Update on the recent Soholaunch WHM Installer patch
Jack here, from Soholaunch (the sitebuilder). Here is more information about the recent security patch that Patrick @ rack911 helped us develop.
First, please remember: The vulnerability did not affect the Soholaunch sitebuilder itself. The issue was in a free custom plugin for WHM used to INSTALL the Soholaunch sitebuilder. Most of you, I think, are installing Soholaunch through Fantastico, Scriptaculous, SimpleScripts, Installatron etc. --- You’re all fine.
About the free WHM installer script (affected by the patch)
We released a custom WHM installer script a few years ago as free option for hosts who didn’t want to go the Fantastico/Scriptaculous/etc route. The WHM installer script allows you to manually install Soholaunch (from an admin perspective) on any account on your server, one-at-a-time. Our custom WHM installer was appreciated by a few web developers (who typically install Soholaunch as a CMS for their clients, one at a time), but most of our web host partners prefer to stick with installing Soho through the panels (Fantastico, etc.).
So again, your customer websites were not directly vulnerable, since the issue was in the whm installer script, not the sitebuilder.
About the patch (for the free WHM installer script)
If you are using the WHM installer you can update to the latest patched version (v27) easily via the installer’s auto-update feature. If you use Fantastico or Scriptaculous you don’t need to do anything.
I’m going to try to explain the patch in plain English, based on what our developer Cameron (who worked with Patrick from rack911 on this) has told me.
To give you some reassurance…
1. To exploit this vulnerability required the exploiter to have a valid cpanel account with shell access, then request the server administrator to install soholaunch using the whm plugin.
2. Most cpanel servers do not allow cpanel accounts to make hard links to system files and were not susceptible.
So those are the details
If you have more questions, feel free to PM me here or send me an email. Big thanks to Patrick at Rack911 for spotting this for us.
P.S. - Note to mods: The original thread is locked, otherwise I would have posted this as a reply there. Feel free to merge this thread with Patrick's original vulnerability report, or kill it and ask me to repost.
1. Shell access is not needed for our exploit(s) to work. The same exploit could be done via cron, via PHP, via perl. When we give proof of concepts to developers, for local exploits, we use SSH for the sake of simplicity.
2. Your comment that "cPanel servers do not allow cPanel accounts to make hard links" is false. The ability to create sym or hard links has NOTHING to do with cPanel and everything to do with the operating system. With all due respect, you have no idea what you are talking about and/or you were given wrong information.
Please stop trying to spread misinformation and downplay the severity of our exploits. All cPanel hosts that had the WHM plugin were vulnerable to this and many things could have been done with our exploit, including root access and/or rendering a server inoperable. If you dispute that, then you will have no problems with us full disclosing the proof of concepts to let the community decide who is being more truthful.
We're not here to cause problems for you or any developers but we cannot tolerate misinformation being given to the same community that we are trying to protect.
To touch base on Patricks comment about Hardlinks/Symlinks.
This is a kernel level function, not a cPanel function. The ability to prevent hardlinks from being created was introduced in kernel 3.6 ( http://git.kernel.org/cgit/linux/ker...d11cd4c05d61d7 ). Any run on the mill centos server has no restrictions on creating *links.
Even if someone has cloudlinux + cagefs installed, root access to the server could have still be obtained since the plugin runs as root which is outside of the virtualized environment.
In the end, it doesn't matter if 1 or 5k people have this plugin installed, a security hole is a security hole so theres no need to downplay the severity of it.