Page 2 of 6 (Results 26 to 50 of 145)
  #26 | Join Date: Nov 2011 | Location: Harrisburg, PA | Posts: 2,074
    Quote Originally Posted by cPanel View Post
    It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice than we envisioned.
    Translation: "Although we've been in the control panel game for over a decade, it only just now occurred to us that customers sometimes switch hosts."

    I'm glad to see cPanel finally responding, though I'm disgusted and concerned it took the threat of public disclosure to compel action. We are now looking for an alternate panel.
    Fresh Roasted Hosting :: High-performance Harrisburg web hosting since 2012!
    "The only thing better than the world's best customer service is never needing them in the first place."
    Shared :: VPS :: Reseller :: Dedicated :: Co-Location :: SSL Certificates

  #27 | Join Date: Apr 2012 | Location: Toronto, Canada | Posts: 501
    Quote Originally Posted by mrzippy View Post
    What makes me laugh is this part of the cpanel response:



    Really? Is cpanel so out of touch with the reality of how their software is being used that they did not think their restore utility would be used to transfer accounts between different hosting providers?

    Seriously?

    Is cpanel seriously admitting that they have their own heads stuck so far up their own arses that they didn't think the account transfer utility would be used by end-users wanting to switch from one cpanel provider to another?

    Yes, their response is nothing more than an attempt at bad PR mitigation.

    Steven and Patrick called them out publicly, so they have no choice but to respond publicly. They are trying to minimize their arrogance by what... making us believe they are even stupider than we thought?

    Amazing.
    lmao, I read the post over there but I apparently skimmed it too fast and missed that. They are apparently only realizing that cPanel is only used by the majority of the internet, but hey, at least someone smacked them upside the head.

    It is a pretty funny quote

  #28 | Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    Quote Originally Posted by mrzippy View Post
    What makes me laugh is this part of the cpanel response:



    Really? Is cpanel so out of touch with the reality of how their software is being used that they did not think their restore utility would be used to transfer accounts between different hosting providers?

    Seriously?

    Is cpanel seriously admitting that they have their own heads stuck so far up their own arses that they didn't think the account transfer utility would be used by end-users wanting to switch from one cpanel provider to another?

    Yes, their response is nothing more than an attempt at bad PR mitigation.

    Steven and Patrick called them out publicly, so they have no choice but to respond publicly. They are trying to minimize their arrogance by what... making us believe they are even stupider than we thought?

    Amazing.
    ... it's times like this I wish WHT had a like button.

    +1 !

  #29 | Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    Quote Originally Posted by CodyRo View Post
    I sure hope so. I don't commend a vendor for not acting on something until it's made public and they're held to the fire. Responsible disclosure has been done in this case. It was disregarded. Only at the threat of public / full disclosure did this gain traction. That's a terrible precedent to set for any vendor.
    We are moving forward with the POC tomorrow.

    An explanation will be made at that time for our reasoning to move forward despite cPanel issuing a statement. This is something very unique but we need to hold cPanel accountable... and making statements and promises are great and all, but we want a fix for this "minor" flaw. (Surely it doesn't take an entire week to fix something so minor... but we shall see come tomorrow.)

    If companies want to play around and downgrade the severity of flaws... and take years to make fixes and then blow smoke up our arses as if they didn't understand the restore / copy feature was being used extensively with "untrusted archives", then they need to be held accountable or, in this case, burned at the stake. We're done playing around with cPanel and will treat future advisories with them a little differently until they start acting responsibly like their direct competitors have with the same vulnerability.

  #30 | Join Date: Oct 2010 | Location: My world u just live here | Posts: 1,410
    Yet another reason why I always suggest Direct Admin


    • More secure
    • More up to date (current)
    • Uses fewer resources
    • Supports more OS options
    • You can OWN it thus saving money from leasing it like you do with cPanel
    • And it offers the same general functions most end users look for
    • Easy to customize (not just branding, but you can install outside of stock)
    • Better support which takes things seriously

    ▲ ▲

    WoltLab Dev

  #31 | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by TheVisitors View Post
    Yet another reason why I always suggest Direct Admin


    • More secure
    • More up to date (current)
    • Uses fewer resources
    • Supports more OS options
    • You can OWN it thus saving money from leasing it like you do with cPanel
    • And it offers the same general functions most end users look for
    • Easy to customize (not just branding, but you can install outside of stock)
    • Better support which takes things seriously
    Be careful with saying the bolded statement.
    They do things 'right', but their history has not always been secure.

    With that said 95% of the DA servers we see have grossly out of date daemons because it doesn't auto update them like cpanel does and a large amount of people who use it don't know you need to.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  #32 | Join Date: Jan 2004 | Posts: 593
    I believe you guys are over-reacting. You found a bug that you think is a big deal when really it's not.

    If you run a cPanel server, it is your responsibility to make sure it is secure and stays secure. Importing any information is a risk. If you don't scan the account after restore then don't blame cPanel for your lack of security practices.

    I agree with cPanel that this issue is minor. There are much bigger issues that are more important to be dealing with.

    Congrats on finding a potential security issue, but stop yelling at cPanel for them not agreeing with what you think is a big deal. You look foolish right now.

  #33 | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by speckl View Post
    I believe you guys are over-reacting. You found a bug that you think is a big deal when really it's not.

    If you run a cPanel server, it is your responsibility to make sure it is secure and stays secure. Importing any information is a risk. If you don't scan the account after restore then don't blame cPanel for your lack of security practices.

    I agree with cPanel that this issue is minor. There are much bigger issues that are more important to be dealing with.

    Congrats on finding a potential security issue, but stop yelling at cPanel for them not agreeing with what you think is a big deal. You look foolish right now.

    You are wrong, countless hosts on this forum restore backups every day without any thought to the security of it. With one of these backups you can obtain the root id_dsa/rsa key and log in to the server as root directly, which many hosts allow on their servers.

    The problem is, there are plenty of illiterate server operators, and the way cpanel is currently designed it enables people to take advantage of it.

    With that said, other control panels have resolved/are resolving this problem.
    Last edited by Steven; 05-21-2013 at 11:24 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  #34 | Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    Quote Originally Posted by speckl View Post
    Congrats on finding a potential security issue, but stop yelling at cPanel for them not agreeing with what you think is a big deal. You look foolish right now.
    It's not a potential security issue, it is a real security flaw that would allow us to compromise many hosting providers who actively restore random archives every single day.

    Other control panels suffer from the same vulnerability and they have already rated the issue as high... the only people who dispute that rating are idiots who don't understand the software that they are using and/or developed.

  #35 | Join Date: Oct 2010 | Location: My world u just live here | Posts: 1,410
    Quote Originally Posted by Steven View Post
    Be careful with saying the bolded statement.
    They do things 'right', but their history has not always been secure.

    With that said 95% of the DA servers we see have grossly out of date daemons because it doesn't auto update them like cpanel does and a large amount of people who use it don't know you need to.
    Direct Admin does have an auto update option and my daemons are current.

    How they were in the far distant past is not so much a concern as where they are today. For example, cPanel not too long ago wasn't having all the issues they seem to be having today (repeatedly).

    ▲ ▲

    WoltLab Dev

  #36 | Join Date: May 2006 | Location: EU & USA | Posts: 3,684
    Quote Originally Posted by mrzippy View Post
    What makes me laugh is this part of the cpanel response:
    It makes you laugh? It makes me cry (well, not really, but sad for sure) ... all the above doesn't surprise me one bit; I have always thought the backup/restore system was not what it should be.

    But to be *smacked* in the face with 'recently we have been made aware' makes me think about IPv6 in cPanel again... which they still have not added to cPanel; because they have probably recently been made aware this is urgent too?

    Hey, not that that is security related, but it shows how fast things go in cPanel, and I truly hope they will get their act together and get this 'high priority' project off the ground FAST or at the VERY least fix this security flaw, although I am quite sure that at this moment people are digging into this to find more candy and that worries me even more.

  #37 | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by TheVisitors View Post
    Direct Admin does have an auto update option and my daemons are current.

    How they were in the far distant past is not so much a concern as where they are today. For example, cPanel not too long ago wasn't having all the issues they seem to be having today (repeatedly).
    Out of the box it does not auto update daemons and thus there are plenty of people out there with massively out of date directadmin installations. The directadmin panel itself updates by default, but the daemons themselves do not unless you specifically enable it.

    With that said, we have not perfected the technique yet, but we do have a flaw in directadmin... it's just unique. So far we have been able to damage /etc/shadow multiple times as a user.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  #38 | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by 040Hosting View Post
    I am quite sure that at this moment people are digging into this to find more candy and that worries me even more.
    More candy has been found by HawkHost...
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  #39 | Join Date: May 2006 | Location: EU & USA | Posts: 3,684
    Quote Originally Posted by Steven View Post
    More candy has been found by HawkHost...
    Like I said ... I am not surprised

  #40 | Join Date: Nov 2000 | Location: localhost | Posts: 3,771
    Quote Originally Posted by 040Hosting View Post
    Like I said ... I am not surprised
    Just taking a guess:
    setuid preserved?
    ability to grant your mysql user root perms?
    insert into grant table via string concat and not escaped - SQL injection?

    Is the code for backup obfuscated? Wouldn't mind taking a look if not.
    MattF - Since the start..

  #41 | Join Date: Mar 2005 | Location: Ten1/0/2 | Posts: 2,529
    Quote Originally Posted by MattF View Post
    Just taking a guess:
    setuid preserved?
    ability to grant your mysql user root perms?
    insert into grant table via string concat and not escaped - SQL injection?

    Is the code for backup obfuscated? Wouldn't mind taking a look if not.
    Well, since you sort of let the cat out of the bag..

    When reading this thread, I thought the same.

    While I have not tried yet, I have looked at the Mysql within a full backup - and on the face of it, it would be trivial to grant yourself full root access - I am not sure if this is parsed correctly before just being run at restore time....
    CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
    Running Linux since 1.0.8 Kernel!
    Providing Internet Services since 1995 and Hosting Since 2004

  #42 | Join Date: Feb 2006 | Location: Buffalo, NY | Posts: 1,501

    Re: cPanel Root Exploit - Read ANY File On The Server - They Say, Minor Issue...

    Quote Originally Posted by RRWH View Post
    Well, since you sort of let the cat out of the bag..

    When reading this thread, I thought the same.

    While I have not tried yet, I have looked at the Mysql within a full backup - and on the face of it, it would be trivial to grant yourself full root access - I am not sure if this is parsed correctly before just being run at restore time....
    I'm sure it's possible. They do try to filter GRANTS in those imported *.sql files however you can produce strange behaviour with little work.

    With the silliness of these particular bugs being referenced it's moot. It's easier to grab the /root/.my.cnf directly which is generated upon the cPanel install.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor

  #43
    I don't restore from untrusted sources. So, I can understand cPanel's view on this.

    On the other hand, I know Steven and Patrick just want to resolve this security issue. And in the real world many hosting companies are doing restores from untrusted sources. cPanel could help.

    I remember the symlink vulnerability and how it was an apache issue. Now cpanel has a patch for it. Any security problem that affects cpanel's ecosystem is a cpanel issue. It has to be. Sustainability.

  #44
    Quote Originally Posted by tomfrog View Post
    So, I can understand cPanel's view on this.
    Really? Your point of view is that you understand cpanel is the world's most popular control panel, used by thousands of companies with many hundreds of thousands of end-users...

    .... but you don't think it is common for those end-users to move from one cpanel provider to another by using a backup file?

    Because that appears to be cpanel's position.

    Quote Originally Posted by tomfrog View Post
    I don't restore from untrusted sources.
    So just to be clear, you are saying that if a new customer signs up with you, and then gives you their cpanel backup file from their current host... you would tell them, "We don't restore from untrusted sources".
    We are eNom PLATINUM PLUS resellers!
    Sign up today for an eNom.com reseller account with lowest possible pricing.
    * We provide support and service to over 4275 happy eNom domain name and SSL certificate resellers!

  #45 | Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    Quote Originally Posted by mrzippy View Post
    So just to be clear, you are saying that if a new customer signs up with you, and then gives you their cpanel backup file from their current host... you would tell them, "We don't restore from untrusted sources".
    Exactly! The notion that we shouldn't restore random archives because someone could tamper with them is insane. The real answer is to implement enough checks during the restore process to prevent someone from escalating their privileges.

    I've said this a dozen times and I'll say it again, there are direct competitors to cPanel who suffer from the exact same flaw. I will disclose those names (for credibility's sake) in the near future, but here are both of their responses to the exact same problem that cPanel suffers from:

    Vendor #1:

    "In my book there's no such thing as a "low" priority security bug. We're fast-tracking a release to address this."
    Vendor #2:

    "Confirmed and will be fixed ASAP. Thank you very much for your help!"
    Both of these vendors who are direct competitors to cPanel will have a fix out in less than a week from our first point of contact to notify them of such. That's how you handle this! You don't come up with some BULLSH*T response that we shouldn't restore untrusted archives. YOU FIX YOUR BROKEN SOFTWARE SO THAT THE EXPLOIT ISN'T POSSIBLE IN THE FIRST PLACE!

    You executives over at cPanel better be paying attention here, because everyone else has jumped to their feet to fix the same flaws you foolishly labelled as minor. If you think I'm just saying this to make you guys look bad... reach out to one of us, and we'll forward you POCs for their control panels as well. I can't stress this enough, we're dead serious here. Other companies who suffer from the EXACT SAME FLAWS AS CPANEL have labelled it as a high priority fix. Why do you have to label it as a low? What's wrong with you!

  #46 | Join Date: Jan 2004 | Posts: 593
    Patrick, what you fail to realize is that you can't prioritize someone else's tasks. You won't agree with everyone about everything.

    It being set to low priority is such a minor issue and you are clinging to that like they aren't listening and you believe they don't care.

    Bug report was filed, it was confirmed. Next step is to get over yourself and realize that cPanel doesn't care what priority you think it should be.

    Why did I say that you look like a fool? Because adults shouldn't act like children.

    To note, hosts or people running cPanel that can't properly admin a server shouldn't be doing it in the first place. Don't blame cPanel for making it easy for anyone to start a hosting company.

  #47 | Join Date: Apr 2013 | Location: Toronto, Canada | Posts: 34
    +1 for the thought that it is your responsibility, as a host, to check what exists in a backup archive.

    If somebody provides a backup file with bad symbolic links, malware, spam tools etc. how is cPanel responsible for this? You should always check the contents of anything you upload on your own server.

  #48 | Join Date: Nov 2000 | Location: localhost | Posts: 3,771

    Quote Originally Posted by Steven View Post
    The problem is, there are plenty of illiterate server operators, and the way cpanel is currently designed it enables people to take advantage of it.

    With that said, other control panels have resolved/are resolving this problem.
    cPanel is targeted at mainly illiterate server operators (I don't imply every user is in this bracket - just most), they [cPanel] know this, why they can start a certification program and even create a University brand on a day other than 1st April, it is comical with the atrocities they commit, it is like North Korea starting the People's freedom awards. Anyway..

    With this in mind they need to accept responsibility for this and get a proper fix out. The best PR is to accept it as High/Critical and commit to releasing a patch whilst sending a warning to customers in the meantime. Some companies just don't get security and try to downplay issues at all cost; reminds me of a VPS company that was launching VPSes with the same default username/password in public IP space. Their response to how crazy it was to do this was to point to other companies doing it and "I will notify your ISP" if you go to the lengths of publishing a tiny python script to illustrate. I suspect they noted it as "low" and carried on.

    Let this be a lesson in how not to handle security issues. I suspect the bigger solution is to do minimal work with a lot of verification under root (creation, mysql perms via API rather than attempting to sanitize raw SQL dumps) and then delegate to a lower level user (that of the account) to tar/gz the user data, kind of like how Heroku works..
    Last edited by MattF; 05-22-2013 at 08:50 AM.
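The guesses in #40 (setuid bits preserved, privilege grants in the MySQL dump), the root-key and symlink concerns in #33 and #43, and MattF's point in #48 that the root-side step should verify rather than try to sanitize all describe the same defensive control: inspect a third-party backup archive before anything in it is acted on, and refuse it when it carries anything a restore should never have to handle. The Python script below is an added example written for this page; it is not cPanel's restore code and not code posted by anyone in the thread. The tarball layout it assumes (`acct/homedir/...` for the home directory, `acct/mysql/*.sql` for dumps) is invented for the example, and the archive it builds is constructed, not a real cPanel backup.

```python
import io
import re
import stat
import tarfile
from pathlib import PurePosixPath

# Statements in a dump that change MySQL privileges rather than data. Account
# privileges should be created through the panel's own API, not replayed from
# an untrusted dump, so any of these is a finding rather than something to filter.
PRIVILEGE_SQL = re.compile(
    r"^\s*(GRANT|REVOKE|CREATE\s+USER|ALTER\s+USER|SET\s+PASSWORD|DROP\s+USER)\b",
    re.IGNORECASE | re.MULTILINE,
)


def _escapes(path: str) -> bool:
    """True if a path is absolute or walks upward with '..'."""
    return path.startswith("/") or ".." in PurePosixPath(path).parts


def scan_backup(archive: bytes) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for an account backup tarball.

    Nothing is extracted to disk: the archive is inspected member by member,
    and a clean archive yields an empty list.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            # Entry that would land outside the restore directory.
            if _escapes(m.name):
                findings.append(("path-traversal", m.name))
            # Symlink or hard link pointing out of the account tree. Deliberately
            # conservative: any '..' in the target is flagged even if it would
            # resolve inside the tree.
            if (m.issym() or m.islnk()) and _escapes(m.linkname):
                findings.append(("link-escape", f"{m.name} -> {m.linkname}"))
            # setuid/setgid bits carried in the tar header.
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid-setgid", m.name))
            # Privilege statements inside SQL dumps (assumed layout: *.sql files).
            if m.isfile() and m.name.endswith(".sql"):
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                for match in PRIVILEGE_SQL.finditer(text):
                    line = text[match.start(1):].splitlines()[0].strip()
                    findings.append(("sql-privilege", f"{m.name}: {line}"))
    return findings


def build_sample_archive(tampered: bool) -> bytes:
    """Build a constructed (not real) account backup in memory.

    With tampered=False the archive holds only benign content; with
    tampered=True it carries one instance of each problem scan_backup looks for.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data, mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))

        add("acct/homedir/public_html/index.html", b"<h1>hello</h1>\n")
        add("acct/mysql/acct_db.sql", b"CREATE TABLE t (id INT);\nINSERT INTO t VALUES (1);\n")
        if tampered:
            add("acct/homedir/bin/helper", b"\x7fELF-placeholder", mode=0o4755)
            link = tarfile.TarInfo("acct/homedir/public_html/keys")
            link.type = tarfile.SYMTYPE
            link.linkname = "/root/.ssh"
            tar.addfile(link)
            add("acct/homedir/../../etc/cron.d/job", b"* * * * * root id\n")
            add("acct/mysql/extra.sql",
                b"GRANT ALL PRIVILEGES ON *.* TO 'acct'@'localhost' WITH GRANT OPTION;\n")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, detail in scan_backup(build_sample_archive(tampered=True)):
        print(f"{kind:15} {detail}")
    print("clean archive findings:", scan_backup(build_sample_archive(tampered=False)))
```

The scanner deliberately reports and stops instead of rewriting the archive: as CodyRo notes in #42, filtering GRANT statements out of a dump still leaves room for odd behaviour, whereas rejecting any privilege statement and creating the account's MySQL user through the panel's API removes the question entirely. The header checks (link targets, traversal, mode bits) are the kind of verification that belongs in the root-side step before extraction is handed to the account's own user, as the post above suggests.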

  #49 | Join Date: Nov 2000 | Location: localhost | Posts: 3,771
    Other stuff to think about: what about addon/alias domains and their relation to local mailhosts? Could I bastardize the backup in such a way that outlook.com etc. is added to local mail processing, thereby capturing any outbound email relay via the server from other users? Presumably via the restore route ownership of the domain is not validated as in the GUI?

  #50 | Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    Quote Originally Posted by speckl View Post
    Patrick, what you fail to realize is that you can't prioritize someone else's tasks. You won't agree with everyone about everything.

    It being set to low priority is such a minor issue and you are clinging to that like they aren't listening and you believe they don't care.

    Bug report was filed, it was confirmed. Next step is to get over yourself and realize that cPanel doesn't care what priority you think it should be.

    Why did I say that you look like a fool? Because adults shouldn't act like children.

    To note, hosts or people running cPanel that can't properly admin a server shouldn't be doing it in the first place. Don't blame cPanel for making it easy for anyone to start a hosting company.
    The overwhelming majority of people see this for what it is, which is encouraging because it assures me that our industry isn't totally filled with brain dead idiots who probably couldn't admin a box if it weren't for cPanel in the first place... nonetheless, thank you for your insight.
