CPanel Refuses To Fix Cross-site Request Forgery
Aug 3, 2009
Apparently cPanel does not wish to fix a cross-site request forgery because it would be a so-called feature. Maybe due to the weekend someone had a drink too many.
Anyways; from The Register:
Quote:
The vulnerability in cPanel is triggered by luring a user to a malicious website while logged in to the program, which is one of the most widely used web-hosting applications.
The attack is able to trick cPanel into carrying out sensitive commands by making it appear as if they came from the victim.
"If you logged in as root and you hit my website or you hit any website I control, I can do anything I want," Bailey said. "I can reset your root password, I can upgrade software, I can modify any setting I want. That's scary and that's bad."
Even more troubling, Bailey continued, was the reply he got when he notified cPanel officials of the bug. "The response I got from cPanel was we can't fix this because it's a feature. Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."
Sep 1, 2008
I've been running a GoDaddy Windows server with YetAnotherForum software for my forums. It's dog slow... it takes at least 30 seconds to load a page, even longer if you are making a post.
So, I've set up one of my Macs to run UPB software and I have it run 24/7. The forum works, the flatfile database runs great, and it works on my network of computers. But here's the problem: nobody else can see it.
Sometimes the link just hangs, but mostly it just gives an error saying "The connection to the server has been reset". Is it because the server is connecting wirelessly?
Jan 11, 2007
We signed up with Cyberheart IT Online because they claim to be a BusinessTrust and Trustsg company for web hosting (from January 2006 until January 2007), 3 domain registrations and an SQL database.
During the year we had 3 main problems, as follows:
1. Unable to log in via web mail, and each time we asked Cyberheart about this the reply was not to use web mail as it is unstable, despite us telling them that we travel often and need the service, which is included in the hosting plan.
2. When we logged into our web control panel to perform administration, we received messages saying that another user was logged into the system. We asked Cyberheart about this but received no reply and no solution.
3. We initiated a transfer to another hosting company on the 20th of December 2006. Cyberheart replied to my email with an explanation of what issues they had and that I should move to their new server. We refused and asked Cyberheart to effect the transfer.
Cyberheart asked for DNS numbers after we sent repeated emails to ask them the status, but delayed the transfer and withheld the correct EPP key until one of my critical domains expired on 07/01/2007.
My new hosting company in the US advises me to renew my domain with Cyberheart so that we can continue with the transfer, as they cannot do anything until Cyberheart provides the correct authentication (EPP) key. We suffered with our websites down and emails not working.
We asked the registrar WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC to intervene, and only then did Cyberheart reply on 10/01/2007 that we had an outstanding invoice and that Cyberheart would not provide the EPP key until we paid. We asked for the invoice to effect the payment, and Cyberheart did not reply until the second reminder email today (11/01/2007). In the email (with no invoice) Cyberheart asked for $129.00 per domain name renewed, which totals $258.00. The initial quoted amount was $18.00 per domain registration.
We have sent another email today to ask for an official corrected bill; still no reply.
We want the authentication key to effect the hosting transfer. We do not want any other dealings with this unethical company, but we do not want to be bullied into paying what Cyberheart arbitrarily charges.
Jan 29, 2007
Right after booting from HP-UX PA-RISC, Tomcat refuses connections.
Trouble Description:
No startup error messages are logged and processes are up and running.
Checking /etc/rc.log:
----------------------------
Starting Tomcat server
Output from "/sbin/rc3.d/S998Tomcat start":
----------------------------
Using CATALINA_BASE: /opt/mediation/Tomcat5.5
Using CATALINA_HOME: /opt/mediation/Tomcat5.5
Using CATALINA_TMPDIR: /opt/mediation/Tomcat5.5/temp
Using JRE_HOME: /opt/mediation/java/jre15_15002
/opt/mediation/Tomcat5.5/bin/catalina.sh[233]: touch: not found.
----------------------------
If Tomcat is manually stopped and restarted, it accepts connections.
Sep 11, 2007
I'm having problems trying to change the date; no matter what I enter in Webmin or the shell it keeps the existing date, and I've tried ntp.
Fed Core 6
Jan 3, 2009
I signed up with La(m)nehost not a short while back; I now want to make use of the guarantee since I'm not happy with their service.
I issued a ticket on the 27th of December 2008, requesting my money back since I wasn't happy with their services and they offer a 60back not-happy-money-back guarantee.
Till this very day it seems as if Lanehost is REFUSING to respond to the ticket! I asked about the issue on the chat and just got a lame answer: "you should log a ticket"...
What can I do against this? I paid around 150 dollars for a year (stupid enough).
I was about to start my own hosting company, and this just sets me back a lot.
Jul 11, 2008
The Solar VPS CEO has a guilty conscience or something that I will screw him up...he knows that I won't do a thing to his company....anyways...cause I want to apologize to him...in public....and I want him to read this...I called him a fool...on live chat...for not agreeing to an idiotic final decision...decisions are based on a company...and should be changed....I just want a VPS for my portal...that's it....
Jul 28, 2007
I signed up with service from infinitie.net after seeing an offer they had on this link [url]
This was on July 21st about 8PM EST. Link above states "PLEASE ALLOW UP TO 2 HOURS FOR YOUR NEW VPS ACCOUNT ACTIVATE ONCE ORDERED."
First reply took 8hrs, second 9hrs, third 5hrs, and to this date I haven't heard back from them since Jul 23, 2007 2:32 PM EST.
Incomplete login details were issued on Jul 23, 2007 2:32 PM EST. However, message stated "CPanel is finalizing its install and will be complete in 2 hours." I immediately asked them to please advise when setup is complete on Jul 23, 2007 2:56 PM EST. After not hearing anything back I decided to cancel and emailed request at Jul 24, 2007 2:54 PM EST.
I have a couple of services I'm happy with elsewhere. I more or less just wanted to separate an account and see what other options were out there. I wasn't bothered by the fact that setup was slow. The main issue was: if they take this long to reply and handle simple issues prior to setup, what happens if I'm set up one day and there is a more serious issue? Since the initial cancel request I attempted to contact them on several other occasions by both direct email and their ticket system. I never received a response other than the standard automatic "Thank you for writing to Infinitie's Support Team."
I have disputed the transaction with PayPal today. As a last attempt I emailed infinitie.net yesterday and told them that unless a refund was issued this is the action I would be forced to take. No response, so I proceeded. I will update and let you all know how this turns out.
Jun 27, 2008
I have a facility that offers racks and bandwidth (expensive); however, the same facility is a POP for Cogent as well, who, after I contacted them, informed me that I can buy bandwidth from them directly and just have the racks with said facility.
Now, besides my servers, do I need to own anything in order to mix my 100MB uplink from my rack provider and Cogent?
I am assuming that with Cogentco I will be able to get IPs more easily and through them, so if I renew my contract I don't have to migrate the class C no matter what datacenter I host in (as long as I have Cogent in the mix, correct?).
BTW, is it usual to get charged anything for BGP or cross-connect? What do you pay?
Apr 3, 2008
I'm getting a cabinet colocation with a provider and on the sales order there is a setup and re-occurring fee for "cross connect". My rep explained it's for the connection from my cabinet to their switch. Is this a typical charge for colocation? I thought cross connect is for connecting from their facility to 3rd party providers.
May 10, 2009
On IIS6 many of the sites are under cross scripting attack. I tried removing the code, but it affects them again after some time. I reset the FTP password, and the password is a combination of complex alphanumeric characters. I have checked the permissions; they are OK.
How do you guys fight a cross scripting attack?
Jan 1, 2007
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Only rewrite requests that do not map to an existing file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
That's the WordPress .htaccess.
What makes me wonder is that if we delete RewriteCond %{REQUEST_FILENAME} !-f, it won't work.
As if there is a recursion. However, there can't be a recursion given the [L] thing, right?
Mar 14, 2007
I have two RedHat EL 4 boxes linked via a cross-connect. One is a web server (10.0.0.3) and one is a MySQL server (10.0.0.2); the interface between them is eth1 on both machines, and a second interface eth0 connects to the internet.
I want to use the web server to send queries to the database server via eth1, 10.0.0.2:3306 in this case. If I send a database query via eth1 there is a delay of about 10-20 seconds before the result comes back. If I send the same query to the database server but use its main IP instead of the internal IP, so that the query is being sent to it over the internet (xx.xx.xx.xx:3306), the result comes back instantly.
Similarly, if I send a query from any remote server the result is instant.
Why should there be such a huge delay when sending a query directly through the cross-connect?
The routing table ( ip route show ) for the web server is:
xx.xx.xx.xx/xx dev eth0 proto kernel scope link src xx.xxx.xx.xx
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.3
default via xx.xx.xx.xx dev eth0
and the routing table on the database server is:
xx.xx.xx.xx/xx dev eth0 proto kernel scope link src xx.xx.xx.xx
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.2
default via xx.xx.xx.xx dev eth0
I have ifcfg-eth1 on both boxes:
DEVICE=eth1
ONBOOT=yes
TYPE=Ethernet
IPADDR=10.0.0.3 / 10.0.0.2
NETMASK=255.255.255.0
Both boxes can ping each other and transfer files using wget without any apparent problems or delays.
Anyone have any ideas on how to fix this 10-20 second delay when sending queries through the cross-connect?
Aug 23, 2014
I would like to make a CGI cross-platform. Some servers are running Ubuntu Server 32-bit, others are running CentOS 64-bit, and so on. How do I make a CGI script that runs well at least on Linux-based operating systems such as Debian, Ubuntu, RedHat and so on?
Feb 11, 2008
I have two VPS's, VPS1 has one vbulletin community. VPS2 has about 10 cpanel accounts, mostly email, a blog site, etc. Both VPS's well under 10 gig in size not including any backups stored on the VPS.
For the more important VPS, VPS1, I am packaging the cpanel account (50mb) and SCPing it to VPS2.
I am also running pkgacct on the cPanel accounts on VPS2 (about 2 gig total; one tar.gz is 1.5gb, three others around 250mb, the others smaller) and storing them on VPS2.
I then have WS_FTP scheduled to download the cpanel tar.gz files each night to a local machine.
I also have WHM setup to do daily incremental backups, but am not moving any of these offsite.
So, it seems I have three options:
1. Keep doing what I am doing.
2. Keep moving VPS1 tar.gz files to VPS2, but also start moving VPS2 tar.gz files to VPS1.
3. Start moving tar.gz files (or raw files with rsync) to offsite storage.
I'm curious on some feedback about the three options. These are personal sites, I am not reselling any sites/packages.
It seems like from a data security standpoint (email and stuff), the more 'locations' introduced into the loop, the less security there will be. Does anyone get concerned about moving their email and other data to offsite storage services?
As I said, I have a technical solution currently working, but I am wondering about the theory/data protection aspects of the various options for going forward.
Apr 7, 2008
How much do cross connect fees cost in the Equinix/Dallas Infomart and a Level3-owned datacenter? Is it priced according to the size of the circuit?
Jun 8, 2007
I am about to sign up for Equinix's colocation service in LA. I am just curious if anyone else is paying similarly outrageous cross connect fees. They are charging $300 for Ethernet and $200 for DS3.
Mar 30, 2014
I'm trying to set up a login script on twenty subdomains that will be checked on another subdomain. I've found this example for different domains and figure it should be simple enough to utilise but my ereg is crappy
<IfModule mod_headers.c>
# Match the Origin header against an explicit whitelist; dots are escaped so "." only matches a literal dot
SetEnvIf Origin "^http(s)?://(www\.)?(domain1\.com|domain2\.com)$" AccessControlAllowOrigin=$0
# $0 is the whole matched Origin; the header is only sent when the whitelist matched
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
</IfModule>
Jun 12, 2007
Does anyone have experience with a remote MySQL server setup?
I have 2 servers in the same datacenter; 1 serves as the web server and 1 serves as the MySQL server.
Would my remote MySQL server slow down my site load if it's not connected through a cross cable? It's in the same datacenter though.
Nov 26, 2014
We have the following rule in httpd-vhosts.conf and it was working all OK.
All of a sudden we found one day that it had stopped working, and we did some configuration tweaks to this rule, but none of them worked.
During troubleshooting, the last change was disabling mod_security, and after that it started working again. However, the next day we enabled mod_security again to get the issue replicated, but found it working all OK.
Any clue for such behaviour of Apache? Why would the following working rule all of a sudden stop working and then start working again?
<IfModule mod_headers.c>
# Origin whitelist; dots are escaped so "." only matches a literal dot
SetEnvIf Origin "^https://(www\.)?(v1\.abc\.com|v1ak\.abc\.com|v2\.asite\.com)$" AccessControlAllowOrigin=$0
# $0 is the whole matched Origin and is echoed back only when the whitelist matched
Header Set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header Set Access-Control-Allow-Credentials "true"
Header Set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header Set Access-Control-Allow-Headers "origin, content-type, accept, X-Requested-With"
Header always unset Expires
</IfModule>
OS and Apache Version details are below:
Apache Version :2.2.27(win32), OS: Windows 2008 R2, ModSecurity Rule Set ver.1.5
Mar 25, 2008
OS: Linux CentOS
I just got an additional 500GB hard drive added and mounted it to /home2.
There are files in /home1 (the original HD) that will need to be constantly moved over to /home2 via FTP,
but I keep getting this error:
550 Rename/move failure: Invalid cross-device link
Does anyone have any ideas? I tried changing permissions but no luck also tried mounting the 2nd hard drive within a directory in /home1. Still gives the error.