Results 1 to 3 of 3
  1. #1

    Thumbs up Update on the recent Soholaunch WHM Installer patch

    Hi Everyone,

    Jack here, from Soholaunch (the sitebuilder). Here is more information about the recent security patch that Patrick @ rack911 helped us develop.

    First, please remember: The vulnerability did not affect the Soholaunch sitebuilder itself. The issue was in a free custom plugin for WHM used to INSTALL the Soholaunch sitebuilder. Most of you, I think, are installing Soholaunch through Fantastico, Scriptaculous, SimpleScripts, Installatron etc. --- You’re all fine.

    About the free WHM installer script (affected by the patch)
    We released a custom WHM installer script a few years ago as free option for hosts who didn’t want to go the Fantastico/Scriptaculous/etc route. The WHM installer script allows you to manually install Soholaunch (from an admin perspective) on any account on your server, one-at-a-time. Our custom WHM installer was appreciated by a few web developers (who typically install Soholaunch as a CMS for their clients, one at a time), but most of our web host partners prefer to stick with installing Soho through the panels (Fantastico, etc.).

    So again, your customer websites were not directly vulnerable, since the issue was in the whm installer script, not the sitebuilder.

    About the patch (for the free WHM installer script)
    If you are using the WHM installer you can update to the latest patched version (v27) easily via the installer’s auto-update feature. If you use Fantastico or Scriptaculous you don’t need to do anything.

    Vulnerability details
    I’m going to try to explain the patch in plain English, based on what our developer Cameron (who worked with Patrick from rack911 on this) has told me.

    To give you some reassurance…

    1. To exploit this vulnerability required the exploiter to have a valid cpanel account with shell access, then request the server administrator to install soholaunch using the whm plugin.
    2. Most cpanel servers do not allow cpanel accounts to make hard links to system files and were not susceptible.

    So those are the details
    If you have more questions, feel free to PM me here or send me an email. Big thanks to Patrick at Rack911 for spotting this for us.

    P.S. - Note to mods: The original thread is locked, otherwise I would have posted this as a reply there. Feel free to merge this thread with Patrick's original vulnerability report, or kill it and ask me to repost.
    Jack Mathis
    Soholaunch Website Builder
    Website Building Made Simple.

  2. #2
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,910
    Just a few points:

    1. Shell access is not needed for our exploit(s) to work. The same exploit could be done via cron, via PHP, via perl. When we give proof of concepts to developers, for local exploits, we use SSH for the sake of simplicity.

    2. Your comment that "cPanel servers do not allow cPanel accounts to make hard links" is false. The ability to create sym or hard links has NOTHING to do with cPanel and everything to do with the operating system. With all due respect, you have no idea what you are talking about and/or you were given wrong information.

    Please stop trying to spread misinformation and downplay the severity of our exploits. All cPanel hosts that had the WHM plugin were vulnerable to this and many things could have been done with our exploit, including root access and/or rendering a server inoperable. If you dispute that, then you will have no problems with us full disclosing the proof of concepts to let the community decide who is being more truthful.

    We're not here to cause problems for you or any developers but we cannot tolerate misinformation being given to the same community that we are trying to protect.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  3. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    To touch base on Patricks comment about Hardlinks/Symlinks.
    This is a kernel level function, not a cPanel function. The ability to prevent hardlinks from being created was introduced in kernel 3.6 ( http://git.kernel.org/cgit/linux/ker...d11cd4c05d61d7 ). Any run on the mill centos server has no restrictions on creating *links.

    Even if someone has cloudlinux + cagefs installed, root access to the server could have still be obtained since the plugin runs as root which is outside of the virtualized environment.

    In the end, it doesn't matter if 1 or 5k people have this plugin installed, a security hole is a security hole so theres no need to downplay the severity of it.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

Similar Threads

  1. Update RPM Package Installer in whm? Can I do that, how?
    By gurika in forum Hosting Security and Technology
    Replies: 3
    Last Post: 04-18-2005, 11:17 PM
  2. Cgiwrap Update 2.0.1 Patch
    By Angel78 in forum Dedicated Server
    Replies: 2
    Last Post: 03-17-2003, 10:35 AM
  3. MySQL 3.23.55 Update (Security Patch)
    By gpan in forum Hosting Security and Technology
    Replies: 0
    Last Post: 02-09-2003, 03:05 AM
  4. GRSecurity Patch Update
    By naif in forum Dedicated Server
    Replies: 6
    Last Post: 06-14-2002, 08:42 PM
  5. Update patch for raq
    By kickster in forum Dedicated Server
    Replies: 1
    Last Post: 04-13-2001, 06:53 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •