
Security warning to all hosting providers [Merged]

cPanel Could Be Hacked Worldwide

From Clubhostcity.com Forums

Posted: Admin @ Sat Feb 25, 2006 2:15 pm

There is no more "File Manager" on any web hosting accounts
and that includes both PAID and FREE web hosting accounts !!!!!

Last week, a bug was discovered in the File Manager system that prevented anyone from creating new folders which is little more than an annoyance and nothing more.

Meanwhile, the bug in the new Cpanel version and their delay in getting out a fix for the problem caused us to do our own research into the issue to see if we could fix it ourselves.

Instead of finding a problem to the file creation bug, we instead accidentally discovered a massively enormous security problem with the file manager! We discovered a way to edit any files, on any web hosting account, at any service provider running Cpanel WITHOUT THE NEED TO LOGIN TO THE ACCOUNT !!!!!

Basically in a nutshell, we have discovered a way to hack every single Cpanel hosting account on the planet since everyone has the file manager feature enabled on their hosting services !!!!!

Based on this new discovery and coupled with the other unrelated bug, we are discontinuing support for the FILE MANAGER feature at Clubhost City for security reasons.
 
We should all send mass emails to cpanel until they fix the mess, what a terrible bug to have, get into the root and do damage :(
 
LP-Trel said:
I'll confirm that the fear mongering going on here is valid. There is a security hole when using the HTML Editor in cPanel.

Craig said:
Exploit is not a serious issue for us - we use phpsuexec - so you can't access the files. Listing is prevented by mod_security.

LP-Trel and Craig are both heading up the correct direction but are both
apparently unaware of another separate problem that is very closely
related to the known HTML Editor security problem mentioned above
and is another aspect of it that fortunately seems to be missed by
most people at this point ... very fortunately!

We can confirm the security hole being reported in this thread as we
know precisely what the exploit is and also how to use it. I will say
that it does not matter whether you have phpSuExec enabled or not
for this one although phpSuExec would help with logging the attacks ....

I'm not going to say anything more than what has already been said
because I do not want to tell all the hackers of the world precisely
what they need to do to hack all the Cpanel servers.

I'm sure that Cpanel will probably have a fix out for the problem soon
since this one would obviously register as a very high priority.
 
Who uses the file manager?

My paid host disables the file manager, simply because FTP is a much easier, faster, and more powerful way of doing things.
 
Having had a reliable source inform me that this is not just a pile of! Makes good reason to take the warning.

Double check folks.

I know it's going back on myself but - well I was wrong so I was wrong :)
 
I second that.

Although it is possible, it's not plausible that while CHC was looking around the cPanel source they found a huge security hole.

Show me a cPanel it's happened to and I'll believe it.
 
LP - good tip for the dodgy bits LOL

I don't quite understand. :)

LP-Trel and Craig are both heading up the correct direction but are both
apparently unaware of another separate problem that is very closely
related to the known HTML Editor security problem mentioned above
and is another aspect of it that fortunately seems to be missed by
most people at this point ... very fortunately!

Yet another reason why the kill the fly with a bazooka approach works well sometimes. ;)
 
Sounds like complete BS...

Let me tell you what I think happened:

The supposed hosting company that you got that info from, well look at it, it does not even look like a hosting company. I think that the person who runs that site used to have a reseller account and could create other sub-accounts on the reseller account, and for some reason the person they were getting their reseller from either went out of business or they decided to drop this account due to overselling maybe?

And now this person has just a basic hosting account with whoever is hosting their website, and they now realize that they cannot offer additional cpanel accounts to anyone else, but however they have unlimited ftp accounts, therefore they can offer space because they can just create a new ftp account, and call it a hosting account.

That is what I think happened, therefore complete BS.

One way to find out for sure is if anyone has upgraded to the latest cpanel, go into it and use your file manager, see if you can create a new folder or not, if not then this is possibly legit, if you can then this just reinforces how screwed up this is.

Thanks for listening,

Peace_Hope
Alexander
 
Peace_hope,

Nowhere in your incoherent ramblings did you even come close to anything that could be considered a rational thought. Everyone in this forum is now dumber after reading it. I award you no points, and may God have mercy on your soul.
 
Tree said:
Peace_hope,

Nowhere in your incoherent ramblings did you even come close to anything that could be considered a rational thought. Everyone in this forum is now dumber after reading it. I award you no points, and may God have mercy on your soul.

The part of the story I don't like, is that the boy stops looking for his dog after an hour. He just sits on his porch like a goon, he didn't put up posters or anything. That boy's gotta think "You got a pet, you got a responsibility! You can't just look for an hour and call it quits. So you get your --- out there and you find that ----in' dog!"
 