  1. #166
    Member
    Join Date
    Jul 2004
    Posts
    203

    Default

    An issue yes. A major issue no.

    A security issue must be dealt with as a higher priority. This issue isn't really that much of an issue as most users just set up the DB and user perms then move on to a web based SQL injection process, therefore phpMyAdmin would only be a tool to debug an SQL site.

    All in all, it's an issue that does require some attention
    Regards,
    RAIS


    { RAIS Hosting }~{ Superior Hosting Solutions - Personal, Business, Reseller Solutions. Great value }
    { RAIS Domains }~{ Low cost Domain Name registration services }

  2. #167
    Member
    Join Date
    Dec 2003
    Location
    PA
    Posts
    108
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Our issue is that cPanel isn't recognizing the databases at all.
    We can't create new ones
    and we can't see existing ones

    If you try to hit phpmyadmin you get a wrong username and pass error

  3. #168
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default Updated Patcher/Checker (this will probably be the final one for the security adviso

    Updated Patcher:
    http://layer1.cpanel.net/installer/sec092406.pl

    Updated Checker:
    http://layer1.cpanel.net/installer/c...cker_092406.pl

    The auto patcher in the installer has been updated

    Summary:
    * The patch is now pure perl and doesn't rely on the 'patch' utility (this was causing older versions of cPanel to not be patched).
    * Solves Problems with mysql interaction on 64-bit systems.
    * Solves Problems with creating databases with non latin charsets.
    * More robust security checks (the last patch could still allow the exploit to work if it was modified if you were running RELEASE/STABLE [the CURRENT,EDGE,NIGHTLY have a patch in the wrapper that stops this problem dead instead of patching around it] )

    The official security advisory should be ready late tonight/tomorrow morning.

  4. #169
    Member
    Join Date
    Jul 2004
    Posts
    203

    Default

    Quote Originally Posted by merlinpa1969
    Our issue is that cPanel isn't recognizing the databases at all.
    We can't create new ones
    and we can't see existing ones

    If you try to hit phpmyadmin you get a wrong username and pass error

    Search the cPanel forums, I had that error before.

    I **Think** I simply reset the root MySQL password, I can't remember for sure though.
    Regards,
    RAIS


    { RAIS Hosting }~{ Superior Hosting Solutions - Personal, Business, Reseller Solutions. Great value }
    { RAIS Domains }~{ Low cost Domain Name registration services }

  5. #170
    Member
    Join Date
    Jun 2002
    Posts
    49

    Default What is going on here?

    This mess just keeps getting worse.

    I just updated a cPanel server that the script then said was secure:

    # perl sec092306.pl
    cPanel Security Patch (sec092306) v2
    Patching Mysql (1)
    Patching Mysql (2)
    Patching Mysql (3)
    Patching Mysql (4)
    Patching Mysql (1)
    Patching Mysql (2)
    Patching Mysql (3)
    Patching Mysql (4)
    Patch Complete
    Checking for safety...

    safe

    Done
    Ran it again a few minutes later

    # perl sec092306.pl
    cPanel Security Patch (sec092306) v2
    Patching Mysql (1)
    Patching Mysql (2)
    Patching Mysql (3)
    Patching Mysql (4)
    Patching Mysql (1)
    Patching Mysql (2)
    Patching Mysql (3)
    Patching Mysql (4)
    Patch Complete
    Checking for safety...

    not safe

    Done
    So how does a server that was 'secure' now become insecure? Running /scripts/upcp again didn't fix it either.

    I have no clue what is going on anymore.

    Hal

  6. #171
    Member
    Join Date
    Jan 2004
    Posts
    123

    Default

    Am I allowed to ask why we are patching rather than just replacing the file and incrementing the version number so that people have a dead cert way of easily identifying a vulnerable version?

  7. #172
    Member
    Join Date
    May 2005
    Posts
    235

    Default

    Your link for the checker is broken.

  8. #173
    Member rs-freddo's Avatar
    Join Date
    May 2003
    Location
    Australia
    Posts
    819
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by rs-freddo
    You don't need to do --force just /scripts/upcp

    The reason it didn't work the first time is that cpanel put out two patches. The first one only did half the job, which is why you had to run /scripts/upcp later in the day. If you were one of the people who patched early - you need to test your boxes, chances are you need to run /scripts/upcp again.
    And cPanel have issued a third patch, so if you have patched previously you need to patch again...
    Michael

  9. #174
    Member
    Join Date
    Jun 2002
    Posts
    49

    Default

    EDIT: Never mind me. Being stupid.

    Hal
    Last edited by hbouma; 09-24-2006 at 06:33 PM.

  10. #175
    Member
    Join Date
    Mar 2005
    Posts
    5

    Default

    From the patch checker tool I am getting:

    Code:
    Checking /usr/local/cpanel/bin/mysqladmin...safe..Done
    Checking /usr/local/cpanel/bin/hooksadmin...not installed (ok) Done
    Your system has been
    patched!
    Is this ok?

  11. #176
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by zigzam
    Your link for the checker is broken.
    Probably still propagating to all the update servers .. try again in 30 sec.

  12. #177
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by cinusik
    cpanelnick, what about mysql issue? any progress? Thanks in advance for your reply.
    http://bugzilla.cpanel.net/show_bug.cgi?id=4611
    Confirmed on our 20 servers and few people here.
    It's being worked on right now (#2 priority though)

  13. #178
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by bogdan2003
    From the patch checker tool I am getting:

    Code:
    Checking /usr/local/cpanel/bin/mysqladmin...safe..Done
    Checking /usr/local/cpanel/bin/hooksadmin...not installed (ok) Done
    Your system has been
    patched!
    Is this ok?

    Yes, by all means.

  14. #179
    Member
    Join Date
    Jun 2004
    Location
    Jonesboro, AR
    Posts
    15

    Default

    I've had no problems getting the patch applied (after the 3 updates in an hour yesterday); however, I (like a lot of the other people here) am having issues with PHPMyAdmin. I understand that this is less of a priority than a privilege escalation but it's still a huge huge problem.
    Michael Chase
    Clear-Data Internet Services - Inexpensive website, reseller, and game server hosting.

  15. #180
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by rs-freddo
    And cPanel have issued a third patch, so if you have patched previously you need to patch again...
    If you are running the latest CURRENT/EDGE/NIGHTLY there is no need to patch unless you are having problems with mysql.


    Hopefully the last. We will put out as many revisions as needed to make sure it works for everyone. (we targeted 48 hours to be 100% [read above].. looks like we are still on target for that)
