to adjust their own permissions correctly.
i used a hole in cp.
It doesn't matter whether the user sets the permissions correctly - because I've edited the file using the USER's access permissions! And the user MUST be able to edit his own files. About the LINKS script... it uses a .htaccess file:).
bigAl 04-16-2001, 10:27 AM Originally posted by Chicken
Don't see that Merlin thing. The other is a cgi script that doesn't have a .htaccess file in the admin panel (not brilliant but not cracked). If I took the .htaccess file out of my phpmyadmin dir, you'd be able to access that too, but you can't since I have it in. I don't get what this is about.
OH! Sorry, I made a rebuild from the LINKS admin panel when adding a new link (http://canyonrimmall.com/Web_Services/).
LINKS script:
there WAS a .htaccess file and there ISN'T such a file there now.
I will add the comment again.
bigAl 04-16-2001, 10:30 AM done.
the comment was added again.
2 VDI:
what do U think of it?
akashik 04-16-2001, 10:34 AM Wasn't this guy trying to get people to buy/rent servers in the ad forum a day or two ago?
Maybe it's just me but I wouldn't rent anything from this type of person in a blue fit...
Greg Moore
cbaker17 04-16-2001, 10:36 AM If you know of a problem why don't you report it and get it fixed, AND STOP defacing others' sites. I don't care if you did just add a comment; if I was one of them I'd sue you for defacing copyrighted material.
Furthermore I see you are trying to sell servers on here; by doing what you're doing you're only hurting your business....
ckizer 04-16-2001, 10:44 AM Listen up BigAl, I've got an idea of what you can do...
Stop acting like a superior being because you know a common security hole in cpanel3. Contrary to your opinion you are Nothing special because of it.
Second, blackmail won't work on ANY of us, because a good (let's say 90%) would trace down your information, and put you in jail (this would be after I showed up at your door with some woopass)
So either go the f*ck away, or explain the exploit. Better yet for now sit tight on it to help protect hosts. If you need money so badly that you can try to blackmail us into it, maybe you should sell crack, or something that pays better.
That's it. I'm done.
bigAl 04-16-2001, 10:46 AM i've already told you why i didn't report the problem.
if you don't want to buy my web server - then don't do that:)
the site list on this hosting service (it's not a defacing):
2kelectronics.co.nz
JustJokingTV.futurechannels.com
Members.fireyourbossinternetforce.com
a1cdduplication.demo.jaguarpc.com
abirdseyeview.org
academy.archuniverse.com
admin.3dpicks.com
admin.ainou.net
aeonzpower.co.nz
aftm.archuniverse.com
aim4insurance.com
ainou.net
airline-tickets-center.com
alecstreehouse.com
alexpolice.com
alopecia-globalhelp.com
amoogle.com
antiaging.healthierliving.net
aquacheck.co.nz
archuniverse.com
atomic-pup.com
audiovideo.queenschurch.com
aumail.archuniverse.com
babylove-pcc.com
bacap.barrobes.com
badcandyak.com
badfight.mydoberman.net
baltais.com
barrobes.com
bartendertricks.shore-webart.com
bcisports.com
belspace.net
benribin.net
bigjiggadog.demo2.jaguarpc.com
blacksforlife.net
blaesifarms.lazyb.net
bobburnett.net
bocaj.org
bonsainetwork.com
boondock.org
brightthingsonline.com
britney.demo.jaguarpc.com
it's just a PART of the site list...
bigAl 04-16-2001, 10:50 AM Originally posted by ckizer
Listen up BigAl, I've got an idea of what you can do...
Stop acting like a superior being because you know a common security hole in cpanel3. Contrary to your opinion you are Nothing special because of it.
Second, blackmail won't work on ANY of us, because a good (let's say 90%) would trace down your information, and put you in jail (this would be after I showed up at your door with some woopass)
So either go the f*ck away, or explain the exploit. Better yet for now sit tight on it to help protect hosts. If you need money so badly that you can try to blackmail us into it, maybe you should sell crack, or something that pays better.
That's it. I'm done.
go ahead:) trace me:) and then PROVE that I(i) did it:).
Originally posted by ckizer
maybe you should sell crack
what do you exactly mean?
ckizer 04-16-2001, 10:51 AM BigAl, what are you saying, that if we don't buy help from you you're gonna deface those sites?
Go ahead, I'm bored, have extra cash, have 3 big friends, and love to travel. I also have 2 lawyers, and an Internet detective who can send me your home address if needed. Get the picture?
You be good, and stop trying to blackmail people, because it will backfire...
cbaker17 04-16-2001, 11:20 AM Haha this thread is turning into a soap opera, kick the idiot, and lock the thread....
Big Al, I don't think I need to say anything regarding your actions and admitting you did what you did. I'm sure you are aware of the legal implications as well as others here. You will be contacted.
nisus 04-16-2001, 11:59 AM I was waiting for that post to come around. Smack him around with the book Jag.
Bad enough he's done that, then to brag about it like he's won an Olympic Gold Medal.
marksy 04-16-2001, 12:21 PM I of course don't agree with the extortion-like tactics...but it's kind of humorous that people challenged this guy and called him lame...then he proved it and people are pissed at him. You want to be ticked get ticked at Cpanel folks who have allowed this hole to exist. Apparently they knew/know according to Kunal - did anyone get notified? I don't condone what bigAl did, but you might as well get ticked at all the other defacers out there (which is infinitely unproductive), or do something about it by learning to find these holes first or getting on programmers to tighten things up! I'd rather have someone come in here and tell me there is a hole I can be on the look out for - no matter how they do it, than to wake up and find 300 sites defaced. BTW, I make it a habit not to piss off or challenge people like this - it's a no win. All the internet detectives in the world won't find a good hacker - and if they do (and they can since most aren't good) nobody cares (i.e. FBI, legal system, etc) that someone defaced your website. You're wasting your time and money. I'd love to know the sploit myself..I hope CPanel folks publish it after it's fixed and before it shows up on bugtraq!
i think kunal's post about a hole was the linux/unix hole where you can cd into other people's public_html dir and view their files. that's not related to cpanel. other than that, i'm sure the cpanel team has everyone looking for it so expect a fix out shortly :)
We never taunted them to exploit anything and we took his word right off that there was a problem since everyone knows cpanel is full of bugs. We are already developing a cpanel alternative but until it's done we still use it and he could have handled this differently. Piss someone like this off?? I'm not into taking legal advice from anyone here if you're not a lawyer so we won't go into the last comment. This was not a hack and JPC and the cpanel developers have since found the problem. I'm glad it was brought to our attention and no damage was done but I would have appreciated it being handled with more discretion.....that's all.
kunal 04-16-2001, 12:45 PM ack!! my mistake :( :(
I confused the two issues :( :(
sorry about the confusion...
marksy 04-16-2001, 12:53 PM Originally posted by Starhost
Alright Bigal, then hack the server where vdi's server is running on. You said you can do it, so prove it, I'll bet you can't lame poor fellow
I'm not dishing out legal advice - and he was requested to hack. It's your cash of course - his IP is from Russia, anyone can hack a wingate or two and bounce around for a while before defacing. Cpanel is nice but as has been discussed and any software engineer can tell you, pretty poorly coded. I would appreciate if people didn't do 45 in the left lane, but they will - most defacers won't discreetly tell you your software is vulnerable. I don't agree with it but I live with it, despite its ethical problems. Agree with me or not, I'm just saying I wouldn't piss someone like that off - go ahead if you want to - any avg 15 yr old hacker can penetrate and wipe most systems - I'm not going to provoke them - my time is better spent fixing the script kiddie holes I can and wait for patches.
<EDIT: I realize you specifically did not provoke him Jag and it's unfortunate he picked your system - these are general comments, not aimed at you>
I would agree with everything and it's absurd to think some folks would rather see a server, site, or business harmed for proof first rather than take someone's word for it.
Matt Lightner 04-16-2001, 01:53 PM Ok, bug found, fixed and released.
Basically it allowed someone to run shell commands from the browser of the 'demo' account. Nothing extremely serious. It'd be just like having standard user-level shell access.
The files that bigAl edited were chmoded 777 - so any user with shell access on that system could have done the same (if they had similar malicious intentions :angry: ).
All Cpanel customers are urged to update to build 314 ASAP with the following command:
/scripts/upcp dedicated goodclient
If you don't run this manually, your server should update itself automatically tonight.
Thanks for everyone's help! (especially Jaguar PC)
Best Regards,
Matt Lightner
mlightner@site5.com
matt@darkorb.net
marksy 04-16-2001, 02:34 PM nice turnaround on the fix...
Tim Greer 04-16-2001, 05:19 PM BigAl person, this wasn't an exploit, and didn't allow you to gain root access. This is something that was covered in a few threads down in the web security forum, as a matter of fact, about limited shell/telnet access and where people can get into other people's directories, etc. This is a lame thing and has nothing to really do with the Cpanel, other than it didn't do checking to prevent it. This has been discussed time and time again. You seem like some kid that wants to try and impress people, but doesn't really know much of anything.
Simply changing a few permissions and ownership of certain directories, would prevent you from doing these lame-o things to impress yourself, even if the Cpanel didn't do the checking. This is the same reason why Addr was cracked and someone gained important information. If people are wise about what permissions to use, this isn't a problem. Not a very impressive exploit -- and not even an exploit at all, actually. The fact that you make a big deal about it and try and get money for it, like it's some big, complex problem, is just pathetic.
damn, that summed it up pretty nicely.
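Matt Lightner's fix note above says the edited files were mode 777, and Tim Greer's point is that correct permissions and ownership alone would have stopped the edit. The script below is an added example, not code from the thread, from Cpanel, or from any host mentioned here: it audits a web tree for world-writable files and directories (the condition that let a user-level demo shell edit those pages), reports them, and strips the other-write bit. It assumes only POSIX sh with find(1) and chmod(1); the sample `public_html` tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not Cpanel's code): audit a web tree for
# world-writable files and directories. Mode 777/666 lets any local account,
# including a demo shell, edit those files; clearing o+w is the remediation.
# Assumption: POSIX sh with find(1) and chmod(1); the sample tree is constructed.

# Print every file or directory under $1 whose "other" write bit (o+w) is set.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 2>/dev/null | sort
}

# Number of world-writable paths under $1 (handy for a nightly cron report).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediate: clear the o+w bit on everything world-writable under $1.
# Only the other-write bit changes; owner/group modes and exec bits are kept.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} + 2>/dev/null
}

# Build a small constructed sample tree mimicking a customer's public_html,
# with one over-permissive directory and one over-permissive file.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/scripts"
    printf '<html>hello</html>\n' > "$base/public_html/index.html"
    printf 'x\n' > "$base/public_html/scripts/page.txt"
    chmod 755 "$base/public_html"
    chmod 644 "$base/public_html/index.html"
    chmod 777 "$base/public_html/scripts"           # constructed: world-writable dir
    chmod 666 "$base/public_html/scripts/page.txt"  # constructed: world-writable file
    printf '%s\n' "$base"
}

# Demo, enabled with AUDIT_DEMO=1 so the file can also be sourced silently:
# report, fix, report again on the constructed tree.
if [ "${AUDIT_DEMO:-}" = "1" ]; then
    root=$(make_sample_tree)
    echo "before:"; find_world_writable "$root"
    fix_world_writable "$root"
    echo "after: $(count_world_writable "$root") world-writable path(s)"
    rm -rf "$root"
fi
```

Run it as `AUDIT_DEMO=1 sh audit.sh` to see the two constructed paths found and then cleared; on a real host you would call `find_world_writable /home/*/public_html` first and review the list before running `fix_world_writable`, because some CGI applications keep a deliberately writable data directory that needs a different fix (owning it by the site user rather than opening it to everyone). Ownership matters as much as mode: a 775 directory owned by the wrong user is still editable by that user, which is the second half of Tim Greer's point.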
bigAl 04-16-2001, 10:20 PM Originally posted by Tim_Greer
BigAl person, this wasn't an exploit, and didn't allow you to gain root access.
This hole doesn't really allow that, but I said I can get root (and I still can do that) using this hole to do some "things" which will allow me to get root.
TO admins:
did you find my ip in your server logs? By the way - CP doesn't write any logs....
TO vdi:
guys, if you really understood where's the hole - fix it. That's all.
TO people, talking how bad am i:
I could hack (really hack) 10-20 servers and make 500-1000 defaced, writing something like "**** OFF, SUCKERS", but I just inserted a little comment at the bottom of the page. Nothing more. Nobody except you, guys, saw that.
And I did it because YOU asked me. I told you that I can do another harmless thing like a demo. Wasn't it enough? It wasn't for you, I see.
So think what you want, but I think that the support could try to ask more information about the hole but he said "stay away from here man. What you are talking about is false. We know everything, we can do everything, we don't need anybody's help, we are the best & we're happy to be them!"
if you have a big business - try to listen to people like me.
That's all for now...
(Besides, I'll try to access some server again - to be sure they fixed it. I won't do anything with users' files, but I'll tell you if the problem is still open)
Chicken 04-16-2001, 10:37 PM See, that's good. Nothing wrong (and in fact it is quite good) being a hacker for the purpose of securing boxes. I think the 'demanding money' aspect kinda got people a bit ummmm, hating you.
akashik 04-16-2001, 10:44 PM Yes, look at Chicken's picture... you can tell he's all burned up about it... :D
Sorry I couldn't resist that with your deep fried friend there..
Greg Moore
bigAl 04-17-2001, 11:07 AM about the money:
guys, I worked and I want somebody to pay me. I don't demand money, if you don't want to collaborate with me - then don't do that.
thewitt 04-17-2001, 01:08 PM Originally posted by bigAl
about the money:
guys, I worked and I want somebody to pay me. I don't demand money, if you don't want to collaborate with me - then don't do that.
Normally when you work for money, you make arrangements in advance. Doing work that you decide to do on your own, and then demanding payment because you think someone benefits from it, is about as backward a model as I can think of.
:cartman:
bigAl 04-17-2001, 10:29 PM WARRING!
The sole still be open! I've checked Jag's and VDI's servers - it works!
Should i prove that?
PS: VDI's support are full downs
Woody 04-17-2001, 10:35 PM Openly stating you gained access illegally to a server is not the smartest thing to do.
Tim Greer 04-17-2001, 11:38 PM Originally posted by bigAl
WARRING!
The sole still be open! I've checked Jag's and VDI's servers - it works!
Should i prove that?
PS: VDI's support are full downs
The "sole" is still there? What don't you get, exactly, about this? isn't it clear to you, by now, that Jag and likely VDI don't condone this action of yours? It's one thing if you're testing out the control panel's to see if they appear secure enough for you to want to host there, but it's an entirely other thing, when you intentionally continue to test these parameters. If you notice something wrong, either explain to them what you did or how to fix it (and I don't mean the Cpanel people, that's pointless), or leave it and don't host on that server, but it's fine to alert them of it.
Personally, I never have and likely never will be okay with or like Cpanel, I think it's flat out crap. However, that doesn't justify you just going in, uninvited and specifically told NOT to, and try to circumvent these systems via this control panel. I have noticed things in the Cpanel before and I let the servers know about it, I didn't continue to go and harass them and interfere with their business. No one asked you to check these servers, so don't expect them to pay you for this service you think you rendered. Cpanel or not, who cares? I mean, did you really expect the Cpanel coder's to fix a hole? I don't, so don't act like people that run the software are fools or should pay you to help them.
Personally and I promise you, if I cared enough about that damn Cpanel software to want to bother to secure a system around it, I would. My personal opinion, is to not run it -- but not due to just the security issues. I advise people to not use that pile of junk, and I therefore don't try and support it to a point where I bother to try and secure a system that runs it, since it opens up more and new holes. So, what are you getting at? Who are you trying to challenge here and to do what? To pay you only? You will continue these unwarranted and unwanted violations on their servers, because they can't realistically just drop the Cpanel and lose a large amount of their clients?
Because you want to screw around and be a brat and think you're cool for finding some obvious and lame hole, you make the job for people like me more miserable, because now I have to waste my time securing someone else's crappy software, so people like you won't try and demand money or make people believe that these servers aren't well run or secure. Also, the fact you mention you can get root, I'm doubting that, but I'm also not completely ruling out Cpanel having security issues, since it's not that great of software. However, how do you know, unless you tried? This is NOT an invitation for you to either try or get root on any of these servers, I'm making that clear now!
If you did and got root, what were you thinking? Do you say that sort of testing is harmless? It's one thing to try something general and harmless and see it's a bad program and you don't want to be on a server running it, but it's another thing to go further and try and get root. That's not harmless or something people are going to take lightly. I am not upset with you for finding a hole, I'm upset the software is poorly done. But, now, because of this, people like me, have to prevent people like you from doing it, so this ends. This upsets me, because I don't think the Cpanel is worth the effort of trying to salvage, but since people don't have an immediate option otherwise, you've just made me temporarily waste my time!
If I can get a server _of my own_ to set up Cpanel on and secure it, which shouldn't take too much effort, just to let you test your lameness on it and try and brag, I'll let you try and get root, which I guarantee you will not... but unless someone offers that, you need to cease and desist these tests you're doing. Not because people are intimidated by you or your self-proclaimed skills, but because it's unethical and you're risking getting into some trouble -- and no, that is not a challenge.. I just want you to shut up and go back to your hole. So, until or unless I invite you, or someone else does for their specific server, you need to stop... I'll see what I can do and I'll be more than happy to embarrass you in public so you'll go away for good. At the rate you're going, you're just going to piss people off and never get what you want anyway. All you're doing is ensuring that people like ME get paid more, because you didn't practice positive ethics.. So thanks, pal! :-)
bigAl 04-18-2001, 12:06 AM So, i've found the hole, i said that i can fix it or tell the support how to do that. What do you want? You want me to stop "testing" the hole? But is there any other way to prove that the hole still exists? How?
I told you, guys, at the beginning that I DON'T WANT OR NEED TO HACK THE SERVERS. I said at the beginning "let's work together, guys, i'll do everything to fix the hole. I'm not the man to fight with! I can and i will do everything to help you.'. Do you want such service for free? Then try to get it somewhere else. (fire your admins\security consultants first)
I won't do any things which make harm. Last night i've accessed two servers only to check whether the hole does exist. I didn't change anything.
About getting the root:
i didn't try - you're right, but i'm sure that i can do that. I've got a plan.
2 Tim_Greer:
let's test your server's security? Pay me and I'll try all the ways to access the server, then I'll give you a detailed report. You'll say that I'm demanding money again? NO! It's a kind of service, called "security check".
to VDI:
DO you want to fix it?
bigAl 04-18-2001, 12:09 AM Originally posted by Woody
Openly stating you gained access illegally to a server is not the smartest thing to do.
I do agree. But which is the smartest?
Woody 04-18-2001, 12:11 AM One thing.. Did you have permission to do your "testing" on these servers? If not, you're gonna get yourself into a bit of trouble eventually.
I don't want to give you money, I don't want you to secure my system, and I really don't want to listen about this hole of yours.
cperciva 04-18-2001, 12:24 AM "White hats" routinely break into computer systems, leave "look guys, this system is insecure" messages, and help people fix their security. While *technically* it might be illegal in *some* states, I don't think anyone has ever been prosecuted for doing this. White hats perform a very useful service to the security community, generally notifying vendors of security holes in their products, and if vendors fail to fix the holes promptly, announcing these holes to the entire world.
Unfortunately, bigAl doesn't seem to be quite certain what color his hat is. While, to his credit, he has not caused any damage to the insecure systems he has found, he has also asked for money in exchange for detailing this security hole -- a tactic characteristic of "black hats".
If you want to report a security hole and not get people mad at you, here's the way to do it:
1. Put a comment in a webpage, create a file, or similarly do something to demonstrate the security hole without vandalizing the site. This is *crucial* because there are hundreds of people running around shouting about security holes who don't know what they are talking about -- when you report a security hole you must be able to provide evidence of its existence.
2. Send an email to the vendor of the insecure code notifying them of the security hole, of how to fix it, and of the fact that you will be sending out an advisory in 30 days.
3. 30 days later, if there hasn't already been an announcement from the code vendor, send out your advisory telling people "look, this is insecure, *and this is how to fix it*".
4. Bask in the glory of having everybody talking about the security hole that *you* discovered.
I really didn't want to reply!
but this is what I believe! Cpanel is poorly coded! anyone who read the code of this Cpanel will know how to hack it, let's not get mad because we use Cpanel and believe it is the best Control Panel!
I test this Cpanel out, and I really didn't like it! but this is what I believe!
believe me guys, if I design a software and I sell a lot of it and someone comes along and tells me that there is a hole in your software, I will pay him money to just tell me where the hole is and if needed I will pay more money to get it fixed! What matters to me is our commercial reputation
I hope no one is going to be mad at me :D
and by the way, what does hacker mean? Hackers are people who get paid to test programs and find holes in them. And a lot of companies out there use hackers to test their systems! And I think this is what bigAl was trying to tell you guys! (that doesn't mean I agree or disagree with what he/she did):cool:
Tim Greer 04-18-2001, 01:44 AM Originally posted by bigAl
[B] So, i've found the hole, i said that i can fix it or tell the support how to do that. What do you want? You want me to stop "testing" the hole? But is there any other way to prove that the hole still exists? How?
That's just it, Big 'ol Al, no one asked you to look, no one asked for your help, for your advice or for your opinion or the unrelenting manner in which you've taken it upon yourself to pursue. That makes it "not okay". You don't go around trying to open people's doors throughout your neighborhood, do you? You don't just assume that responsibility and do what you've done. I too have tried things on many servers and found holes. I didn't demand I am paid to assist them, I informed them about it, to let them know it's there and that I could help them, for free -- I figure maybe they'll be kind enough to pay me, if they want to, but not to stop me, but so I can help them. Recall the manner in which you posted your initial post here.
I told you, guys, at the beginning that I DON'T WANT OR NEED TO HACK THE SERVERS.
Firstly, if you want to act like you could, you had better learn the proper term first. It's called "cracking", not "hacking". There is a large difference and any "hacker" or "cracker" that is genuine would know this difference. You've used a very, very simple means to poke around systems. That is not a hole, that is simply because the program in question isn't trying to, nor meant to serve the purpose to stop people from poking around. The same is true of any shell access. If you log into a shell on a server and can view files that you have permission to read, are you going to actually tell them they have a security hole too?
Do you expect people not to laugh at you? Do you expect people to pay you for something they likely already know about? Here's an example, go set the permissions on any server to 777 on a file or directory and then try and alter a file within that directory. Does that make you a "hacker"? Do you know what a "hacker" is? Okay, I'll give you a break on the misuse of that term, because you're from Russia and you might have that language barrier issue happening.
I said at the beginning "let's work together, guys, i'll do everything to fix the hole.
That's not accurate, as evidenced by your initial post. It was more like "I found a hole that lets you get root on servers (even though I don't know if that's true yet) and I'll help only if you pay me!" and make it your personal mission to continue to test your theory on these servers, when you've been told to not do it and that they didn't agree to it or ask you to. That is harassment.
I'm not the man to fight with!
Am I? Is Barney the Purple Dinosaur? Are you a man or a kid that's being a brat? Be more respectful and act in a manner more appropriate, if that's the case and help someone, if you truly think it's an issue that's as big of a deal that you claim -- which it's NOT, instead of denying people this information. A more respectful attitude will likely have someone more likely to hire your service. As it stands, this is a simple issue and not something someone needs to pay someone for, since the solution is posted on the web security forum, where I already covered these aspects and the solution to it!
I can and i will do everything to help you.'.
Fine, if this is more than some lame ownership and permissions issue, which I know it isn't, then post it here, what you did and your idea how to stop it.
Do you want such service for free?
Assuming this is what it sounds like it is, no. Some people don't need your help, nor want your help.
Then try to get it somewhere else.
Okay, how about here. I'll do it for them and for no charge. Look ma', no extortion!
(fire your admins\security consultants first)
Do you really think any, or even one, of these companies truly has a security consultant? Hire them to set the proper ownership and permissions? Uh, sure...
I won't do any things which make harm. Last night i've accessed two servers only to check whether the hole does exist. I didn't change anything.
So? If I keep picking your locks and coming in your house at 2 AM and don't steal anything, would you be okay with that?
About getting the root:
i didn't try - you're right, but i'm sure that i can do that. I've got a plan.
Everyone has a "plan". And, like I said, I didn't think you did, since I'm sure this is the basic, simple issue that was already discussed in some detail before.
2 Tim_Greer:
let's test your server's security?
Let me get a server, first.
Pay me and I'll try all the ways to access the server,
I was talking about this "hole" you think you found in Cpanel. I bet this same "hole" exists in shell too.. it's called "permissions and ownership". And, I have no reason to pay you, what are you on? I think it's obvious that I don't need your help or advice. I simply said, since you're doing this anyway, if I set up a server and let you try your "Cpanel exploit" and fail, will you go away? I said I'd let you try to get root, since that was not an offer or challenge for you to try on any of the servers you've been screwing with. You might go away then, and shut up. That was my only point, to show you that it's not a big issue and you're being ridiculous and trying to impress yourself about some small issue that's not what you make it out to be.
then I'll give you a detailed report.
Gee, thanks.. but no thanks.
You'll say that I'm demanding money again? NO!
No, I won't... I wouldn't pay you for that service. In case you're wondering, that's exactly what I get paid to do, and I don't need to try and get into people's systems without permission to try and scare them into paying me to help them. Do you think you've scared anyone here? No, you've annoyed and pissed them off, because enough is enough. If they aren't going to pay you, which they are obviously not going to do, then move on or just stop. You don't need to test it any longer. I can stop you on any of these servers, but I can not and will not grant you permission to test things. And, to be very clear again, I am not telling you to try it or giving you permission to try it. I'm not saying whom I will do it for. I will only give you permission on my own server, which I don't have my own server yet, to try this specific hole you try and claim exists, nothing more, and I'm not stupid enough to pay for it either, since I'm confident I know more about this than you do, moreover the ethical implications thereof.
It's a kind of service, called "security check".
Yes, that could be. And, just going around and continually harassing people that don't want to pay you for your claimed discovery of this alleged "hole" is nowhere near a service or security check. Be reasonable about it, you know this is a fact.
to VDI:
Do you want to fix it?
This isn't a Cpanel issue, this is a permission/ownership issue and they have nothing to fix. If you knew what you were doing, you'd know that. Now, once again, this is not an offer, challenge or acceptance to your claim or ability, so you need to lay off.
Tim Greer 04-18-2001, 01:56 AM Originally posted by jman
I really didn't want to reply!
but this is what I believe! Cpanel is poorly coded! Anyone who reads the code of this Cpanel will know how to hack it, let's not get mad because we use Cpanel and believe it is the best Control Panel!
I actually don't know one person that used Cpanel that likes the thing. Everyone I know of that uses it, only does because as per the features (which are very basic anyway) aren't found in other products and some people think it "looks good". Any programmer that's seen a portion of that code or has seen how it's designed agrees it's poor code, you're not alone in that opinion, at all. No one's mad about that opinion. People are annoyed at someone coming in and trying to extort money to fix something, that is either not a hole, or if it was, isn't something that is any of their responsibility as per the software goes. This kid is picking on web hosts that are not Cpanel developers, there is no other explanation.
I test this Cpanel out, and I really didn't like it! but this is what I believe!
No one likes it. :-)
believe me guys, if I design a software and I do sell a lot of it and someone comes along and tells me that there is a hole in your software, I will pay him money to just tell me where the hole is and if needed I will pay more money to get it fixed! What matters to me is our commercial reputation
This is an option, but it's not acceptable to harass the clients using your software.
I hope no one is going to be mad at me :D
Then I'd be very hated.
and by the way, what does hacker mean? Hackers are people who get paid to test programs and find holes in them.
That's not technically what a hacker is, per se, although it's one of the things a "hacker" can do. A hacker is a technical term for a programmer, and does such things, not system or network security, although that once again is part of what some hackers do.
and a lot of companies out there use hackers to test their system!
True...
and I think this is what bigAl was trying to tell you guys!
Yes, I know... but he didn't really act in a manner of that type of person... You don't try and force people to pay you, and if they don't, to continue to basically harass them or their clients. Cpanel is not anyone's business, but the Cpanel coders.. why doesn't he take this up with them? If they don't take action, then he can come to the Cpanel clients and say that Cpanel won't fix this problem, so are these clients willing to pay him to fix it for them (if he can)... If they don't, he needs to leave them alone, instead of using them as unwilling participants in his examples and whatnot.
( that doesn't mean I agree or disagree with what he/she did):cool:
Well, I personally have an opinion about it and I disagree. The fact that he tested the Cpanel and found something he believes is a hole, is fine. No one said anything bad about that. The fact that he's thinking he can withhold help to a problem that he's allegedly found and continue to do this on the servers, is not acceptable or ethical. Not this way, not judging by his initial post about it. That's no way to conduct business or get business. Cheers! :-)
Tim Greer 04-18-2001, 06:53 AM Anyway, I know this is a lame claim of a hole, but as I stated (in the web security forum), there are simple and effective ways to stop this from happening, as well as stopping it from happening in FTP or shell access as well (or if someone writes a script to provide them with access to shell commands), it will all fail to provide said user to have permission to read any files that are in any user's account directory and beyond. So, no matter if it's Cpanel, FTP or shell, or CGI or other scripts, this won't be a problem.
No reason to deal with some kid that wants to try and make a big deal about it, but, as I said before, this is something people ought to do and enforce anyway, no matter what, if they are a web host and have shared accounts, demo accounts, or anything else. Email me and I'll help you out, it only takes a couple of minutes to do and I'll show you the problem with an example and you can test it yourself. I'll explain how it works and how to implement this solution and you can test the example again and see how it doesn't work. Just email me and I'll help you out -- no charge, but donations or references are always nice. :-)
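The post above only describes the fix in general terms. As an added example (not code from the thread, from Cpanel or from VDI), the script below audits a shared-hosting home tree for the two conditions the thread keeps returning to, account directories that any other local account (a demo account included) can list, and files left world-writable, and applies the 0711 / o-w fix Tim alludes to. It builds a constructed tree under a temp directory so it runs without root; pointing the audit functions at a real path such as /home is an assumption about the server's layout.

```shell
#!/bin/sh
# Added example, not the thread's or Cpanel's own code. Audits a home tree for
# account directories other local users can list, and for world-writable
# files, then hardens them. Runs against a constructed tree in a temp dir.
set -u

# Home directories whose "other" read bit is set: any local account, the demo
# account included, can list them. Only the top level of the tree is checked.
audit_readable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -o=r | sort
}

# Files anywhere under the tree that any local account can modify.
audit_world_writable() {
    find "$1" -type f -perm -o=w | sort
}

# Restrict one account directory to 0711: owner full access, everyone else can
# traverse (so the web server still reaches public_html) but cannot list it.
harden_home() {
    chmod 711 "$1"
}

# Strip the world-write bit from every file under the given directory.
harden_world_writable() {
    find "$1" -type f -perm -o=w -exec chmod o-w {} +
}

# Build a constructed tree containing the mistakes the audit looks for and
# print its root path. Values are made up for the example.
make_demo_tree() {
    root=$(mktemp -d)
    for u in alice bob demo; do
        mkdir -p "$root/$u/public_html"
    done
    chmod 755 "$root/alice"    # listable by every local account (bad)
    chmod 711 "$root/bob"      # already hardened
    chmod 755 "$root/demo"     # the demo account, listable (bad)
    printf 'password=example-only\n' > "$root/alice/.my.cnf"  # constructed secret
    chmod 644 "$root/alice/.my.cnf"
    : > "$root/demo/public_html/guestbook.dat"
    chmod 666 "$root/demo/public_html/guestbook.dat"          # world-writable (bad)
    echo "$root"
}

# Stand-alone run: audit the constructed tree, fix it, audit again.
demo_root=$(make_demo_tree)
echo "Listable account dirs before:"; audit_readable_homes "$demo_root"
echo "World-writable files before:"; audit_world_writable "$demo_root"
for d in "$demo_root"/*/; do harden_home "${d%/}"; done
harden_world_writable "$demo_root"
echo "Listable account dirs after (expect none):"; audit_readable_homes "$demo_root"
echo "World-writable files after (expect none):"; audit_world_writable "$demo_root"
rm -rf "$demo_root"
```

Ownership is the other half of the fix the post mentions: a file the demo user owns is readable by that user regardless of mode, so the audit above is a complement to, not a replacement for, checking who owns what.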
bigAl 04-18-2001, 08:18 AM jman, you're the first man who tried to understand me. 10x
bigAl 04-18-2001, 08:36 AM jman, you're the first man who tried to understand me. 10x
2 Tim_Greer:
you can't and you don't know for sure how I accessed the servers! So everything that you said above - is full ****. Don't want to waste my time with you... to my mind I wasted enough of it here. So try to listen much and to talk less.
I'M VERY SERIOUS!!!
There's a very very VERY big hole! It's NOT (NOT - NOT and NOT again) the permissions! And only "lame admins" like Tim_Greer who thinks that he's the best in the world can think so!
I CAN REPEAT AGAIN:
if it was a permissions hole, I would be far, far FAR away from here now. BUT it's NOT. Is that clear?
Using this hole you can
1) to access the server w\o an account
2) execute _ANY_ files
3) to make CP slow down
4) slow down (i mean "VERY DOWN") the server
5) in several situations get root.
ALL these things VDI's CP allows to do! Only CP. IT'S A SOFTWARE HOLE. Is that clear?
I'm really surprised that you (I mean VDI) don't want to collaborate with me. To my mind when you have 250 per month per client - you can allow to spend some money on fixing the holes. I don't know what to think of you, guys... there are two ways:
1) you're too stupid
2) you're too avaricious
I don't know what to think... you, CP's admin, told us that you've fixed the hole - it's NOT true... and I bet, you won't fix it w\o help.
Woody 04-18-2001, 04:53 PM Then why don't you post it here? If it was a true hole in the software I am sure you would get much more popularity than what you are getting now. After the way you have acted here, I wouldn't give you a penny.
On a side note: Does CPanel produce logs? I have never taken the time to even look at the thing.
Tim Greer 04-18-2001, 05:26 PM Originally posted by bigAl
jman, you're the first man who tried to understand me. 10x
2 Tim_Greer:
you can't and you don't know for sure how I accessed the servers! So everything that you said above - is full ****.
Actually, boy, that's not true. There's only so-many things the Cpanel does. You're talking about Cpanel, not WHM. Cpanel only has access to do so much and does so many functions, so it's not difficult to figure out what the problems can be or are. I know what the problem "is".
Don't want to waste my time with you... to my mind I wasted enough of it here. So try to listen much and to talk less.
You're just embarrassed, because you're trying to make a big deal about something that's not a big deal.
I'M VERY SERIOUS!!!
No, you're VERY stupid.
There's a very very VERY big hole!
No, it's not.
It's NOT (NOT - NOT and NOT again) the permissions!
It's not just permissions, no, it's also about ownership. That's about it.
And only "lame admins" like Tim_Greer who thinks that he's the best in the world can think so!
Lame Admins? Give me a break. The only thing you did, was say that you were able to get into other users' account dirs and view their files, and, you also modified some files that people had set to the permission to make them world-writable. THAT, is what's "lame" and you can do the same thing in FTP or shell access. That's not an issue with the server, really, it's the people not setting proper permissions. Further, it's not an issue with the Cpanel, per se either, since if those permissions were set properly, even if Cpanel didn't do checking, you wouldn't be able to view or otherwise modify these files.
I CAN REPEAT AGAIN:
No, I repeat again, you are making a big deal about nothing and you're embarrassed, so you are trying to act like I'm a "lame admin".
if it was a permissions hole, I would be far, far FAR away from here now. BUT it's NOT. Is that clear?
It's clear that you have no idea what you're saying. I didn't say it was only a permissions issue, it's also an ownership issue.
Using this hole you can
Oh boy, here we go...
1) to access the server w\o an account
Well, but you do have an account, it's called the "demo account". And, so what if you can access the server, that's what the demo account is set up to do! If you can access a server and can't view files due to ownership and permissions, then that's nothing new or a big deal, or a hole. In fact, the demo (or other) account can be limited to what it can do in shell, so you can't even try a local exploit on the server, for example.
2) execute _ANY_ files
You can execute ANY file that has the permissions to ALLOW you to, yes. How long have you been into computers, a day?
3) to make CP slow down
That might be true, but that's not a security hole, just bad code.
4) slow down (i mean "VERY DOWN") the server
That's not a security hole per se, that's just bad code.
5) in several situations get root.
You said yourself that you never did and didn't try. Now you say you did.
ALL these things VDI's CP allows to do! Only CP. IT'S A SOFTWARE HOLE. Is that clear?
No, that's not clear. You said that basically the Cpanel gives you access to the server without an account. Lots of users on a server have access to it. They can do everything you're trying to claim is a Cpanel hole. It's ridiculous! Sure, Cpanel should do checking before it opens up or runs a file, etc., but if it doesn't, then so what? I mean, the proper permissions and ownership can be set to prevent that. Otherwise, any user with an account on the system could do what you're saying anyway, which isn't as big of a deal as you try and make of it, be it someone's running Cpanel or not. The only difference, is that Cpanel had a demo mode and people can test the system as if they are basically a regular user. Hence: regular user. Try what you're talking about on any system, you'll see you can do the same thing, provided you simply have an account -- again, the "demo" account, still being an _account_, you genius!
I'm really surprised that you (I mean VDI) don't want to collaborate with me.
I'm not surprised they don't, you're making a fool of yourself.
To my mind when you have 250 per month per client - you can allow to spend some money on fixing the holes. I don't know what to think of you, guys... there are two ways:
1) you're too stupid
2) you're too avaricious
Now, you're also directing that to VDI. VDI distributes it, VDI isn't the owner or developer. Try and figure out who to even threaten, for once.
I don't know what to think... you, CP's admin, told us that you've fixed the hole - it's NOT true... and I bet, you won't fix it w\o help.
No "CPanel Admins" said any such thing. One person posted here saying the hole was fixed. I tested a simple fix by setting permissions and ownership last night and it stopped this viewing of other files, etc. It's a very simple thing, Cpanel or not, to stop, as I mentioned above. As far as won't fix it without help, well, that's why I'm here. I guess I rained on your parade, but this is getting old and you obviously don't have a clue, if you're going to make these claims. And again, no that's not a challenge. My point is, even if Cpanel was fixed to not allow this, anyone with shell access could do and say the same thing. It's nothing uncommon and it's not a hole, per se. If it is, then it's not a big deal, since it's very simple to prevent. The fact that you fail to understand this, says a lot about you.
ckizer 04-18-2001, 05:52 PM I have to agree with Tim on this one, not to mention bigAl you said in the beginning you were going to help us? My ass! You wanted money you played it like money or else. Go get a life somewhere else, stop annoying us, stop pretending you're special because you know common security tricks. To settle this if you need this bug fixed ask somebody besides bigAl to help you, because they will do it for FREE without f*cking with your servers.
BigAl stop talking about holes in software when you can't even plug the one in the back of your head.
Please just let this die out and stop talking about it!
alpha 04-18-2001, 09:22 PM woohoo, i found a use for the vB ignore list option! :D
bigAl 04-18-2001, 09:44 PM Originally posted by Woody
I am sure you would get much more popularity then what you are getting now.
i don't need it
bigAl 04-18-2001, 09:53 PM > You're just embarrassed, because you're trying to
> make a big deal about something that's not a big deal.
then you just didn't understand.
This hole isn't an ownership\permissions hole. It's the software hole.
Tim Greer 04-19-2001, 04:43 AM Originally posted by bigAl
> You're just embarrassed, because you're trying to
> make a big deal about something that's not a big deal.
then you just didn't understand.
This hole isn't an ownership\permissions hole. It's the software hole.
And what you fail to grasp, Big ol' Al, is that provided the permissions and ownership are set appropriately, this "hole" in the software is irrelevant, moot and completely harmless -- to the point of ensuring you _can't_ read other user's files or the like. It's that simple, this is what you continue to fail to understand. Cheers! :-)
It looks like there might be a hole after all. There is an exploit in phpmyadmin 2.1.0, the default build which cpanel/whm boxes have. The only problem with this is that you can't access phpmyadmin from a demo account. There are no details on the exploit yet. Hopefully a fix should be in place shortly.
bigAl 04-24-2001, 10:39 PM I realized that you, guys, just didn't understand me.
so I don't wanna talk with you any more...
there's a great security hole! great!
so do nothing and someday you'll have a very big pain in the ass.
Skeptical 05-21-2001, 07:34 AM Nevermind. this thread died long time ago.
bigAl 05-21-2001, 09:59 PM post if you want:)
I'm here the one man, who wants to listen but I'm still here:)
bigAl 07-25-2001, 12:15 PM Guys, I'm back to tell you that VDI haven't fixed this hole yet! We talked about it several months ago and they just did nothing!
I know all of you, guys, take care of your customers and want them to have secure sites. You want to have secure servers to provide secure sites.
Didn't you ever think that all what you did to make your servers secure may be crushed? You spent a lot of hours and thousands of dollars building your server correctly and all this work just could be crushed by some PAID software which was written by a 'budget' programmer.
I just don't get it, guys! Why do YOU pay to pay more? Tell me WHY?
Do you really want just a beautiful interface and nice features? Why don't you think more about really important things like protecting your clients? Think! They can lose more than you, hosting their sites at your server which YOU made unsecure. And you PAID to make it unsecure!
I just don't understand VDI. They just think that they have everything working OK. They say 'These holes are produced by stupid admins'. Now, VDI, I tell you 'NO! This is NOT a permissions or other **** like that. This is a software hole. More than that: such holes are produced by stupid and lazy programmers, not admins. Should I repeat it twice?'
Remember, VDI: some day you'll have a very big pain in your ass which will make your ass hole grow up. And this day will come sooner than you think.
(sorry for some words, but these guys just made me mad.)
Just somebody tell me WHYYYYYYY a powerful (I think that correct) company can't hire professional programmers and (!) Security Experts? And why don't they want to listen to guys like me, who wanna help them? Why do they think that they are the smartest and 'the best of the best'?
I don't know what to add... I'm just mad and that's all. I can't understand people like them! And I can't understand some hosting companies which pay to pay more. I'm gonna write an article about that. (And then the book - that's for sure!)
chuckt101 07-25-2001, 01:42 PM Alright.. I actually read all of the pages and didn't want to bring this topic back up, but since it's up, this is what I have to say:
BigAl. good... you found a security hole. You aren't going around and defacing/hacking/whatever you guys want to call it web sites. Thumbs up for you.
BigAl-nay-sayers: Ok, so he's being a brat about it. A bit boastful and a bit bragging...but if you guys *really* are that annoyed by him.. why reply? never understood that part... I can understand if he does something like hey, (your name here), you have a security hole in your system. If you don't pay me, I will take advantage...
BigAl again: Ok, so nobody wants to pay you to fix it. Stop bugging them about it and pressuring them to fix it. Once more people discover the "bug", websites will start being hacked and defaced like crazy, and then they'll come looking for you. If you are "only trying to help", you would not take it as seriously as you are ;) and you will post your findings. The fact that you will *only* do it for money reflects that you don't really care at all about their security... Like I said, good job on finding the security hole, but bad job on publicizing it.
Well.. that's all I have to say about that.
Goodbye.
bigAl 07-26-2001, 08:49 AM Originally posted by aragon
BigAl again: Ok, so nobody wants to pay you to fix it. Stop bugging them about it and pressuring them to fix it. Once more people discover the "bug", websites will start being hacked and defaced like crazy, and then they'll come looking for you. If you are "only trying to help", you would not take it as seriously as you are ;) and you will post your findings. The fact that you will *only* do it for money reflects that you don't really care at all about their security... Like I said, good job on finding the security hole, but bad job on publicizing it.
The deal is NOT that somebody don't want to pay. The deal is that VDI guys don't care.
btw, I don't wanna get money from somebody, I want them only from VDI because of their stupidity. If they don't have their own brains, they can pay somebody to rent somebody's. That's not a joke.
My position is 'If you can't do it by yourself, let somebody do it for you.' I didn't say that I'll start hacking servers if they won't pay. BTW, I didn't start and I won't start doing that in the future, because this is NOT my goal.
If they don't want to pay me, that's OK. But WHY (just tell me why) didn't they pay to some company like @state to make a security check and to get the Security Reports?
BTW, I was SURE that the hole is fixed now! We talked about it in APRIL! It's the end of JULY now. The hole is open now.
Please, somebody, answer my question 'Why do people don't want to pay for security checks? Are they stupid or what?'
I think they are just stupid. Now, hosting companies, 'Why do you pay to stupid people? WHY?'.
If you need just an interface - you're not a hosting company, you're a group of another stupid people.
Answer me.
thewitt 07-26-2001, 10:05 AM Originally posted by bigAl
[clip]Answer me.
Why don't you go ask VDI, and leave us alone. No one here is going to bite. This has been beaten to death. We all agree that you are smarter than we are and that VDI owes you millions to fix their code.
Please go ask them. They don't live here.
-t
ps Don't be surprised if VDI doesn't care. They are releasing a CPANEL replacement and probably won't ever fix the security hole you are so adamant about.
Tim Greer 07-26-2001, 07:04 PM The reason why people were replying, was simply to protect their interests. Many hosts run Cpanel/WHM and if there's a rumor started that it's got this "huge security hole that people can use to get root access", then I'm not going to sit here silently and allow the same false rumor to be spread. Simply put, this is not true. BigAl found nothing that we all don't know about -- and that "thing" does not allow root access, it simply allows the same access anyone else has on the server -- only that the demo account just allows everyone on the Internet that same access, since the demo user has pretty much (or can have) the same type of access as the rest of the users on a system. That's all there is to it.
BigAl continues to claim he wants to help, doesn't want to be paid, etc. Yet, BigAl has not contacted one person to report this exploit, how it's done or any suggestion on how to fix it. I'd be happy just to have him explain where this exploit lies. He still has not, in all these months. Believe me, if he told VDI about a true exploit, I'd have heard about it. Therefore, he did not. All he's done and continues to do, is this "I know something you don't know" attitude, and it's simply not true. Chalk it up to egoism perhaps, or perhaps he's trying to look cool or scare people. This has been discussed to death here and in another thread on this forum recently as well (Well, in the technical and configuration forum).
My belief, is that BigAl doesn't know much about how servers work, beyond simple means and because of that, he believes there's this big security hole. People have painstakingly tried to explain it's not a "huge security hole" and the aspects of it. Still, he continues, and still, he has not provided any evidence or reason to prove that anything he says is remotely true or likely. Maybe he doesn't know any better (my opinion), or he is just trying to talk himself up. Either way, I'm not concerned, based exclusively on his attitude and seemingly great lack of knowledge. He might know enough to use Cpanel's demo account to snoop around (and yes, you can get information and access that way -- but not root -- unless the server isn't set up well and allows any other user to get root via shell or Cpanel access anyway -- NOT a Cpanel issue!!!), and he thinks that's due to a large exploit in Cpanel.
Had BigAl known how much I despise Cpanel, he'd not be thinking I'm carelessly or mindlessly supporting that product. Also, this whole VDI attacking, is ridiculous. VDI had the Cpanel developed -- they didn't code it. The guy that coded it works for Burst and is still doing his Cpanel coding on the side (or possibly with Burst.. who cares)... The point being, what could VDI do about it, other than have a new one coded? Isn't that what VDI has been saying and in the process of doing the last few months -- even before this BigAl claim anyway? Maybe BigAl should pay attention. No one is planning to use Cpanel much longer anyway -- having nothing to do with BigAl's claim, but everything to do with the poor manner in which Cpanel was coded, all its bugs and poor design. That's no secret.
VDI is releasing a new control panel, Burst will too (using the new control panel that the original designer of Cpanel is doing), JaguarPC is going to be the first company to release a new control panel very shortly here. All these companies are completely aware of how poor Cpanel is, the problems and hassles it causes and are all doing something about it. This Cpanel security claim, will be long forgotten. Why? Because no one will be using it in the next few months. Why else? Because there's NO FRIGGIN' "huge security hole that people can exploit to get root!", unless you're talking about snooping around a system for information that can help you get root because the system administrator didn't protect some sensitive file(s) with the proper permissions and ownership. Or, unless you're talking about using the demo (or any other account) to compile or run some exploit script. Nonetheless, those have nothing to do with Cpanel, I seriously doubt BigAl found any hole that he claims and I'd really like for him to actually inform someone about it, if he says it's true still and still claims he wants to help people -- be it VDI ignores his claims or demands for money.
Personally, I don't care, other than the fact that I simply can't stand when these kids come into chats and forums and whatnot, and start boasting about their "mad skillz" and how they can or have done this or that, and people actually start buying into it -- when the kid obviously doesn't realize how foolish he sounds. It reminds me of the "big bad hacker" type person in chat rooms, saying "Dude, I've got your IP address. I know all about you, I can hack your computer and give you a virus, get your social security number (somehow), get your name, address and phone number and make your TV melt and your dog stop barking". Of course, it's always something like the IP addresses are next to each person's name, they just said their name to someone in the chat room or whatever.
I mean, enough of this, it's very lame. Either give someone involved (A host using Cpanel, VDI, or whoever) some real information that proves this (and don't demand payment to tell them something that we all know about and know isn't a big deal), or just shut the hell up already. It's that simple.. or you can beat around the bush, avoid the issues and just think you are impressing people... it's up to you, but this is old! If you want to try and impress yourself with bogus stories to feel cool or like you've gotz da mad skillz, then go prey on some people that are more ignorant than web hosts are that have seen enough kids try and impress the Net folks. Cheers! :-)
PS: BigAl, I think this is your cue to call me a "lame admin" now... :-)