-
08-03-2009, 03:04 AM #1 Web Hosting Master (Join Date: May 2006; Location: EU & USA; Posts: 3,684)
cPanel refuses to fix cross-site request forgery
Did not yet see this posted; maybe I missed it; but apparently cPanel does not wish to fix a cross-site request forgery because it would be a so-called feature. Maybe due to the weekend someone had a drink too many.
Anyway; from The Register:
The vulnerability in cPanel is triggered by luring a user to a malicious website while logged in to the program, which is one of the most widely used web-hosting applications. The attack is able to trick cPanel into carrying out sensitive commands by making it appear as if they came from the victim.
"If you logged in as root and you hit my website or you hit any website I control, I can do anything I want," Bailey said. "I can reset your root password, I can upgrade software, I can modify any setting I want. That's scary and that's bad."
Even more troubling, Bailey continued, was the reply he got when he notified cPanel officials of the bug. "The response I got from cPanel was we can't fix this because it's a feature. Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."
-
08-03-2009, 03:13 AM #2 Junior Guru Wannabe (Join Date: Jun 2007; Posts: 82)
That's quite some depressing news, being on a cPanel plan currently... because even if I'm going to a site I trust, the ads they have may have the CSRF that can take it over.
This is what really got me
Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this
-
08-03-2009, 03:22 AM #3 Web Hosting Master (Join Date: May 2006; Location: EU & USA; Posts: 3,684)
I assume they tried to contact cPanel support and got this answer; as a bit later in the article it said:
Representatives from cPanel, Netgear and Linksys weren't immediately available for comment. This article will be updated if they can be reached and provide a response.
But what would this mean to end users? You could simply close all sites (best to close the browser and reopen); log in to cPanel; do your stuff; log out from cPanel; and go on with your stuff.
However, things get more interesting when you are a server administrator or reseller, who more often need to have active sessions.
-
08-03-2009, 03:23 AM #4 Junior Guru Wannabe (Join Date: Jun 2009; Posts: 43)
So easy to fix a caveman could do it... just require a private pass/key to be sent as well when running commands remotely.
-
08-03-2009, 12:27 PM #5 Junior Guru Wannabe (Join Date: Sep 2007; Location: UK; Posts: 49)
I read this earlier today and it is somewhat troubling.
I've been thinking of mailing my customers and advising them to log out properly (and not just close the browser) as soon as they have finished what they are doing.
It's kind of a difficult decision - do I keep quiet and potentially risk an exploit, or do I (possibly) scare customers away to another host with a different control panel?
-
08-03-2009, 12:44 PM #8 Junior Guru Wannabe (Join Date: Sep 2007; Location: UK; Posts: 49)
A member of staff on their forums...
http://forums.cpanel.net/f5/crsf-lea...tml#post550689
-
08-03-2009, 08:06 PM #9 Junior Guru Wannabe (Join Date: Sep 2007; Location: UK; Posts: 49)
The statement is at:
http://www.cpanel.net/2009/08/cpanel...t-forgery.html
-
08-04-2009, 03:55 AM #10 Web Hosting Master (Join Date: May 2006; Location: EU & USA; Posts: 3,684)
For easy reading:
cPanel is a well known web hosting control panel utilized by major hosting providers around the world. In response to a recent security article, cPanel, Inc. is issuing a response to customers, service providers, end users, and 3rd party developers that utilize the software.
A CSRF (cross-site request forgery) attack occurs when an unauthorized command is propagated from a user's browser to another target session without the user's knowledge. For users of cPanel products, this can occur while logged into the control panel and an outside website causes you to execute specific commands that modify settings within your control panel. You must be logged into your control panel interface and the creator of the attack must know specific information regarding your control panel environment in order to successfully complete the CSRF attack.
cPanel Developers and System Administrators are recommending a number of steps to help reduce risk associated with this type of attack.
- Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
- Avoid opening SPAM, websites, or clicking on links that you do not trust, especially URL shortening services found on many social media sites.
- Update your current passwords within cPanel on a regular basis and maintain strong password discipline.
Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel's products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified. Enabling the new security feature will be an optional configuration and will require the testing of remote applications and integration methods used in conjunction with cPanel software. cPanel has been directly working with software vendors and application vendors to educate them on the upcoming changes with 11.25.
cPanel is committed to providing ongoing communications with customers and end users of software features, security, and ongoing support issues. When security reports are provided through proper channels, a public response will be provided to help reduce the overall risk of specific events. cPanel will provide updates to the affected parties through the proper channels.
Customers that wish to discuss this in depth and understand the upcoming implementation are encouraged to open tickets or communicate directly with their points of contact to cPanel.
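A toy model of the attack described in the thread and of the fix proposed in #4 (a private secret that must accompany every command), added here as an example; it is not part of the thread and not cPanel's code, and says nothing about how cPanel 11.25 actually implemented its mitigation. The `ControlPanel` class, the `resetpass` action and the `csrf_token` field name are made up for illustration, and the attacker's form body is a constructed sample. It also shows why the "log out when you are done" advice in #3, #5 and the cPanel statement works: a forged request arriving after the server-side session has been destroyed has nothing to ride on.

```python
"""Added example (not cPanel's code): cookie-authenticated control-panel
command, the cross-site forgery against it, and a per-session token fix."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode


class ControlPanel:
    """Server side. Authentication is a session cookie. With
    require_token=True every state-changing command must also carry a
    per-session secret that only pages served to the logged-in user contain."""

    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions = {}   # session id -> username
        self.tokens = {}     # session id -> anti-CSRF token (hypothetical name)
        self.root_password = "initial-secret"

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.tokens[sid] = secrets.token_hex(16)  # embedded in pages, never in a cookie
        return sid

    def logout(self, sid):
        """Destroy the server-side session; closing a tab does NOT do this."""
        self.sessions.pop(sid, None)
        self.tokens.pop(sid, None)

    def post(self, cookies, body):
        """Handle a form POST. Returns (status, message)."""
        sid = cookies.get("session")
        if sid not in self.sessions:
            return 401, "not logged in"
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if self.require_token:
            sent = form.get("csrf_token", "")
            # Constant-time compare. An attacker's page can make the browser
            # send the cookie, but cannot read this token cross-origin.
            if not hmac.compare_digest(sent, self.tokens[sid]):
                return 403, "missing or invalid csrf token"
        if form.get("action") == "resetpass" and form.get("newpass"):
            self.root_password = form["newpass"]
            return 200, "root password changed"
        return 400, "unknown command"


def browser_submit(panel, cookie_jar, body):
    """Model of the victim's browser: whichever origin built the request,
    the browser attaches the victim's cookies for the panel's origin."""
    return panel.post(cookie_jar, body)


# Constructed attacker payload: what a hidden auto-submitting form on the
# attacker's site (or in an ad on a trusted site, as #2 notes) would post.
ATTACK_BODY = urlencode({"action": "resetpass", "newpass": "owned-by-attacker"})


def run_scenario(require_token, logged_out_first=False):
    """Victim (root) logs in, then visits the attacker's page.
    Returns (status, root_password_after)."""
    panel = ControlPanel(require_token=require_token)
    sid = panel.login("root")
    jar = {"session": sid}
    if logged_out_first:
        panel.logout(sid)          # the advice from #3 / #5 / the statement
    status, _ = browser_submit(panel, jar, ATTACK_BODY)
    return status, panel.root_password


def legitimate_change(newpass):
    """The real UI knows the token because the server put it in the page."""
    panel = ControlPanel(require_token=True)
    sid = panel.login("root")
    body = urlencode({"action": "resetpass", "newpass": newpass,
                      "csrf_token": panel.tokens[sid]})
    status, _ = panel.post({"session": sid}, body)
    return status, panel.root_password


if __name__ == "__main__":
    print("no token, logged in:  ", run_scenario(False))
    print("no token, logged out: ", run_scenario(False, logged_out_first=True))
    print("token required:       ", run_scenario(True))
    print("legit with token:     ", legitimate_change("new-strong-pass"))
```

The first scenario is the one Bailey describes: cookie alone authorizes the command, so the forged POST resets the root password. Logging out first turns it into a 401 even without the fix, which is why the "log out properly" advice helps, and why merely closing the browser does not if the server-side session survives. With the token required the forged request gets a 403 while the legitimate UI still works. Note what the fix breaks: any third-party script that posted commands with only a cookie or credentials now gets 403 until it learns to fetch the token first, which is exactly the integration concern the cPanel statement alludes to.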