
05-21-2013, 05:58 PM #26 Web Hosting Master, Harrisburg, PA
Translation: "Although we've been in the control panel game for over a decade, it only just now occurred to us that customers sometimes switch hosts."
I'm glad to see cPanel finally responding, though I'm disgusted and concerned it took the threat of public disclosure to compel action. We are now looking for an alternate panel.
-- Fresh Roasted Hosting

05-21-2013, 08:15 PM #29 Web Hosting Master, Canada
We are moving forward with the POC tomorrow.
An explanation will be made at that time for our reasoning to move forward despite cPanel issuing a statement. This is something very unique but we need to hold cPanel accountable... and making statements and promises are great and all, but we want a fix for this "minor" flaw. (Surely it doesn't take an entire week to fix something so minor... but we shall see come tomorrow.)
If companies want to play around and downgrade the severity of flaws... and take years to make fixes and then blow smoke up our arses as if they didn't understand the restore / copy feature was being used extensively with "untrusted archives", then they need to be held accountable or, in this case, burned at the stake. We're done playing around with cPanel and will treat future advisories with them a little differently until they start acting responsibly, like their direct competitors have with the same vulnerability.

05-21-2013, 10:21 PM #30 Web Hosting Master, "My world u just live here"
Yet another reason why I always suggest DirectAdmin:
- More secure
- More up to date (current)
- Uses fewer resources
- Supports more OS options
- You can OWN it, thus saving money compared to leasing it like you do with cPanel
- And it offers the same general functions most end users look for
- Easy to customize (not just branding, but you can install outside of stock)
- Better support, which takes things seriously

05-21-2013, 10:57 PM #31 Problem Solver, California, USA
Be careful with saying the bolded statement.
They do things 'right', but their history has not always been secure.
With that said, 95% of the DA servers we see have grossly out-of-date daemons, because it doesn't auto-update them like cPanel does, and a large number of people who use it don't know you need to.
-- Steven Ciaburri, Rack911.com

05-21-2013, 11:15 PM #32 Web Hosting Master
I believe you guys are over-reacting. You found a bug that you think is a big deal when really it's not.
If you run a cPanel server, it is your responsibility to make sure it is secure and stays secure. Importing any information is a risk. If you don't scan the account after restore then don't blame cPanel for your lack of security practices.
I agree with cPanel that this issue is minor. There are much bigger issues that are more important to be dealing with.
Congrats on finding a potential security issue, but stop yelling at cPanel for not agreeing with what you think is a big deal. You look foolish right now.

05-21-2013, 11:19 PM #33 Problem Solver, California, USA
You are wrong. Countless hosts on this forum restore backups every day without any thought to the security of it. With one of these backups you can obtain the root id_dsa/rsa key and log in to the server as root directly, which many hosts allow on their servers.
The problem is, there are plenty of illiterate server operators, and the way cPanel is currently designed, it enables people to take advantage of it.
With that said, other control panels have resolved/are resolving this problem.
-- Steven Ciaburri, Rack911.com (last edited 05-21-2013 at 11:24 PM)

05-21-2013, 11:27 PM #34 Web Hosting Master, Canada
It's not a potential security issue, it is a real security flaw that would allow us to compromise many hosting providers who actively restore random archives every single day.
Other control panels suffer from the same vulnerability and they have already rated the issue as high... the only people who dispute that rating are idiots who don't understand the software that they are using and/or developed.

05-21-2013, 11:47 PM #36 Web Hosting Master, EU & USA
It makes you laugh? It makes me cry (well, not really, but sad for sure)... all of the above doesn't surprise me one bit; I have always thought the backup/restore system was not what it should be.
But to be *smacked* in the face with "'recently' we have been made aware" makes me think about IPv6 in cPanel again... which they still have not added to cPanel; because they have probably only recently been made aware that this is urgent too?
Hey, not that that is security related, but it shows how fast things go at cPanel, and I truly hope they will get their act together and get this 'high priority' project off the ground FAST, or at the VERY least fix this security flaw, although I am quite sure that at this moment people are digging into this to find more candy, and that worries me even more.

05-21-2013, 11:48 PM #37 Problem Solver, California, USA
Out of the box it does not auto-update daemons, and thus there are plenty of people out there with massively out-of-date DirectAdmin installations. The DirectAdmin panel itself updates by default, but the daemons do not unless you specifically enable it.
With that said, we have not perfected the technique yet, but we do have a flaw in DirectAdmin... it's just unique. So far we have been able to damage /etc/shadow multiple times as a user.
-- Steven Ciaburri, Rack911.com

05-22-2013, 02:49 AM #41 Web Hosting Master, Ten1/0/2
Well, since you sort of let the cat out of the bag..
When reading this thread, I thought the same.
While I have not tried it yet, I have looked at the MySQL within a full backup, and on the face of it, it would be trivial to grant yourself full root access. I am not sure if this is parsed correctly before just being run at restore time....

05-22-2013, 03:12 AM #42 Web Hosting Master, Buffalo, NY
Re: cPanel Root Exploit - Read ANY File On The Server - They Say, Minor Issue...
I'm sure it's possible. They do try to filter GRANTs in those imported *.sql files; however, you can produce strange behaviour with little work.
With the silliness of these particular bugs being referenced, it's moot. It's easier to grab /root/.my.cnf directly, which is generated upon the cPanel install.
-- Cody R., Hawk Host Inc.

05-22-2013, 03:18 AM #43 WHT Addict
I don't restore from untrusted sources. So, I can understand cPanel's view on this.
On the other hand, I know Steven and Patrick just want to resolve this security issue. And in the real world many hosting companies are doing restores from untrusted sources. cPanel could help.
I remember the symlink vulnerability and how it was an Apache issue. Now cPanel has a patch for it. Any security problem that affects cPanel's ecosystem is a cPanel issue. It has to be. Sustainability.

05-22-2013, 04:06 AM #44 Mr. Awesome
Really? Your point of view is that you understand cpanel is the world's most popular control panel, used by thousands of companies with many hundreds of thousands of end-users...
.... but you don't think it is common for those end-users to move from one cPanel provider to another by using a backup file?
Because that appears to be cPanel's position.
So just to be clear, you are saying that if a new customer signs up with you, and then gives you their cPanel backup file from their current host... you would tell them, "We don't restore from untrusted sources".

05-22-2013, 07:29 AM #45 Web Hosting Master, Canada
Exactly! The notion that we shouldn't restore random archives because someone could tamper with them is insane. The real answer is to implement enough checks during the restore process to prevent someone from escalating their privileges.
I've said this a dozen times and I'll say it again, there are direct competitors to cPanel who suffer from the exact same flaw. I will disclose those names (for credibility sake) in the near future but here are both of their responses to the exact same problem that cPanel suffers from:
Vendor #1:
"In my book there's no such thing as a "low" priority security bug. We're fast-tracking a release to address this."
Vendor #2:
"Confirmed and will be fixed ASAP. Thank you very much for your help!"
You executives over at cPanel had better be paying attention here, because everyone else has jumped to their feet to fix the same flaws you foolishly labelled as minor. If you think I'm just saying this to make you guys look bad... reach out to one of us, and we'll forward you POCs for their control panels as well. I can't stress this enough, we're dead serious here. Other companies who suffer from the EXACT SAME FLAWS AS CPANEL have labelled it as a high priority fix. Why do you have to label it as a low? What's wrong with you!

05-22-2013, 08:41 AM #46 Web Hosting Master
Patrick, what you fail to realize is that you can't prioritize someone else's tasks. You won't agree with everyone about everything.
It being set to low priority is such a minor issue and you are clinging to that like they aren't listening and you believe they don't care.
Bug report was filed, it was confirmed. Next step is to get over yourself and realize that cPanel doesn't care what priority you think it should be.
Why did I say that you look like a fool? Because adults shouldn't act like children.
To note, hosts or people running cPanel that can't properly admin a server shouldn't be doing it in the first place. Don't blame cPanel for making it easy for anyone to start a hosting company.

05-22-2013, 08:44 AM #47 Junior Guru Wannabe, Toronto, Canada
+1 for the thought that it is your responsibility, as a host, to check what exists in a backup archive.
If somebody provides a backup file with bad symbolic links, malware, spam tools etc., how is cPanel responsible for this? You should always check the contents of anything you upload on your own server.
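What "checking the contents" of an archive has to mean before a restore routine untars it as root, covering the root-key symlink Steven describes in #33 and the "bad symbolic links" raised above, as an added example that is not code from cPanel or from anyone in this thread. The entry names, the two constructed archives and the assumption that everything is extracted beneath one per-account directory are mine:

```python
"""Pre-restore validation of an untrusted account backup archive.

Added example, not cPanel code.  Before a restore routine extracts a
customer-supplied tarball as root, every entry is checked for the ways an
archive can reach outside the account's home: '..' or absolute entry names,
symlinks and hard links whose target resolves outside the extraction root,
device nodes and FIFOs, and setuid/setgid bits.  The two archives built
below are constructed samples; their entry names and targets are assumptions.
"""
import io
import posixpath
import stat
import tarfile


def escapes_root(path):
    """True if a path, after collapsing '.' and '..', leaves the extraction root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


def check_member(member):
    """Return None if a tar entry is safe to extract, else the reason it is not."""
    if escapes_root(member.name):
        return "entry name escapes extraction root: %s" % member.name
    if member.issym():
        # A relative symlink target is resolved from the entry's own directory.
        target = member.linkname
        if not posixpath.isabs(target):
            target = posixpath.join(posixpath.dirname(member.name), target)
        if escapes_root(target):
            return "symlink %s -> %s leaves extraction root" % (member.name, member.linkname)
    elif member.islnk():
        # A hard link target is a path relative to the extraction root.
        if escapes_root(member.linkname):
            return "hard link %s -> %s leaves extraction root" % (member.name, member.linkname)
    if member.isdev() or member.isfifo():
        return "special file not allowed: %s" % member.name
    if member.mode & (stat.S_ISUID | stat.S_ISGID):
        return "setuid/setgid bit on %s" % member.name
    return None


def validate_archive(data):
    """Scan a gzipped tarball held in memory and return the rejection reasons.

    An empty list means every entry passed.  Run this before any extraction,
    and when extracting force ownership to the account user instead of
    honouring the uid/gid stored in the archive headers.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            reason = check_member(member)
            if reason:
                problems.append(reason)
    return problems


def build_archive(entries):
    """Build a constructed sample tarball from (name, kind, payload, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload, mode in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                body = payload.encode()
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample: a well-formed account archive whose relative symlink
# stays inside the tree.
CLEAN = build_archive([
    ("homedir/public_html", "dir", None, 0o755),
    ("homedir/public_html/index.html", "file", "<h1>hello</h1>\n", 0o644),
    ("homedir/public_html/home", "symlink", "../public_html/index.html", 0o777),
])

# Constructed sample: the same archive with three hostile entries, a symlink
# out to root's SSH key, a file that climbs out of the extraction root, and
# a setuid binary.
TAMPERED = build_archive([
    ("homedir/public_html/index.html", "file", "<h1>hello</h1>\n", 0o644),
    ("homedir/public_html/key", "symlink", "../../../../root/.ssh/id_rsa", 0o777),
    ("../../etc/cron.d/restore", "file", "# constructed sample\n", 0o644),
    ("homedir/bin/sh", "file", "#!/bin/sh\n", 0o4755),
])

if __name__ == "__main__":
    print("clean:", validate_archive(CLEAN) or "ok")
    for reason in validate_archive(TAMPERED):
        print("tampered:", reason)
```

Python 3.12 added extraction filters to tarfile (extractall(..., filter="data")) that refuse most of these entries at extraction time; the pre-scan above still earns its place because it reports everything wrong with an archive before anything touches disk, and because the symlink rule resolves a relative target from the link's own directory, which is how the kernel will resolve it once the link exists.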

05-22-2013, 08:47 AM #48 Web Hosting Master, localhost
> The problem is, there are plenty of illiterate server operators, and the way cPanel is currently designed, it enables people to take advantage of it.
> With that said, other control panels have resolved/are resolving this problem.
With this in mind, they need to accept responsibility for this and get a proper fix out. The best PR is to accept it as High/Critical and commit to releasing a patch, whilst sending a warning to customers in the meantime. Some companies just don't get security and try to downplay issues at all costs; it reminds me of a VPS company that was launching VPSes with the same default username/password in public IP space. Their response to how crazy it was to do this was to point to other companies doing it and "I will notify your ISP" if you go to the lengths of publishing a tiny Python script to illustrate; I suspect they noted it as "low" and carried on.
Let this be a lesson in how not to handle security issues. I suspect the bigger solution is to do minimal work with a lot of verification under root (creation, MySQL perms via API rather than attempting to sanitize raw SQL dumps) and then delegate to a lower-level user (that of the account) to tar/gz the user data, kind of like how Heroku works.
-- MattF (last edited 05-22-2013 at 08:50 AM)
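Cody's point in #42 (filtering GRANTs out of imported .sql files can be made to misbehave) and MattF's suggestion above (verify under root, do not try to sanitize raw dumps) point the same way: a gate that refuses a dump rather than rewriting it. The following is an added example, not cPanel's code or any poster's; the allowlist, the sample dump and the two hostile statements in it are assumptions constructed for the demonstration. It also shows the specific way a strip-comments-then-grep filter fails, because MySQL and MariaDB execute the body of a /*! ... */ version-conditional comment:

```python
"""Deny-by-default gate for an untrusted MySQL dump before it is imported.

Added example, not cPanel code.  The dump is split into statements with
quotes and comments honoured, the body of /*! ... */ version-conditional
comments is kept because the server executes it, and every statement whose
leading keywords are not on a short allowlist is reported instead of being
rewritten.  The allowlist and the sample dump are constructed assumptions.
"""
import re

# Statement shapes a single-database mysqldump legitimately produces.
ALLOWED_HEADS = {"CREATE TABLE", "DROP TABLE", "ALTER TABLE", "INSERT INTO",
                 "REPLACE INTO", "LOCK TABLES", "UNLOCK TABLES"}
# Session-scoped SET is normal dump noise; GLOBAL / PERSIST change the server.
FORBIDDEN_SET_SCOPES = {"GLOBAL", "PERSIST", "PERSIST_ONLY"}


def split_statements(sql):
    """Return the dump as a list of statements: comments dropped, quotes honoured."""
    stmts, cur, i = [], [], 0
    while i < len(sql):
        c, two = sql[i], sql[i:i + 2]
        if c in ("'", '"', "`"):
            # String literal or quoted identifier: copy through to its closing quote.
            j = i + 1
            while j < len(sql):
                if sql[j] == "\\" and c != "`":     # backslash escape inside strings
                    j += 2
                    continue
                if sql[j] == c:
                    if sql[j + 1:j + 2] == c:       # doubled quote stays inside
                        j += 2
                        continue
                    break
                j += 1
            cur.append(sql[i:j + 1])
            i = j + 1
        elif (two == "--" and sql[i + 2:i + 3] in ("", " ", "\t", "\n")) or c == "#":
            nl = sql.find("\n", i)                  # line comment: drop to end of line
            i = len(sql) if nl < 0 else nl
        elif two == "/*":
            end = sql.find("*/", i + 2)
            end = len(sql) if end < 0 else end
            head = sql[i + 2:i + 4]
            skip = 3 if head[:1] == "!" else 4 if head == "M!" else 0
            if skip:
                # Version-conditional comment: the server runs its body, so splice
                # the body (minus the optional 5-digit version) back in and rescan.
                body = re.sub(r"^\d{5}", "", sql[i + skip:end])
                sql = sql[:i] + body + sql[end + 2:]
                continue
            i = end + 2                             # plain comment: drop it
        elif c == ";":
            text = "".join(cur).strip()
            if text:
                stmts.append(text)
            cur, i = [], i + 1
        else:
            cur.append(c)
            i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


def gate_dump(sql):
    """Return [(index, statement)] for every statement the gate refuses to import."""
    rejected = []
    for idx, stmt in enumerate(split_statements(sql)):
        words = [w.upper() for w in re.findall(r"[A-Za-z_]+", stmt)[:2]]
        if words and words[0] == "SET":
            ok = len(words) < 2 or words[1] not in FORBIDDEN_SET_SCOPES
        else:
            ok = " ".join(words) in ALLOWED_HEADS
        if not ok:
            rejected.append((idx, stmt))
    return rejected


def naive_contains_grant(sql):
    """The filter shape that goes wrong: strip every /* */ block, then grep.
    It never sees a GRANT carried inside a version-conditional comment."""
    stripped = re.sub(r"/\*.*?\*/", "", sql, flags=re.S)
    return re.search(r"\bGRANT\b", stripped, flags=re.I) is not None


# Constructed sample dump: ordinary mysqldump output plus two statements that
# an account-level restore must never run.
SAMPLE_DUMP = """-- MySQL dump (constructed sample)
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET NAMES utf8 */;
DROP TABLE IF EXISTS `posts`;
CREATE TABLE `posts` (
  `id` int NOT NULL,
  `body` text,  -- a ; inside a comment must not split the statement
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;
LOCK TABLES `posts` WRITE;
INSERT INTO `posts` VALUES (1,'semi;colon in a string'),(2,'it''s /* not a comment */');
UNLOCK TABLES;
/*!50003 GRANT ALL PRIVILEGES ON *.* TO 'backdoor'@'localhost' WITH GRANT OPTION */;
SET GLOBAL general_log_file = '/var/www/html/x.php';
"""
```

The gate is a second layer, not the control: the dump should still be imported by a MySQL account whose privileges are confined to the target database and that holds none of GRANT OPTION, SUPER or FILE, so anything the gate misses fails at the server. Dumps carrying triggers, routines or DELIMITER directives fail the allowlist and get a human look, which is the intended failure mode.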

05-22-2013, 08:57 AM #49 Web Hosting Master, localhost
Other stuff to think about: what about addon/alias domains and their relation to local mail hosts? Could I bastardize the backup in such a way that outlook.com etc. is added to local mail processing, thereby capturing any outbound email relayed via the server from other users? Presumably via the restore route, ownership of the domain is not validated as it is in the GUI?

05-22-2013, 08:58 AM #50 Web Hosting Master, Canada
The overwhelming majority of people see this for what it is, which is encouraging because it assures me that our industry isn't totally filled with brain-dead idiots who probably couldn't admin a box if it weren't for cPanel in the first place... nonetheless, thank you for your insight.