CPanel Vulnerability Found - Upgrade Recommended
May 2, 2008
Just came through on the RSS feeds...
Quote:
Several potential security issues have been identified with cPanel software and Horde, a 3rd party bundled application. cPanel releases prior to 11.18.4 and 11.22.2 are susceptible to security issues, which range in severity from trivial to medium-critical. Along with the discovery of these potential issues, cPanel has released a new security tool to provide users with protection from XSRF attacks.
Quote:
All STABLE and RELEASE users are strongly urged to update to their respective 11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3 release. No releases are deemed susceptible to severe, critical or root access vulnerabilities.
[url]
View 8 Replies
ADVERTISEMENT
Mar 7, 2008
An arbitrary file inclusion vulnerability has been discovered in the Horde
webmail application. At present, we can confirm that this security
vulnerability in question affects Horde 3.1.6 and earlier. Based on
incomplete information at this time, we also believe this affects Horde
Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware
at this time).
cPanel customers should update their cPanel and WHM servers immediately to
prevent any chance of compromise. The patch will be available in builds
11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated
builds will be available immediately to all fast update servers. The
builds will be available to all other update servers within one hour of
this posting.
To check which version of cPanel and WHM is on your server, simply log
into WebHost Manager (WHM) and look in the top right corner, or execute
the following command from the command line as root:
/usr/local/cpanel/cpanel -V
You can upgrade your server by navigating to 'cPanel' -> 'Upgrade to
Latest Version' in WebHost Manager or by executing the following from the
command line as root:
/scripts/upcp
It is recommended that all use of Horde 3.1.6 and earlier be stopped (on
cPanel and non-cPanel systems alike) until Horde updates can be applied.
You can disable Horde on your cPanel system by unchecking the box next to
'Server Configuration' -> 'Tweak Settings' -> 'Mail' -> 'Horde Webmail'
within WHM, and saving the page with the new settings.
View 14 Replies
View Related
Jul 7, 2014
my Plesk 12 upgrade went very smoothly. There is only one domain that I can not access from within the Plesk panel (it happens to be my primary domain). I get the following error:
Internal error: The site with UUID "54797500-0c96-d851-03e5-92b81c643cb3" was not found.
MessageThe site with UUID "54797500-0c96-d851-03e5-92b81c643cb3" was not found.
File Site.php
Line76
TypeSB_Facade_Exception_NotFound
View 3 Replies
View Related
Jun 19, 2014
After upgrading Plesk today the panel is reachable however the content area displays the message "File not found." for all pages.
View 6 Replies
View Related
Jul 11, 2014
Upgrade from 11.5 reported it had completed but when I log in, I get the grey bar on the left with various options - Hosting Services, Tools & Settings etc. (only Profile & Preferences works) and a main white screen with the words 'File Not Found' in large font black lettering.
see attached screen shot and log file.
trying to restart psa gives the following
[root@eateasy /]# /etc/init.d/psa start
Starting psa... Starting sw-engine-fpm: done
Starting xinetd service... done
Starting sw-cp-server service... failed
[Code].....
View 1 Replies
View Related
Mar 13, 2007
[url]
cPanel Multiple Local File Include Vulnerabilities
Bugtraq ID: 22915
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Mar 11 2007 12:00AM
Updated: Mar 12 2007 04:54PM
Credit: cyb3rt & 020 are credited with the discovery of these vulnerabilities.
Vulnerable: cPanel cPanel 10.9 build 134
cPanel cPanel 10.9 build 125
cPanel cPanel 10.9
View 2 Replies
View Related
May 29, 2007
I'm wondering if this is true:
[url]
Something like:
[url]
View 2 Replies
View Related
Oct 6, 2008
I need a VPS with Litespeed, WHM/cPanel, about 2GB of space and unlimited domains. I'm looking for speed and security, not price. Eventually I'd like to upgrade to a dedicated server. Here's what I'm looking for and why:
Located near multiple major networks:
Our current host has been unavailable from certain parts of the Internet. Anonymous proxy shows the site isn't dead, just not responding to my location. The response time from ippatrol.co.uk is about 1.5 seconds. That's about average, right?
Litespeed:
I run WPMU (Wordpress Multi-User) with many add-on domains pointing to a single installation. Problem with WPMU is it makes extensive use of .htaccess. All user-uploaded files are actually parsed through a php script. That's why I'd prefer litespeed's .htaccess handling.
WHM/cPanel:
I don't want to be stuck with a host if they suddenly stop performing. I've heard horror stories about large cPanel transfers, so I'm planning to split this into 3-5 cPanel accounts. Also I want to download my own backups, and don't want to try a 1GB backup. I'm not planning on doing reselling.
2GB of space:
I've got MANY small blogs, but they're all low-traffic. The 2GB is for expansion purposes, and so I can do backups without overage. I should never hit this limit.
View 9 Replies
View Related
Nov 18, 2008
This security flaw came to light at the end of October and I didn't find it posted already so thought it worth mentioning having tested the helpdesks for some sites that we use and found them to be at risk.
D
etails and a demo exploit URL can be found at url]
For anyone who doesn't know, XSS flaws that allow execution of arbitrary javascript can be exploited easily and without user knowledge to obtain information such as login details or session IDs. This could happen in various ways, including visiting an unrelated page with a simple URL that redirects to the vulnerable URL and then back again. Tools such as NoScript for FireFox may help protect against this on the client side.
View 9 Replies
View Related
Jan 14, 2007
A user is able to use WebShell.cgi:
[url removed]
In order to run commands from the /scripts folder. This is especially dangerous as a user can give an account reseller priviledge with full root access.
Because webshell.cgi is running with the uid/gid of apache, it can access all files which can be access with apache. And guess what.... the /scripts folder is one of them.
Because it's a CGI script, it doesn't seem as though there is an easy way to block this.
View 14 Replies
View Related
May 13, 2008
I am building a website which require a data feed from a third party data provider. I have to fill out a 'questionair' when submitting my application and I'm not sure what to put for this questions.
Question: "Have you run a vulnerability assessment of network security? What is the current assessment rating?"
I Google'd for security rating but came up blank, without any useful result. Is there a level like 1-5 or something for network security rating? I m not sure what to put on here.
I'm not against getting a shared/virtual hosting account if the a host could provide me with these ratings.
View 2 Replies
View Related
Apr 10, 2013
We are currently running ColdFusion 9 on an Apache server. After running a Webinspect scan for one of our web applications, a weak cipher vulnerability was flagged as critical. Their recommended change to the httpd.conf file is listed below. We made the change and restarted our server but the same vulnerability came up again. How to eliminate the weak cipher vulnerability?
SSLCipherSuite ALL:!aNull:!ADH:!eNull:!LOW:!EXP:!NULL:RC4+RSA:+HIGH:+MEDIUMĀ
View 3 Replies
View Related
Jun 27, 2013
I am using plesk 11.0.9 and I want disable ssl anonymous authentication. A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm.
How I can disable anonymous authentication
Plesk apache + nginx running
View 2 Replies
View Related
May 15, 2008
I am trying to access a temporary url on cPanel but I get a 404 Not Found error....
View 3 Replies
View Related
Sep 16, 2007
Attacking multicore CPUs
[url]
[url]
"The Register reports that the world of current multi-core central processing units (CPUs) just entered is facing a serious threat. A security researcher at Cambridge disclosed a new class of vulnerabilities that takes advantage of concurrency to bypass security protections such as anti-virus software The attack is based on the assumption that the software that interacts with the kernel can be used without interference. The researcher, Robert Watson, showed that a careful written exploit can attack in the little timeframe when this happens, and literally change the "words" that they are exchanging. Even if some of these dark aspects of concurrency were already known, Watson proved that real attacks can be developed, and showed that developers have to fix their code. Fast..."
View 0 Replies
View Related
Oct 1, 2014
We have Plesk Panel 11.5 in Virtuozzo containers (Centos 6 x86_64) and we often provide to our customers the ssh access with chroot - /usr/local/ psa/ bin/chrootsh.All we know about Shellshock Vulnerability and we already installed all fixes to bash, but chrootsh-version is still vulnerable.Here are the results of BashCheck from [URL] ..... under chrooted user:
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
bashcheck: line 15: 19226 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer.Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug).Do you plan to release updates for chrootsh?
View 2 Replies
View Related
Apr 29, 2007
Code:
$ md5sum sim-current.tar.gz
6c1cece6f3af87598c4bdb09cabcb3cc sim-current.tar.gz
Line 25, file: sim-2.5-3/setup
Code:
TMPS="/tmp/sim_cj"
Line 399, file sim-2.5-3/install/sim
Code:
cat $TMPS >> /etc/crontab
If a local user creates a symlink to that file, then writes to the sim_cj file being linked to, as SIM is being installed, they can influence the contents of /etc/crontab.
Contacted the vendor via email on 04/17/07, email bounced.
Opened a ticket via their helpdesk ~5 days ago, no response.
Again, this is only an issue during the install, which is an extremely small window of time. Any bug that could lead to root access should be fixed, however.
View 0 Replies
View Related
Feb 9, 2008
i create one vps by xen/hypervm
and i going to ssh this vps
and i want install cpanel for this vps
but:
-bash-3.00# wget[url]
--21:44:11-- [url]
=> `latest'
Resolving layer1.cpanel.net... failed: Host not found.
View 10 Replies
View Related
Sep 2, 2007
i had 3 emails last night from my box regarding a [checkperlmodules] automatic upgrade.
The modules cannot install as the modules on my system are outdated. I tried installing the module under WHM, IO::Compress::Base, but it says it is the most recent (2.005) and wont upgrade!
Under WHM -> 'Update System Software' i get the same error as modules wont build as they are require 2.006 and i have 2.005.
Is there anywayy how can i force an upgrade regardles?
Warning: prerequisite IO::Compress::Base 2.006 not found. We have 2.005.
[checkperlmodules] The perl module IO::Uncompress::Gunzip could not be installed.
This module is required by cPanel, and the system may not function correctly until it is installed, and functional. Below is the results of the auto-install attempt:
Test Run
==============
IO::Compress::Base::Common version 2.006 required--this is only version 2.005 at /usr/lib/perl5/site_perl/5.8.8/IO/Uncompress/RawInflate.pm line 9.
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/IO/Uncompress/RawInflate.pm line 9.
Compilation failed in require at /usr/lib/perl5/site_perl/5.8.8/IO/Uncompress/Gunzip.pm line 12.
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/IO/Uncompress/Gunzip.pm line 12.
Compilation failed in require at - line 1.
BEGIN failed--compilation aborted at - line 1.
Installer Run
.... snip ....
CPAN.pm: Going to build P/PM/PMQS/IO-Compress-Zlib-2.006.tar.gz
Up/Downgrade not needed.
Checking if your kit is complete...
Looks good
Warning: prerequisite IO::Compress::Base 2.006 not found. We have 2.005.
Warning: prerequisite IO::Uncompress::Base 2.006 not found. We have 2.005.
Writing Makefile for IO::Compress::Zlib
CPAN: YAML loaded ok (v0.65)
... snip ...
View 6 Replies
View Related
