  1. #1
    Join Date
    Feb 2003
    Posts
    286

    cPanel Vulnerability Found - Upgrade Recommended [MERGED]

    Just came through on the RSS feeds...

    Several potential security issues have been identified with cPanel software and Horde, a 3rd party bundled application. cPanel releases prior to 11.18.4 and 11.22.2 are susceptible to security issues, which range in severity from trivial to medium-critical. Along with the discovery of these potential issues, cPanel has released a new security tool to provide users with protection from XSRF attacks.
    All STABLE and RELEASE users are strongly urged to update to their respective 11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3 release. No releases are deemed susceptible to severe, critical or root access vulnerabilities.
    http://blog.cpanel.net/?p=39

  2. #2
    Join Date
    Apr 2004
    Location
    Singapore
    Posts
    1,506
    Another round of updates needed to be done again
    tanfwc
    Singapore Managed Colocation
    Singapore BGP Announcement

  3. #3
    Join Date
    Mar 2008
    Posts
    72

    cPanel Vulnerability Found - Upgrade Recommended

    Several potential security issues have been identified with cPanel software and
    Horde, a 3rd party bundled application. cPanel releases prior to 11.18.4 and
    11.22.2 are susceptible to security issues, which range in severity from
    trivial to medium-critical. Along with the discovery of these potential issues,
    cPanel has released a new security tool to provide users with protection from
    XSRF attacks.



    Update Advisory
    ==============================
    All STABLE and RELEASE users are strongly urged to update to their respective
    11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3
    release. No releases are deemed susceptible to severe, critical or root access
    vulnerabilities.


    XSRF Protection
    ==============================
    cPanel has also introduced a tool designed to protect against a category of
    attacks known as cross-site request forgery (XSRF). This tool will validate the
    browser referrer information against an approved list of domains.

    The list of approved domains is automatically determined according to the
    system's configuration. Any blocked requests are presented to the end user for
    approval. This additional step will minimize disruption of workflow while
    protecting the user from an outside XSRF attack. This check will not prevent
    bookmarked links in modern browsers from working normally.

    XSRF protection is not enabled by default. It is controlled via WHM's Tweak
    Settings under the Security heading. The protection may also be enabled
    manually by adding the following line to the end of /var/cpanel/cpanel.config:

    referrersafety=1

    and restarting cpsrvd by executing /usr/local/cpanel/startup.



    Regards,
    Rob
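As an added illustration (not cPanel's own code, which this thread does not show), the sketch below models the referrer check the advisory describes: a request is allowed when its Referer host is on the system's approved domain list, a bookmarked link with no Referer still works for a plain GET, and anything else is held for the user's approval instead of being silently dropped. The approved hostnames, the sample cpanel.config text, and the rule that a Referer-less state-changing request goes to the approval path are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the approved-domain list cPanel derives from the
# system's configuration; these hostnames are placeholders, not real servers.
APPROVED_DOMAINS = {"server1.example.net", "cpanel.example.net", "10.0.0.5"}

# Methods that bookmarked links and typed URLs produce; they carry no Referer.
SAFE_METHODS = {"GET", "HEAD"}

# Constructed sample of cpanel.config content (key=value per line).
SAMPLE_CONFIG = "skipanalog=0\nreferrersafety=1\n"


def referrersafety_enabled(config_text):
    """Parse key=value lines and report whether referrersafety=1 is set."""
    enabled = False
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "referrersafety":
            enabled = value.strip() == "1"  # last occurrence wins
    return enabled


def referer_host(referer):
    """None when the header is absent; '' when it is present but unusable."""
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.lower()


def check_request(method, referer, approved=APPROVED_DOMAINS):
    """Classify a request as the advisory describes.

    'allow'   - Referer host is one of the system's own domains, or the
                request is a safe method with no Referer (bookmarked link).
    'approve' - foreign, malformed or (assumption) missing Referer on a
                state-changing request: show it to the user for confirmation.
    """
    host = referer_host(referer)
    if host in approved:
        return "allow"
    if host is None and method.upper() in SAFE_METHODS:
        return "allow"
    return "approve"
```

A Referer check is only a partial control: browsers and proxies may strip the header, and, as post #5 notes, billing or login integrations whose domains are not on the list will land in the approval path.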

  4. #4
    Join Date
    Jul 2004
    Location
    Bharat
    Posts
    155
    No releases are deemed susceptible to severe, critical or root access vulnerabilities.

  5. #5
    Join Date
    Sep 2004
    Posts
    368
    but may break integration with other systems, login applications, and billing software.
    Online power for online people!

  6. #6
    Join Date
    Jan 2004
    Location
    Oztrayla Mate!
    Posts
    572
    It's amazing how many cPanel exploits keep cropping up, you would think after so many years it would be rock solid by now.
    Great Host = WiredTree.com Managed VPS Hosting

  7. #7
    Join Date
    Dec 2005
    Posts
    3,077
    When was this information released? There was a horde exploit over a month ago now and a fix was released on the day, is this referring to the same one?

  8. #8
    Join Date
    Sep 2007
    Location
    Vijayawada
    Posts
    185
    No, it is a new one, released on May 1st.
    http://blog.cpanel.net/?p=39
    TUXG Hosting - shared hosting simplified
    Linux | BSD ~ Joomla | Drupal
    o 99.9% Uptime o Anytime Phone Support o 30-day Moneyback

  9. #9
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,910
    Quote Originally Posted by 1boss1 View Post
    It's amazing how many cPanel exploits keep cropping up, you would think after so many years it would be rock solid by now.
    There are more (scarier) exploits that the public never finds out about, but silently get fixed for the greater good.

    As for your second comment, I would have to disagree. With ever changing software, new features being added and what not, there is always going to be an increased chance of security flaws introduced into the software.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.
