
Security warning to all hosting providers [Merged]

warning

New Member
This is a courtesy warning to any hosts who would need to know this!

I just discovered a very serious security hole allowing anyone to easily modify the files of any web hosting account, at any hosting service provider where Cpanel is the control panel and the "File Manager" feature is enabled!

For obvious reasons, I am not going to publicly post any information or details on the security hole itself but I just wanted to warn all the hosts around here who are currently using Cpanel and have the "File Manager" feature enabled.

To put this discovery to the test, I have successfully hacked and then unhacked more than 50 accounts at many different hosting companies where in each, we made small changes to hosting account files and then removed the changes a few seconds later just as a test.

Any host fitting the above profile may want to consider forcing their hosting members to use FTP to upload files for the time being.
 
Hi! Please hack me! Oh please, please. . . Will yah, will ya huh? Oh please pick me, pick me . . . Pleassssssseeeeeeeeee. . . :p
 
Let me ask this... why do we rely on the Control Panel that we offer USERS?

If your server relies on the security of a bunch of uneducated, GED holding, non-English speaking fools, who pulled off writing a decent "user friendly" control panel.... then you need to get out of this business... immediately and forever....

Thank you for your support.
 
I'll confirm that the fear mongering going on here is valid. There is a security hole when using the HTML Editor in cPanel.

cPanel will most likely issue a fix for it soon. What we can do for now is remove all the vulnerable files and disable access to the vulnerable feature.

I have created the following script for doing this:

http://www.lifelesspeople.com/script.sh

Note: You must edit it before the script will do anything. Take note of the license and comments in the script. Use at your own risk.

hottweelz: Your copy of cPanel is just as vulnerable as any other. Your server can be hacked just as easily as any other. Be 100% certain you know what you are talking about before posting. ;)
 
hottweelz said:
I'm 100% certain you're not getting in mine.

I invite you to try.

I'll pass. ;)

I just wanted to note to everyone reading this that you are in fact using cPanel by www.cpanel.net just like everyone else. Your control panel is no more or less secure than anyone else running the exact same control panel.
 
LP-Trel said:
I have created the following script for doing this:

http://www.lifelesspeople.com/script.sh

Note: You must edit it before the script will do anything. Take note of the license and comments in the script. Use at your own risk.

Exploit is not a serious issue for us - we use phpsuexec - so you can't access the files. Listing is prevented by mod_security.

There is also a problem with the fix (it is safe but):
#chattr +i WysiwygPro

makes sure that it can't be overwritten - and (I think) cpanel updates won't work anymore. That's my 2 cents.
 
Craig said:
Exploit is not a serious issue for us - we use phpsuexec - so you can't access the files. Listing is prevented by mod_security.

There is also a problem with the fix (it is safe but):
#chattr +i WysiwygPro

makes sure that it can't be overwritten - and (I think) cpanel updates won't work anymore. That's my 2 cents.

You'll notice I left it commented. ;) Everyone needs to understand each command before it is run and what it will do.

The reason I put that there is to protect the directory from being enabled again after an automatic daily upcp run before there is an update available. :)
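The exchange above leaves the chattr +i caveat unresolved: the immutable bit stops an automatic upcp run from re-enabling the directory, but it also stops a legitimate update from touching it. The following is an added example, not the script linked in the thread and not cPanel's own tooling, showing one way to handle that: check the flag from lsattr output, clear it only for the duration of a manual update command, and restore it afterwards. The WysiwygPro location is a placeholder (the thread names the directory but not its path), and lsattr/chattr need root and an ext-family filesystem.

```shell
#!/bin/sh
# Added example; not code from the thread or from cPanel.
# PLACEHOLDER: the thread does not give the directory's location.
WYSIWYG_DIR="${WYSIWYG_DIR:-/path/to/WysiwygPro}"

# Return 0 if an lsattr output line such as "----i--------e-- /some/dir"
# carries the immutable flag. Only the attribute field (first token) is
# inspected, so an 'i' in the path itself cannot give a false positive.
# Lowercase i = immutable; uppercase I means "indexed directory" and is ignored.
lsattr_line_is_immutable() {
    attrs="${1%% *}"
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Query a real directory with lsattr -d. Returns 2 if lsattr is unavailable
# or the filesystem does not support attributes (treated as "not immutable").
dir_is_immutable() {
    line=$(lsattr -d "$1" 2>/dev/null) || return 2
    lsattr_line_is_immutable "$line"
}

# Run a command (for example the update run the thread calls upcp) with the
# immutable bit temporarily cleared, then put it back so a later automatic
# run still cannot re-enable the directory. The command's exit status is
# preserved and the flag is restored even if the command fails.
run_with_immutable_cleared() {
    dir="$1"; shift
    if dir_is_immutable "$dir"; then
        chattr -i "$dir" || return 1
        if "$@"; then rc=0; else rc=$?; fi
        chattr +i "$dir"
        return "$rc"
    fi
    "$@"
}

# Usage (as root):  run_with_immutable_cleared "$WYSIWYG_DIR" your-update-command
```

The parsing helper is split out so the decision logic can be exercised without root or a real ext filesystem; only the two wrapper functions touch the disk.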
 
Why would someone register with no details - try to spread panic - yada yada, Jan why not publish the IP - name and shame.

LP - good tip for the dodgy bits LOL

If CPanel has known probs how many hosts are going to be in a blind panic - all software has probs, but......
 
There does appear to be some truth to it.
There's a thread at WHT in the control panel board. But it seems to affect postgresql installs and not MySQL.
 
Rick probably the same panic reaction - look at the CPanel user base, the same person that posted "anonymously" is the gift of information - I think not.
 
Sorry if no one likes my opinion, although that's typical.

If this is our biggest concern with CPanel, then we have issues.
 