Hi again, guys… why did you delete my last thread? Do you afraid of something?:)

I will repeat:
There’s a great (BIG) security hole in VDI’s CP3! You can get any file from any server running CP3.
More than that! I can get a root access on ANY server running CP3! (But this host must provide a demo access to CP).

I can tell the VDI’s support about the hole, and about how to use it, but it will cost some $$$. Or i can hack a server... if you whant... $$$ - and the server yours:).
As a demo, I can create a new user with ssh access on any server running CP.

Mail me, guys… or use the ICQ (profile) to contact me.

PS: To ask 250 per month, first think about the security… guys…

If you want anyone to take you seriously, start giving us some evidence of your claims. You say you can get root access? Go get root access somewhere and put up a page that we can look at.

Originally posted by cperciva
Go get root access somewhere and put up a page that we can look at.

I don't need that. What for? To make you belive me? I think that creating a user whith ssh access w\o admin permissions is enough to belive.

moved here:

http://www.webhostingtalk.com/showthread.php?s=&postid=67428

BigAl person, this wasn't an exploit, and didn't allow you to gain root access. This is something that was covered in a few threads down, as a matter of fact, about limited shell/telnet access and where people can get into other people's directories, etc. This is a lame thing and has nothing to really do with the Cpanel, other than it didn't do checking to prevent it. This has been discussed time and tiem again. You seem like some kid that wants to try and impress people, but doesn't really know much of anything.
Simply changing a few permissions and ownership of certain directories, would prevent you from doing these lame-o things to impress yourself, even if the Cpanel didn't do the checking. This is the same reason why Addr was cracked and someone gained important information. If people are wise about what permissions to use, this isn't a problem. Not a very impressive exploit -- and not even an exploit at all, actually. The fact that you make a big deal about it and try and get money for it, like it's some big, complex problem, is just pathetic.

I thought that ADDR thing was a fake?


Andrew

Originally posted by cimshimy
I thought that ADDR thing was a fake?
I think that the "we're going out of business next week" was a fake, but I'm pretty sure that the "we're clueless morons who don't know how to chmod our CC data" was real.

Anyway, I know this is a lame claim of a hole, but as I stated (in this web security forum), there are simple and effective ways to stop this from happening, as well as stopping it from happening in FTP or shell access as well (or if someone writes a script to provide them with access to shell commands), it will all fail to provide said user to have permission to read any files that are in any user's account directory and beyond. So, no matter if it's Cpanel, FTP or shell, or CGI or other scripts, this won't be a problem.

No reason to deal with some kid that wants to try and make a big deal about it, but, as I said before, this is something people ought to do and enforce anyway, no matter what, if they are a web host and have shared accounts, demo accounts, or anything else. Email me and I'll help you out, it only takes a couple of minutes to do and I'll show you the problem with an example and you can test it yourself. I'll explain how it works and how to implement this solution and you can test the example again and see how it doesn't work. Just email me and I'll help you out -- no charge, but donations or references are always nice. :-)