cpanel file manager security vulnerability

[phiber]

Take a look at this:
http://freepgs.com/ledbetter/wordpress/?p=261

Is it true?

[/bin/bash.org]

Is it true?

/me puts his tinfoil hat on at a jaunty angle

You know, considering the original forum post referred to in the article seems to be missing, it's hard to say. My gut feeling is this would be big enough to warrant a "please remove your post while we fix this" request from cpanel. If it was simply mistaken, I'd expect a retraction/clarification post rather than removal. fwiw, I've disabled File manager on all my cpanel machines until we find out more.

Edit: Interesting - I disabled file manager (whm -> packages -> feature manager -> disabled -> untick FM -> save), yet I can still access it through cPanel. WHM 10.8.0 - cPanel 10.8.1-S114

[phiber]

I can still access it too. Yes, I've restarted cpanel services.

[gemby]

I can still access it too. Yes, I've restarted cpanel services.

I confirm, i can access it too regardles if it is on or off in a feature manager.

[chirpy]

This was discussed some days ago and is fixed in EDGE if you check the changelog.

[gemby]

This was discussed some days ago and is fixed in EDGE if you check the changelog.

Btw, is there any quickhack how to disable it completly until things settle down?

[jamesbond]

I assume this is only exploitable if one has access to a cpanel account?

[chirpy]

Btw, is there any quickhack how to disable it completly until things settle down?

I'm not aware of one - if you're worried then you'll have to go to EDGE.

[chirpy]

I assume this is only exploitable if one has access to a cpanel account?

That assumption would be wrong. The cPanel user needs to setup the WysiwygPro editor by using it in the cPanel File Manager, but after that it's exploitable by anyone.

[jamesbond]

Well, I hope someone comes with a solution without having to upgrade to EDGE.

How can we see which users have used file manager previously? (which would make those accounts exploitable by everyone, right?) My cpanel logs don't go back so far.

As a temporary fix I chmodded the cpanel WysiwygPro directory to 000.

[/bin/bash.org]

This was discussed some days ago and is fixed in EDGE if you check the changelog.

Sorry, I must have missed that discussion. Can I just confirm my understanding please - this affects all cPanel versions, but the fix is currently being TESTED in Edge? That is, what is in Edge eventually filters down to Release and Stable. Especially a fix for a remotely exploitable hole that we can't workaround, right? Call me paranoid, but I'm reluctant to move my production servers to a "bleeding edge" level code base.

[chmod]

chmod 000 /usr/local/cpanel/3rdparty/WysiwygPro

will disable it across the server.
when its fixed just chmod it again with

chmod 755 /usr/local/cpanel/3rdparty/WysiwygPro

[chirpy]

Call me paranoid, but I'm reluctant to move my production servers to a "bleeding edge" level code base.

That's your choice. But the cPanel release method means that if you want any recently developed feature immediately then you have to run whichever tree has it implemented. cPanel could certainly release all trees to the same level as EDGE is at now, but they would all then contain the same code. Since cPanel only maintain a single version number, regardless of the number of trees, then that is the choice you have.

[/bin/bash.org]

That's your choice. But the cPanel release method means that if you want any recently developed feature immediately then you have to run whichever tree has it implemented. cPanel could certainly release all trees to the same level as EDGE is at now, but they would all then contain the same code. Since cPanel only maintain a single version number, regardless of the number of trees, then that is the choice you have.

I really must be out of the loop on the way the cPanel devs, versions, and code releases work. I'm struggling to comprehend how a fix for a remotely exploitable hole could be deemed a feature, and requires an "upgrade" to what cPanel themselves describe as a bleeding edge release. What actually is my system doing during the cpup process if not applying updates and fixes? What fixes are going in that remotely exploitable holes aren't worthy of attention?

Anyway, I appreciate that you are just the messenger, so I'll take this up directly with cPanel.

As an aside, chirpy - now there's a Spanish forum, how about a security forum with date stamped topics so we can easily see what issues are current and those resolved or with workarounds available? I can't imagine what it's like for you, but I find it tiring chasing 6 threads around 4 forums on the same topic, only to see answers like "Oh, we discussed that a few days ago" without any reference to what/where/how/etc. Maybe we can keep security discussions in one place and reduce redundancy?

--Matt ;^]

[sparek-3]

I think the deficiencies in the CPanel changelog are well documented. I don't have a problem with the current changelog, but I think it would also be helpful to have a changelog for the other versions as well (Current, Release, Stable). This way you know what issues are resolved in your current version. As it stands now, if a new Current is released, you don't really know if it contains the fix for this exploit or not, its just more or less a guess.

Perhaps this should be logged in Bugzilla as an enhancement request. However, I do see where there are some similar requests in Bugzilla that appear to be somewhat dated.

I know this post is somewhat off-topic and I apologize for that. If concerns about the ChangeLog warrant further discussion, I would recommend that someone post a new topic rather than take this thread further off course. I posted in this thread because I thought it was important to bring to the attention some of the confusion over the current ChangeLog and why some users are confused as to what security/bug fixes have been applied to their current CPanel version.