  1. #196
    Member
    Join Date
    Jul 2004
    Posts
    203

    Default

    Quote Originally Posted by randomuser
    How about a friggin sticky across all forums with the latest and greatest patch/security check?
    This thread is outta control.
    I Agree.
    Regards,
    RAIS


    { RAIS Hosting }~{ Superior Hosting Solutions - Personal, Business, Reseller Solutions. Great value }
    { RAIS Domains }~{ Low cost Domain Name registration services }

  2. #197
    Member
    Join Date
    May 2005
    Posts
    235

    Default

    Ok everything working great now:

    perl cpanel_exploit_checker_092406.pl
    cPanel Exploit Checker 3.0
    Checking /usr/local/cpanel/bin/mysqladmin...safe..Done
    Checking /usr/local/cpanel/bin/hooksadmin...not installed (ok) Done
    Your system has been
    patched!

  3. #198
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by randomuser
    Is this correct after running sec092406.pl ?


    mysqladmin:

    Code:
    BEGIN {
            @INC=grep(!/(^\.|\.\.|\/\.+)/,@INC);
            unshift( @INC, "/usr/local/cpanel" );
            @INC=grep(/^(\/usr\/lib\d*\/perl|\/usr\/local\/lib\d*\/perl|\/usr\/local\/cpanel)/,@INC);
       unshift(@INC,"/usr/local/cpanel");
       @INC=grep(!/^\./,@INC);
    }

    Double unshift's but that won't hurt anything ... Looks Good

  4. #199
    Member
    Join Date
    Jun 2005
    Posts
    159

    Default

    Is this correct after running sec092406.pl ?


    mysqladmin:

    Code:
    BEGIN {
            @INC=grep(!/(^\.|\.\.|\/\.+)/,@INC);
            unshift( @INC, "/usr/local/cpanel" );
            @INC=grep(/^(\/usr\/lib\d*\/perl|\/usr\/local\/lib\d*\/perl|\/usr\/local\/cpanel)/,@INC);
       unshift(@INC,"/usr/local/cpanel");
       @INC=grep(!/^\./,@INC);
    }

    edit: just built a new VDS, which has this:

    Code:
    BEGIN {
            @INC=grep(!/(^\.|\.\.|\/\.+)/,@INC);
            unshift( @INC, "/usr/local/cpanel" );
            @INC=grep(/^(\/usr\/lib\d*\/perl|\/usr\/local\/lib\d*\/perl|\/usr\/local\/cpanel)/,@INC);
    }

    both the VDS and the first server are: 10.8.2-STABLE_120


    more edit: I guess I'll just have to manually remove the last 2 (original) lines from the 5 liner. arg cPanel........
    Last edited by randomuser; 09-24-2006 at 07:16 PM.

  5. #200
    Member
    Join Date
    Aug 2006
    Posts
    194
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Is there an issue with mysql on the latest Cpanel current/edge builds?

  6. #201
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by randomuser
    Is this correct after running sec092406.pl ?


    mysqladmin:

    Code:
    BEGIN {
            @INC=grep(!/(^\.|\.\.|\/\.+)/,@INC);
            unshift( @INC, "/usr/local/cpanel" );
            @INC=grep(/^(\/usr\/lib\d*\/perl|\/usr\/local\/lib\d*\/perl|\/usr\/local\/cpanel)/,@INC);
       unshift(@INC,"/usr/local/cpanel");
       @INC=grep(!/^\./,@INC);
    }

    edit: just built a new VDS, which has this:

    Code:
    BEGIN {
            @INC=grep(!/(^\.|\.\.|\/\.+)/,@INC);
            unshift( @INC, "/usr/local/cpanel" );
            @INC=grep(/^(\/usr\/lib\d*\/perl|\/usr\/local\/lib\d*\/perl|\/usr\/local\/cpanel)/,@INC);
    }

    both the VDS and the first server are: 10.8.2-STABLE_120


    more edit: I guess I'll just have to manually remove the last 2 (original) lines from the 5 liner. arg cPanel........

    Both are fine. Removing the last 2 from the original might make it .001% faster though.
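
The effect of the two `BEGIN` blocks compared in the post above, as an added example that is not part of the original thread and not cPanel's code: it applies the same `grep`/`unshift` lines to a constructed copy of a module search path instead of the real `@INC`, once in the three-line form and once in the five-line form, and compares the results. The sample paths and the helper names `filter_short`, `filter_long` and `uniq_in_order` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample search path (not taken from any real server).
my @sample = (
    '.',                               # current directory
    '../lib',                          # relative path through the parent
    'lib',                             # relative path with no leading dot
    '/home/user/.hidden/lib',          # absolute, but contains "/."
    '/tmp/perl',                       # absolute, outside the allowlist
    '/usr/lib/perl5/5.8.8',
    '/usr/lib64/perl5',
    '/usr/local/lib/perl5/site_perl',
);

# The three-line form posted from the freshly built VDS.
sub filter_short {
    my @inc = @_;
    # Drop entries that start with ".", contain "..", or contain "/.".
    @inc = grep( !/(^\.|\.\.|\/\.+)/, @inc );
    unshift( @inc, "/usr/local/cpanel" );
    # Keep only system perl library directories and /usr/local/cpanel.
    @inc = grep( /^(\/usr\/lib\d*\/perl|\/usr\/local\/lib\d*\/perl|\/usr\/local\/cpanel)/, @inc );
    return @inc;
}

# The five-line form: the same three lines followed by the two older lines.
sub filter_long {
    my @inc = filter_short(@_);
    unshift( @inc, "/usr/local/cpanel" );
    @inc = grep( !/^\./, @inc );
    return @inc;
}

# Collapse duplicates, keeping order, to compare the effective search order.
sub uniq_in_order {
    my %seen;
    return grep { !$seen{$_}++ } @_;
}

my @short = filter_short(@sample);
my @long  = filter_long(@sample);

print "3-line result:\n", map( "  $_\n", @short );
print "5-line result:\n", map( "  $_\n", @long );
print "same effective search order: ",
    ( join( "\n", uniq_in_order(@short) ) eq join( "\n", uniq_in_order(@long) ) ? "yes" : "no" ), "\n";
```

The two results differ only by a repeated `/usr/local/cpanel` entry at the front of the five-line result, which is the "double unshift" mentioned earlier in the thread.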

  7. #202
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by WireNine
    Is there an issue with mysql on the latest Cpanel current/edge builds?

    Some people have reported a problem with seeing new dbs in phpmyadmin. It's currently being investigated.

  8. #203
    Member
    Join Date
    Dec 2003
    Location
    PA
    Posts
    108
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Well, you can see the databases now in cpanel, but when you go to phpMyAdmin we are now getting these errors:

    Warning: session_write_close(): open(/tmp/sess_4fd40f552ff324f4dcb2163ff90cb39e, O_RDWR) failed: Permission denied (13) in /usr/local/cpanel/base/3rdparty/phpMyAdmin/index.php on line 44

    Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in /usr/local/cpanel/base/3rdparty/phpMyAdmin/index.php on line 44

    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/cpanel/base/3rdparty/phpMyAdmin/index.php:44) in /usr/local/cpanel/base/3rdparty/phpMyAdmin/index.php on line 101

  9. #204
    Member
    Join Date
    May 2003
    Posts
    24

    Default confused

    Hello,
    I've done /scripts/upcp and ran sec092406.pl.

    Now when I run the first checker "cpanel_exp_check_09_24_06[1].pl.txt" it shows
    -------------
    not safe
    -------------

    but if I run the latest checker "cpanel_exploit_checker_092406.pl", it shows this.
    -------------
    cPanel Exploit Checker 3.0
    Checking /usr/local/cpanel/bin/mysqladmin...safe..Done
    Checking /usr/local/cpanel/bin/hooksadmin...not installed (ok) Done
    Your system has been
    patched!
    -------------

    Does this mean the server is safe now?

    Thanks.

  10. #205
    Member
    Join Date
    Aug 2002
    Posts
    48

    Default

    Quote Originally Posted by sfxx
    Hello,
    I've done /scripts/upcp and ran sec092406.pl.

    Now when I run the first checker "cpanel_exp_check_09_24_06[1].pl.txt" it shows
    -------------
    not safe
    -------------

    but if I run the latest checker "cpanel_exploit_checker_092406.pl", it shows this.
    -------------
    cPanel Exploit Checker 3.0
    Checking /usr/local/cpanel/bin/mysqladmin...safe..Done
    Checking /usr/local/cpanel/bin/hooksadmin...not installed (ok) Done
    Your system has been
    patched!
    -------------

    Does this mean the server is safe now?

    Thanks.
    I was just going to post that. Very confusing as to what is going on.

    I was "safe" last night after /upcp, now running this new script it has made me "not safe".

    If I run...

    wget -q -O - http://layer1.cpanel.net/installer/sec092406.pl | perl

    am I completely patched up or not regardless of what the old checker script says?
    Last edited by 0utlier; 09-24-2006 at 10:25 PM.

  11. #206
    Member
    Join Date
    Aug 2003
    Posts
    385

    Default

    Getting the same thing here....

    CentOS 3

  12. #207
    Member
    Join Date
    Jun 2002
    Posts
    49

    Default

    Quote Originally Posted by 0utlier
    I was just going to post that. Very confusing as to what is going on.

    am I completely patched up or not regardless of what the old checker script says?
    This has been an evolving process. Only run the latest scripts/checks as the patch has been changing so the old checks won't properly work.

    [ EDIT: The rest removed due to me being even more stupid. ]

    Hal
    Last edited by hbouma; 09-25-2006 at 02:08 AM.

  13. #208
    Member
    Join Date
    Feb 2003
    Posts
    190

    Default

    Is an upcp --force gonna fix this crap or do we have to update all servers to edge/current? Can we have an official word on this...my freakin head hurts. Enough already...let's get this fixed.

  14. #209
    Member
    Join Date
    Aug 2002
    Posts
    48

    Default

    I just re-read this entire thread and I think I know what's going on. If you want to use the patch method then use the most current version of the patch located at http://forums.cpanel.net/showthread.php?t=58134 which is a sticky at the top of every forum. The most current version appears to be version 3.

    --------------------------------------------------------------------------------------------------

    The version 3 of the patch script supersedes all other patch scripts and you NEED to use the newest version (version 3) of the patch script (located at http://forums.cpanel.net/showthread.php?t=58134) to be safe, regardless of whatever other script you've used with the patch method.

    --------------------------------------------------------------------------------------------------

    Is the above statement correct?

  15. #210
    Member
    Join Date
    Jan 2004
    Posts
    123

    Default

    Quote Originally Posted by hbouma
    The problem I've noticed on all my servers tonight after running /scripts/upcp, I still have to run cpanel_exploit_checker_092406.pl because the 2nd patch is not done. For example, after running /scripts/cpup I get:

    # perl cpanel_exploit_checker_092406.pl
    cPanel Exploit Checker 3.0
    Checking /usr/local/cpanel/bin/mysqladmin...safe..Done
    Checking /usr/local/cpanel/bin/hooksadmin...not installed (ok) Done
    Your system has been patched!
    What makes you say that upcp has not updated this server?

    Assuming the tests/patches for this particular hole are now working correctly, mysqladmin is passing the test, and the file hooksadmin does not exist ("not installed") which it doesn't on either some of the cpanel trees or certain distros - I don't have it on my stable or release boxes so I couldn't tell you what it does - but because it's not there, it's 'ok'.

    "Your system has been patched" appears whenever the script completes successfully and all the files are deemed to be safe. It doesn't necessarily mean it's actually done anything to achieve this.
