Page 1 of 6 1234 ... LastLast
Results 1 to 25 of 145
  1. #1
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,861

    Exclamation cPanel Root Exploit - Read ANY File On The Server - They Say, Minor Issue...

    Type: Content Disclosure (Root Access)
    Impact: High
    Product: cPanel
    Website: http://www.cpanel.net
    Vulnerable Version: 11.38.0.7 and earlier.
    Fixed Version: -
    CVE: -
    Date: 2013-05-18
    By: http://www.rack911.com
    Product Description:

    cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

    Vulnerability Description:

    There is a flaw within the import / restore feature that allows an attacker to use a malicious archive to gain access to sensitive files via a symlink attack due to an incorrect handling of the domain log files. When the malicious archive is restored the symlinks become normal files that can then be backed up and viewed by the user.

    Note: In order for this vulnerability to work, the attacker must social engineer the hosting company to restore the malicious archive. However, because transferring and restoring accounts is such a common practice in the hosting world we believe this exploit to be trivial to perform.

    Proof of Concept:

    We have thought long and hard about this and initially were going to release the proof of concept with this advisory, but have decided to wait until Wednesday (May 22, 2013) to give cPanel time to fix this "minor" exploit as they call it.

    However, regardless of whether or not they put out a fix by then, we will be moving forward with a step by step guide and a pre-packaged archive that will compromise a handful of root owned files. We're talking the encrypted shadow password file, but also the plain text root MySQL password and any private SSH keys being used.

    If anyone is concerned about this, we suggest that you email cPanel's security team at security[at]cpanel.net to voice your concern that a fix be issued before Wednesday for this "minor" issue.

    Impact:

    We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow, the MySQL root password and any private SSH keys. (It is also possible to grab multiple files at once using several symlink attacks within one malicious archive.)

    It's important to note that cPanel has deemed this vulnerability to be "minor" in their eyes which we view to be extremely reckless towards the security of every hosting provider out there. It is their opinion that web hosting providers should not transfer or restore accounts from untrusted sources. As we all know, this practice is extremely common with shared hosting and especially reseller hosting providers.

    We cannot stress enough how inexcusable it is for cPanel to view this flaw as a "minor" vulnerability. An attacker could create their own malicious archive in minutes and come up with 100 different plausible excuses to have their hosting provider restore the archive without so much of a second thought. We're trying to make the hosting community safer, but we cannot do it when companies such as cPanel continue to act like this.

    Work Around:

    Until cPanel issues a patch, we advise hosting providers to check their archives for symlinks and investigate accordingly:

    tar -ztvf newuser.tar.gz | grep ' -> ' |grep -v public_html

    Vulnerable Version:

    This vulnerability was tested against cPanel (WHM) v11.38.0.7 and is believed to exist in all previous versions.
    Last edited by BeZazz; 02-19-2014 at 12:06 PM.
      2 Not allowed!

  2. Thread Summary Information taken from http://www.webhostingtalk.com/showpo...&postcount=118

    For anyone late to the party that can't be bothered to read through the entire thread, here are two posts that discuss detecting possible malicious symlinks in untrusted archives:

    http://www.webhostingtalk.com/showpo...6&postcount=57
    http://www.webhostingtalk.com/showpo...6&postcount=65

    The first post is a manual check and the second one is a wrapper that can be added to cPanel to do it automatically. If anyone has any questions about these two methods, let us know and we'll do our best to help you out.

    Contributors: BeZazz

  3. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,259
    How many of you restore backups every day without a second thought?
    We get a good number of backup restoration requests from our customers with user supplied backups and the amount of checks we have to do is ridiculous because cPanel can't get their backup/restore system right.

    Let me tell you about a plausible scenario:
    You are a webhost, you get a new sign up and this user has a handful of accounts on a dedicated server. You offer free migration. This user is malicious. With the usage of hooks a crafty attacker could dynamically add these symlinks into the backups so when you go to transfer the accounts they automatically get added and then you restore on your server without second guessing it. Later that day your server has been wiped clean and you don't know why..

    Yes.. it CAN happen and you would be completely blind sided by it.
    A few years ago I discovered a bug with cpanel backups which allowed a backup to be tampered to access other databases or remove the root account for mysql. I discovered this originally because I was doing a plesk to cpanel migration and upon moving an account the mysql root account disappeared completely. I took a further look at the issue and discovered I could make small modifications and grant users in one account access to other accounts. Upon contacting cPanel they stated that there was nothing that could be done about it. Surprise surprise - the issue is patched and they never let anyone know . I suspect this will probably occur a few months one day.

    There is another panel vulnerable to a very similar exploit, and their response is the equivalent of 'oh ****!'. If only cPanel cared that much!
    cPanel is the only vendor out of approx 10 vendors who we are working with currently on flaws that basically have pushed us away completely.

    With that said, I know that me personally.. do not like the idea of sensitive data being able to be obtained through a users account. Any time sensitive data has the potential to be compromised it should be resolved. If it requires a rewrite of how you do things.. then do it. It is not the poor users of a software fault these issues exist, its the vendors fault and the users should not have to suffer.

    Maybe I am going insane after 10+ years of this.. but I personally think that cPanel is the insane ones.
    Last edited by Steven; 05-18-2013 at 11:22 PM.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.
      0 Not allowed!

  4. #3
    It's very simple.

    They won't care until the problem results in lost revenue.

    Are people going to cancel their licenses or *not* purchase a license because of their security policy?
    Want to sell domain names? Sign up today for an eNom.com reseller account from a trusted eNom ETP provider.
    * We provide support and service to over 3245 happy eNom domain name and SSL certificate resellers!
      0 Not allowed!

  5. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,259
    Well the POC is coming out Wednesday as much as I don't want it to come out without them fixing it as the potential for bystanders to be harmed is great.

    No one checks backups before they restore them.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.
      0 Not allowed!

  6. #5
    Join Date
    Jun 2012
    Location
    Saskatchewan, Canada
    Posts
    458
    This makes me glad I've never used cPanel over these years. I've always done things the manual way because I know that convenience usually trades off security.

    I'm not a hoster, but if I was and I used cPanel I would be harrassing their phone/email support every hour until they issued a fix. If it wasn't fixed within a few days, I would migrate elsewhere.
      0 Not allowed!

  7. #6
    Quote Originally Posted by swiftnode View Post
    If it wasn't fixed within a few days, I would migrate elsewhere.
    Yes, I'm sure all our customers wouldn love if we switched them to a different control panel. They will surely enjoy spending time changing all their website scripts to deal with the different control panel's of file system paths, database names, email setup, etc.

    If only it were so easy...
    Want to sell domain names? Sign up today for an eNom.com reseller account from a trusted eNom ETP provider.
    * We provide support and service to over 3245 happy eNom domain name and SSL certificate resellers!
      0 Not allowed!

  8. #7
    Join Date
    Nov 2011
    Location
    Harrisburg, PA
    Posts
    2,073
    This is absurd. For cPanel to consider this "minor" is just ... words escape me. I can only guess that their reasoning has to do with the fact that the host first has to restore a backup. Perhaps their argument is that it would then be the host's fault.

    If this report were coming from anyone else, I would have my doubts. However, Rack911 is a very well-respected management company and prone to neither hyperbole nor rash responses. As such, I invite cPanel to show up here and prove them wrong.

    Better yet, please prove them wrong by pushing out a patch immediately.
    Last edited by FRH Lisa; 05-19-2013 at 09:18 PM.
    Fresh Roasted Hosting :: High-performance Harrisburg web hosting since 2012!
    "The only thing better than the world's best customer service is never needing them in the first place."
    Shared :: VPS :: Reseller :: Dedicated :: Co-Location :: SSL Certificates
      0 Not allowed!

  9. #8
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,259
    Quote Originally Posted by FRH Lisa View Post
    Perhaps their argument is that it would then be the host's fault.
    Right, lets blame the host instead of fixing a flaw.
    Like I said in my earlier post, another vendor has a similar problem.. and they are jumping at fixing it.

    I don't think cpanel understands their target audience at all. Sad to say, a large number of cpanel users are completely illiterate to servers.

    They have this warning on /scripts/restorepkg:

    Security Note: It is recommended that you do not restore a package from an untrusted source.
    If you choose to ignore this warning, you should use --skipres to minimize the risk.
    No where does it explain why. Plenty of people just ignore it and restore anyway -- I dare someone to prove me wrong on this.

    Someone said in another thread that it seems like we are signaling out cpanel -- That is not the case. They are being irresponsible and we are trying to get them to change that.
    I don't like my customers utilizing software with flaws. It goes against everything I believe in being an admin.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.
      0 Not allowed!

  10. #9
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    823
    Thank you Patrick for your update and work around. Let's hope that a cPanel update will follow soon, to fix the problem and that they stop ignoring you.

    By the way, if anyone wants to scan their hosted accounts for existing suspicious symlinks (possibly created using this or another cPanel vulnerability), they can run this command:

    Code:
    find /home*/ -type l -exec ls -l {} \; | grep -v 'www -> public_html' | grep -v '/mail/' | grep -v ' /usr/local/apache/domlogs' | grep -v '/cpeasyapache/' | grep -v '/virtfs/'
    Symlinks found by this command should be inspected carefully.
    Last edited by NetworkPanda; 05-19-2013 at 10:46 PM.
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France
      1 Not allowed!

  11. #10
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,861
    Quote Originally Posted by Steven View Post
    They have this warning on /scripts/restorepkg:

    Security Note: It is recommended that you do not restore a package from an untrusted source. If you choose to ignore this warning, you should use --skipres to minimize the risk.

    No where does it explain why. Plenty of people just ignore it and restore anyway -- I dare someone to prove me wrong on this.
    One thing worth noting, is that the warning is only when restoring via the command line. It does not give any such warning when you do it via WHM -- whether restoring a full backup archive on the same server or using the transfer account feature. Additionally, that -skipres message is TO SKIP RESELLER PRIVILEGES to prevent someone from making their reseller account root ... which is 100% unrelated to our flaw. Our flaw is for all users, normal users and reseller users.

    This is all just so frustrating. The director of operations at cPanel requested a phone conference with us last week and we politely declined for reasons like this. It would turn into us yelling at them for not getting what we're trying to drive home in regards to the importance of proper disclosure when it comes to these types of flaws. I sent the director back a long email detailing what our issue is with cPanel and then the next day... we get this. They just don't get it... they don't get it!
      0 Not allowed!

  12. #11
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,861
    Quote Originally Posted by NetworkPanda View Post
    By the way, if anyone wants to scan their hosted accounts for existing suspicious symlinks (possibly created using this or another cPanel vulnerability), they can run this command:
    Just a note, but that command will only work if the attacker is using the same cPanel server to package the malicious archives and leaves them behind.

    Anyone can make the malicious archives on any server and once it's been restored by the admin that command will not work because cPanel immediately converts the symlinks to real files during the restore process. The only sure fire way for an admin to protect against this, short of not restoring any archives given to them which is cPanel's silly advice... is:

    tar -ztvf newuser.tar.gz | grep ' -> ' |grep -v public_html

    That will scan archive to be restored and report any symlinks, which there shouldn't be any in a normal archive. (As you mentioned though, any symlinks under their accounts should be checked anyway. Some people have not applied that symlink patch to cPanel for the other flaw that Steven reported on the other year.)
      0 Not allowed!

  13. #12
    Join Date
    Nov 2000
    Location
    Thailand
    Posts
    3,360
    Quote Originally Posted by mrzippy View Post
    Yes, I'm sure all our customers wouldn love if we switched them to a different control panel. They will surely enjoy spending time changing all their website scripts to deal with the different control panel's of file system paths, database names, email setup, etc.

    If only it were so easy...
    Why would a control panel enforce file paths, database naming conventions and email routing... Surely that is configuration... oh wait. Peel it all back before considering where to rolleyes..

    At least their is some consistency in expectation between cpanel and whmcs.. just need re-release the latest version without incrementing the version number to seal the professionalism..
    Last edited by MattF; 05-20-2013 at 09:13 AM.
      0 Not allowed!

  14. #13
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,861
    A direct competitor to cPanel suffers from a similar vulnerability and this was their response when I mentioned how cPanel labelled it minor:

    In my book there's no such thing as a "low" priority security bug. We're fast-tracking a release to address this.
    I'd love to name the company but since they haven't issued a patch yet, I don't want to put their customers at risk. It is extremely refreshing though for a company to take security seriously. Pay attention cPanel, because that is how you handle security vulnerabilities!
      0 Not allowed!

  15. #14
    Join Date
    Feb 2006
    Location
    Buffalo NY
    Posts
    1,259
    We've been trying to work with cPanel on this as well. They have a glaring disregard for how important (or in their eyes - not important) the whole backup / restore system is to providers such as us.

    https://forums.cpanel.net/f185/resto...es-347802.html

    The answer from cPanel is this - don't transfer accounts from anyone but yourselves. Even then tread cautiously because we don't sanitize anything.

    What a joke.
    Cody R. - Chief Technical Officer
    Quality Shared and VPS Hosting
    Hawk Host Inc. Proudly serving websites since 2004
    PHP 5.3.x & PHP 5.4.x & PHP 5.5.X Support!
      0 Not allowed!

  16. #15
    Looks like cPanel is addressing this issue. Quote from the cPanel forums:

    Weve been getting some interesting and valuable feedback from the cPanel Community recently concerning the security model used by the transfer and backup restore system. Wed like to address these concerns here and provide the Community with some clarity on this topic, directly from cPanel.

    First, we want to highlight again, the risk of restoring account backup packages from untrusted or unknown sources. We need to ensure that everyone has the opportunity to be conscious of the security concerns associated with this process.

    The account backup package system (pkgacct) is designed to transfer an account between machines inside your ecosystem. This system's primary goal is to prefer replication integrity in order to simplify the process of migrating your accounts between your servers.

    In order to achieve this goal it must copy the entire account, along with its configuration, privileges, customizations, files, and permissions that the account has been granted.
    The system is not designed to handle untrusted data. There are a myriad of ways a malicious user can alter an account backup package to escalate privileges, or add additional privileges to an account backup package.
    We strongly recommend that you do not restore data from untrusted sources. It is for this reason that the restore system has always been limited to the root user.


    It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice then we envisioned. In addition, our warnings against doing so have been inadequate to discourage the restoration of untrusted account backup packages.

    We understand the value that this workflow offers, and we want to offer a way to accomplish restoring account backup packages from untrusted sources in a more secure manner. The security and integrity of your system is very important to us.

    Your feedback, along with the consideration of the desired workflow, has prompted us to reevaluate our current system and develop a new goal of delivering a more robust solution.

    We will soon release an update that adds the warnings present in the CLI restorepkg script to the WHM UI. The warnings will be expanded to explain why account backup packages from untrusted sources should not be restored using the current system.
    We have launched a high priority project to develop an alternate system for handling the restoration of untrusted account backup packages. This new system will restore a limited, safer subset of the data. The primary goal of the new restore tool will be to prefer the security of the restore over replication integrity. We will endeavor to provide as much of the current restore functionality with the new untrusted account backup package restore tool as possible. During the new transfer and restore process, you will be able to clearly select which system you want to use (trusted or untrusted) to restore an account backup package.
    The CLI restorepkg tool will be renamed to restore_trusted_pkg. Once development of the untrusted account backup package restore system is complete, a restore_untrusted_pkg CLI tool will be added.


    For the avoidance of doubt, untrusted sources means anyone you would not already trust with root access to the server.
    ~ forums.cpanel.net/f185/restoring-account-backup-packages-unknown-untrusted-sources-347802.html#post1394992
      0 Not allowed!

  17. #16
    Join Date
    Feb 2006
    Location
    Buffalo NY
    Posts
    1,259
    Quote Originally Posted by CitizenKepler View Post
    Looks like cPanel is addressing this issue. Quote from the cPanel forums:



    ~ forums.cpanel.net/f185/restoring-account-backup-packages-unknown-untrusted-sources-347802.html#post1394992
    In short - "We're aware the system is entirely insecure. Don't restore or transfer accounts unless they're your own accounts".

    This doesn't fly with providers. We do restores / backups / transfers daily. They know this. They're putting on their "PR face".
    Cody R. - Chief Technical Officer
    Quality Shared and VPS Hosting
    Hawk Host Inc. Proudly serving websites since 2004
    PHP 5.3.x & PHP 5.4.x & PHP 5.5.X Support!
      0 Not allowed!

  18. #17
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,861
    Heh. I don't even know what to say any more... the notion that providers shouldn't restore "untrusted" backups is crazy. Think of all the reseller providers out there, how many they have to restore every single day!

    It's worth noting that there are two other panels vulnerable to similar flaws and both are treating this as a high priority thing... one even said in relation to cPanel and I quote:

    "In my book there's no such thing as a "low" priority security bug. We're fast-tracking a release to address this."
      0 Not allowed!

  19. #18
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,259
    Quote Originally Posted by CodyRo View Post
    We've been trying to work with cPanel on this as well. They have a glaring disregard for how important (or in their eyes - not important) the whole backup / restore system is to providers such as us.

    https://forums.cpanel.net/f185/resto...es-347802.html

    The answer from cPanel is this - don't transfer accounts from anyone but yourselves. Even then tread cautiously because we don't sanitize anything.

    What a joke.
    Baby steps Cody. It only took how many years to get this far?
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.
      0 Not allowed!

  20. #19
    Quote Originally Posted by CodyRo View Post
    In short - "We're aware the system is entirely insecure. Don't restore or transfer accounts unless they're your own accounts".

    This doesn't fly with providers. We do restores / backups / transfers daily. They know this. They're putting on their "PR face".
    I don't know if you're intentionally skipping over the rest of the post, or just didn't read it.

    Quote Originally Posted by CitizenKepler View Post

    [from the forum post he referenced]: We have launched a high priority project to develop an alternate system for handling the restoration of untrusted account backup packages. This new system will restore a limited, safer subset of the data. The primary goal of the new restore tool will be to prefer the security of the restore over replication integrity. We will endeavor to provide as much of the current restore functionality with the new untrusted account backup package restore tool as possible. During the new transfer and restore process, you will be able to clearly select which system you want to use (trusted or untrusted) to restore an account backup package.
      0 Not allowed!

  21. #20
    Join Date
    Feb 2006
    Location
    Buffalo NY
    Posts
    1,259
    Quote Originally Posted by Alfalfa_Head View Post
    I don't know if you're intentionally skipping over the rest of the post, or just didn't read it.
    This high priority project has been brought to their attention for several years. They've only made it high priority since it's been made public. Where is the line drawn?

    It's been known for years the whole system was flawed. Ask anyone who has been in the industry for awhile. cPanel isn't ignorant to this.
    Cody R. - Chief Technical Officer
    Quality Shared and VPS Hosting
    Hawk Host Inc. Proudly serving websites since 2004
    PHP 5.3.x & PHP 5.4.x & PHP 5.5.X Support!
      0 Not allowed!

  22. #21
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,861
    ... now if only they would rewrite WHM to address our other (bigger) security concerns.
      0 Not allowed!

  23. #22
    Quote Originally Posted by CodyRo View Post
    This high priority project has been brought to their attention for several years. They've only made it high priority since it's been made public. Where is the line drawn?

    It's been known for years the whole system was flawed. Ask anyone who has been in the industry for awhile. cPanel isn't ignorant to this.
    I think my point is still valid. It seems a little disingenuous to gloss over relevant parts of the cPanel post. Anyway - I'm curious.. now that cPanel has responded and Patrick is aware they're working on an alternative transfer/restore system - will he release his PoC anyway, since he says his goal was to elicit action by non-responsive vendors?
    Last edited by Alfalfa_Head; 05-21-2013 at 05:02 PM.
      0 Not allowed!

  24. #23
    Join Date
    Feb 2006
    Location
    Buffalo NY
    Posts
    1,259
    Quote Originally Posted by Alfalfa_Head View Post
    I think my point is still valid. It seems a little disingenuous to gloss over relevant parts of the cPanel post.
    I think the timeline is key in this instance - I'm not glossing over anything. cPanel glossed over the fact that they had glaring issues in their system. They were made aware of it several times. They simply shrugged it off until Rack911 and crew publicly posted this and now they have to publicly address it.

    Seems terribly irresponsible that they're only now acknowledging it while underplaying the significance of the issue.

    Any provider can tell you that this system is crucial to their business. I'm happy they're addressing it. I'm unhappy that it took so long and that they're underplaying it. Also from previous experience knowing how long this will likely take to resolve is quite annoying / frustrating as a cPanel based host.

    I'm calling a spade a spade.

    **EDIT** You have appeared to edit your post.

    Quote Originally Posted by Alfalfa_Head View Post
    now that cPanel has responded and Patrick is aware they're working on an alternative transfer/restore system - will he release his PoC anyway, since he says his goal was to elicit action by non-responsive vendors?
    I sure hope so. I don't commend a vendor for not acting on something until it's made public and they're held to the fire. Responsible disclosure has been done in this case. It was disregarded. Only at the threat of public / full disclosure did this gain traction. That's a terrible precedent to set for any vendor.
    Last edited by CodyRo; 05-21-2013 at 05:11 PM.
    Cody R. - Chief Technical Officer
    Quality Shared and VPS Hosting
    Hawk Host Inc. Proudly serving websites since 2004
    PHP 5.3.x & PHP 5.4.x & PHP 5.5.X Support!
      0 Not allowed!

  25. #24
    Join Date
    Apr 2012
    Location
    Toronto, Canada
    Posts
    499
    Quote Originally Posted by Patrick View Post
    Product Description:

    cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

    Vulnerability Description:

    There is a flaw within the import / restore feature that allows an attacker to use a malicious archive to gain access to sensitive files via a symlink attack due to an incorrect handling of the domain log files. When the malicious archive is restored the symlinks become normal files that can then be backed up and viewed by the user.

    Note: In order for this vulnerability to work, the attacker must social engineer the hosting company to restore the malicious archive. However, because transferring and restoring accounts is such a common practice in the hosting world we believe this exploit to be trivial to perform.

    Proof of Concept:

    We have thought long and hard about this and initially were going to release the proof of concept with this advisory, but have decided to wait until Wednesday (May 25, 2013) to give cPanel time to fix this "minor" exploit as they call it.

    However, regardless of whether or not they put out a fix by then, we will be moving forward with a step by step guide and a pre-packaged archive that will compromise a handful of root owned files. We're talking the encrypted shadow password file, but also the plain text root MySQL password and any private SSH keys being used.

    If anyone is concerned about this, we suggest that you email cPanel's security team at security[at]cpanel.net to voice your concern that a fix be issued before Wednesday for this "minor" issue.

    Impact:

    We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed regardless of ownership, including root files such as /etc/shadow, the MySQL root password and any private SSH keys. (It is also possible to grab multiple files at once using several symlink attacks within one malicious archive.)

    It's important to note that cPanel has deemed this vulnerability to be "minor" in their eyes which we view to be extremely reckless towards the security of every hosting provider out there. It is their opinion that web hosting providers should not transfer or restore accounts from untrusted sources. As we all know, this practice is extremely common with shared hosting and especially reseller hosting providers.

    We cannot stress enough how inexcusable it is for cPanel to view this flaw as a "minor" vulnerability. An attacker could create their own malicious archive in minutes and come up with 100 different plausible excuses to have their hosting provider restore the archive without so much of a second thought. We're trying to make the hosting community safer, but we cannot do it when companies such as cPanel continue to act like this.

    Work Around:

    Until cPanel issues a patch, we advise hosting providers to check their archives for symlinks and investigate accordingly:

    tar -ztvf newuser.tar.gz | grep ' -> ' |grep -v public_html

    Vulnerable Version:

    This vulnerability was tested against cPanel (WHM) v11.38.0.7 and is believed to exist in all previous versions.
    This is the second vulnerbility cPanel has blown off as a "meh" in the last what... 2 weeks? Guys over at WHMCS working the support desk at cPanel or what?

    At least the customers can't restore themselves, that's the first positive i see for now. In my 17 years, i've never gone over a backup archive for it's contents. Naive? I don't know, but i had no reason to and cPanel should be addressing this and not labeling it 'minor'. What a joke
      0 Not allowed!

  26. #25
    What makes me laugh is this part of the cpanel response:

    It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice then we envisioned.
    Really? Is cpanel so out of touch with reality of how their software is being used that they did not think their restore utility would be used to transfer accounts between different hosting providers?

    Seriously?

    Is cpanel serious admitting that they have their own heads stuck so far up their own arses that they didn't think the account transfer utility would be used by end-users wanting to switch from one cpanel provider to another?

    Yes, their response is nothing more than an attempt at bad PR mitigation.

    Steven and Patrick called them out publicly, so they have no choice but to respond publicly. They are trying to minimize their arrogance by what... making us believe they are even stupider than we thought?

    Amazing.
    Want to sell domain names? Sign up today for an eNom.com reseller account from a trusted eNom ETP provider.
    * We provide support and service to over 3245 happy eNom domain name and SSL certificate resellers!
      0 Not allowed!

Page 1 of 6 1234 ... LastLast

Similar Threads

  1. Whats needed for website+minor file server?
    By fdmu876 in forum Web Hosting
    Replies: 8
    Last Post: 04-30-2012, 01:50 AM
  2. php server side include exploit --please read--
    By jessex in forum Programming Discussion
    Replies: 29
    Last Post: 11-29-2011, 01:39 PM
  3. Websites don't work; Issue with failed: Read-only file system
    By Urosino in forum Hosting Security and Technology
    Replies: 19
    Last Post: 08-31-2010, 05:25 AM
  4. Cpanel root exploit not really patched. READ
    By BrentOfHG in forum Web Hosting
    Replies: 92
    Last Post: 09-25-2006, 10:56 PM
  5. Anyone know what this remote root exploit does?
    By pmak0 in forum Hosting Security and Technology
    Replies: 5
    Last Post: 05-18-2005, 10:46 PM

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •