  1. #1
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684

    cPanel refuses to fix cross-site request forgery

    Did not yet see this posted; maybe I missed it; but apparently cPanel does not wish to fix a cross-site request forgery because it would be a so-called feature. Maybe due to the weekend someone had a drink too many.

    Anyways; from The Register:

    The vulnerability in cPanel is triggered by luring a user to a malicious website while logged in to the program, which is one of the most widely used web-hosting applications. The attack is able to trick cPanel into carrying out sensitive commands by making it appear as if they came from the victim.
    "If you logged in as root and you hit my website or you hit any website I control, I can do anything I want," Bailey said. "I can reset your root password, I can upgrade software, I can modify any setting I want. That's scary and that's bad."
    Even more troubling, Bailey continued, was the reply he got when he notified cPanel officials of the bug. "The response I got from cPanel was we can't fix this because it's a feature. Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."
    The complete article can be found here.

  2. #2
    Join Date
    Jun 2007
    Posts
    82
    That's quite some depressing news, being on a CPanel plan currently... because even if I'm going to a site I trust, the ads they have may have the CSRF that can take it over.

    This is what really got me
    Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this
    Are they not even going to test out a fix? *Sigh* Saying it might break integration and testing if it breaks integration are two very different things.

  3. #3
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    Quote Originally Posted by daz07 View Post
    Are they not even going to test out a fix? *Sigh* Saying it might break integration and testing if it breaks integration are two very different things.
    I assume they tried to contact cPanel support and got this answer; as a bit later in the article it said:

    Representatives from cPanel, Netgear and Linksys weren't immediately available for comment. This article will be updated if they can be reached and provide a response.
    So it could be someone is waking up now.

    But what would this mean to end-users? You could simply close all sites (best to close the browser and reopen); log in to cPanel; do your stuff; log out from cPanel. And go on with your stuff.

    However, things get more interesting when you are a server administrator or reseller, who more often need to have active sessions.
    Last edited by 040Hosting; 08-03-2009 at 03:23 AM. Reason: fixed typo

  4. #4
    Join Date
    Jun 2009
    Posts
    43
    So easy to fix a caveman could do it... just require a private pass/key to be sent as well when running commands remotely.

  5. #5
    Join Date
    Sep 2007
    Location
    UK
    Posts
    49
    I read this earlier today and it is somewhat troubling.

    I've been thinking of mailing my customers and advising them to log out properly (and not just close the browser) as soon as they have finished what they are doing.

    It's kind of a difficult decision - do I keep quiet and potentially risk an exploit, or do I (possibly) scare customers away to another host with a different control panel?

  6. #6
    Join Date
    Sep 2007
    Location
    UK
    Posts
    49
    Quote Originally Posted by 040Hosting View Post
    I assume they tried to contact cPanel support and got this answer; as a bit later in the article it said:

    So it could be someone is waking up now.

    But what would this mean to end-users? You could simply close all sites (best to close the browser and reopen); log in to cPanel; do your stuff; log out from cPanel. And go on with your stuff.

    However, things get more interesting when you are a server administrator or reseller, who more often need to have active sessions.
    You could always use a second browser?

    I had a quick look and it appears cPanel will (or should) be making a statement later on today.

  7. #7
    Join Date
    Aug 2001
    Posts
    4,028
    Quote Originally Posted by AndyM2020 View Post
    I had a quick look and it appears cPanel will (or should) be making a statement later on today.
    Where did you hear about them making a statement?

  8. #8
    Join Date
    Sep 2007
    Location
    UK
    Posts
    49
    Quote Originally Posted by Mekhu View Post
    Where did you hear about them making a statement?
    A member of staff on their forums...

    http://forums.cpanel.net/f5/crsf-lea...tml#post550689

  9. #9
    Join Date
    Sep 2007
    Location
    UK
    Posts
    49

  10. #10
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    For easy reading:

    cPanel is a well known web hosting control panel utilized by major hosting providers around the world. In response to a recent security article, cPanel, Inc. is issuing a response to customers, service providers, end users, and 3rd party developers that utilize the software.

    A CSRF (cross-site request forgery) attack occurs when an unauthorized command is propagated from a user's browser to another target session without the user's knowledge. For users of cPanel products, this can occur while logged into the control panel and an outside website causes you to execute specific commands that modify settings within your control panel. You must be logged into your control panel interface and the creator of the attack must know specific information regarding your control panel environment in order to successfully complete the CSRF attack.

    cPanel Developers and System Administrators are recommending a number of steps to help reduce risk associated with this type of attack.

    • Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
    • Avoid opening SPAM, websites, or clicking on links that you do not trust, especially URL shortening services found on many social media sites.
    • Update your current passwords within cPanel on a regular basis and maintain strong password discipline.

    Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel's products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified. Enabling the new security feature will be an optional configuration and will require the testing of remote applications and integration methods used in conjunction with cPanel software. cPanel has been directly working with software vendors and application vendors to educate them on the upcoming changes with 11.25.

    cPanel is committed to providing ongoing communications with customers and end users of software features, security, and ongoing support issues. When security reports are provided through proper channels, a public response will be provided to help reduce the overall risk of specific events. cPanel will provide updates to the affected parties through the proper channels.

    Customers that wish to discuss this in depth and understand the upcoming implementation are encouraged to open tickets or communicate directly with their points of contact to cPanel.
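    The mitigation post #4 asks for and the cPanel statement above describes (a per-session secret that the attacker's page cannot read) can be shown in a few lines. This is an added example, not cPanel's code; the session store, the `change_password` handler and the `enforce_csrf` switch are assumptions standing in for a control panel's state-changing endpoint. It also shows why the statement calls the feature optional: an integration that posts with only the cookie stops working once enforcement is on.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> record); it stands in for
# the control panel's session table. All names here are assumptions.
SESSIONS = {}

def login(user):
    """Start a session. The id goes into the browser cookie; the CSRF token is
    only embedded in pages served to that same session, so a cross-site page
    never sees it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "password": None}
    return sid

def csrf_token(sid):
    return SESSIONS[sid]["csrf"]

def change_password(cookie_sid, form, enforce_csrf):
    """State-changing handler. With enforce_csrf=False the cookie alone
    authorises the action (the behaviour the thread describes); with
    enforce_csrf=True the form must also carry the session's own token."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    if enforce_csrf:
        token = form.get("csrf_token", "")
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403
    sess["password"] = form["new_password"]
    return 200

def demo():
    sid = login("root")
    # Forged request: the attacker's page knows the endpoint and field names and
    # the browser attaches the cookie, but the token is unreadable cross-site.
    forged = {"new_password": "attacker-chosen"}
    # A third-party billing client that posts with the cookie only, the kind of
    # integration the statement says must be re-tested before enforcement.
    integration = {"new_password": "billing-reset"}
    legit = {"new_password": "user-chosen", "csrf_token": csrf_token(sid)}
    return {
        "forged_without_enforcement": change_password(sid, forged, False),
        "forged_with_enforcement": change_password(sid, forged, True),
        "legit_with_enforcement": change_password(sid, legit, True),
        "integration_with_enforcement": change_password(sid, integration, True),
        "password_after": SESSIONS[sid]["password"],
    }
```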
