cpanel file manager security vulnerability

[chirpy]

It really shouldn't be that difficult to follow

There is only one version number of cPanel. The release trees are simply milestones along version development. You will always know if, e.g., this fix is in the tree you are running because the tree version will be equal to or greater than the version that it was fixed in

[/bin/bash.org]

That's lovely too. If I was to take bets on when 10.8.1-S114 will reach 10.8.2-E1, I'd back being an old man by then. From the amount of bugs in File Manager and WysiwygPro listed in the changelog, cPanel appear to have bumped things a version.

And all that aside - we have a remotely exploitable hole - that isn't being fixed - hasn't been notified to customers - the bugzilla entry is locked so we can't investigate for ourselves - and we're ("we" as in those who happened to notice some reports before it is all quietly swept under the carpet) being told the solution is to upgrade to a version that lists one of it's recent fixes as "killacct deleting incorrect MySQL databases". Do I really need to explain what's wrong with this picture?

[rs-freddo]

Just to let people know that sites are being hacked. Doesn't seem to give root access, but sites are erased.

[forlinuxsupport]

Hi

the way I understand the changelog is that the version number is unique !!!

So if the current build is version 100. Then EDGE will be 101. so when current reaches say 105. It will include all the changes made into versions below 105. So it will include edge below it. and so on and so on.

I agree the version number needs work.

4 Separate displays for each branch, Stable, Release, current and edge would make it easier for us to understand it.


cheers
andy

[jackie46]

Quote:

Originally Posted by rs-freddo

Just to let people know that sites are being hacked. Doesn't seem to give root access, but sites are erased.

Is there a mod security rule that stop it?

[rs-freddo]

I just did the chmod outlined on page 1 and then went thru and deleted the WysiwygPro directory in all sites that had it. Luckily only one site was defaced and that was only being used for email, so the webpages were of no consequence.

[Nic]

Quote:

Originally Posted by rs-freddo

I just did the chmod outlined on page 1 and then went thru and deleted the WysiwygPro directory in all sites that had it. Luckily only one site was defaced and that was only being used for email, so the webpages were of no consequence.

How did you find websites with WysiwygPro?
Update: OK, I believe via

Code:

find / -name WysiwygPro

[rs-freddo]

find /home/ -name WysiwygPro -type d -exec ls -al {} \;

It's a bit messy but I was in a hurry.

Yes, your code would be neater.

then again something like:
find /home/ -name WysiwygPro -type d -exec rm -rf {} \;
might do the whole thing in one go. I'm not entirely comfortable running rm -rf without the option of OK'ing each delete...
This isn't much use really as I did need to check that each client was not defaced.

[Nic]

Thank you, Michael.

Oh well...I have hundreds of websites with WysiwygPro.
Upgrading to bleeding EDGE is not our choice...

[trparky]

I have always wondered why CPanel doesn't develop using multiple code trunks, much like Mozilla does.

For instance, Mozilla.org had to release a new version of FireFox to fix a Javascript vulnerability. They released 1.5.0.3 to fix it. Originally 1.5.0.3 was to be a bigger release, but they had to release 1.5.0.3 faster, so they pushed all changes made to the trunk up to the 1.5.0.4 tree and then released 1.5.0.3 minus the changes they did that they are including in 1.5.0.4.

Makes more sense to me to have multiple development trunks. That way, if things go bad, like in this case, they can back port changes to previous versions.

And for that matter, every time something big happens, like a bug fix, CPanel has to go all the way back to the EDGE state to test it. Yeah, I know, testing and all, but some bug fixes are so small, so insignificant that they can easily just say, "Ok, the bug fix is so simple that there is no need for such a huge step back to EDGE."

The killing of wrong databases, that bug fix was so simple that it didn't need to be declared an EDGE build. Even people with limited coding knowledge but do know something about MySQL can see that. Simple fix!

[khoonchee]

the built does not shows up in the changelog any more, does it means it has been sent to the Release tree cause our Cpanel box are running release tree built.

[SoftDux]

Is this problem being addressed? What does cPanel have to say about it? I surely don't want to have my client's sites compromised, and I don't want to get a new control panel and teach my clients "new tricks" just because of this

[chirpy]

It was fixed in all versions once STABLE went to 10.8.2

[tweakservers]

I have a reply from Nick that the RELEASE version also include the fixes for all Linux builds except for FREEBSD.