Compressed files vulnerability??

Discussion in 'General Discussion' started by drycola, Sep 24, 2009.

  1. drycola

    drycola Registered

    Hello people,

    I have paid hosting with cPanel. I tried to extract a compressed tar.bz2 file using File Manager but I couldn't do so. I contacted the hosting company and they told me that they have disabled this feature due to 'Security Reasons'. They told me that there is a new security threat related to this function and they will not restore it until an Update/Patch from cPanel for this problem is released.
    So what exactly is this security threat? And will there be a patch for it, or a new release that will fix it? If so, when will that be released?

    Thanks in advance
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Please PM me the name of your hosting company.
     
  3. Spiral

    Spiral BANNED

    Security is my field and I am currently unaware of any particular "new" threat of any significance regarding the applications that you mentioned in your post above but let's go over a few things I do know about these ...

    If you are referring to the old legacy File Manager, I don't recommend using it for a lot of reasons regardless.

    Could your host possibly be talking about the "File Manager XSS Vulnerability" discovered last March? But that is pretty much old news and should not be a problem if you have the latest updates, correct cPanel configuration settings, and proper security measures in place.

    - More info on this vulnerability is HERE -

    Could your host perhaps be confusing the BZIP2 security issue actually discovered a while back?

    Regarding BZIP2, there was indeed a known vulnerability up through 1.0.4 but it was patched in 1.0.5. Since cPanel has nothing to do with the distribution or updates of system core components such as BZIP2, it would be up to each server owner to upgrade base items like this to the current version!

    To tell what version a server is running:
    Code:
    # bzip2 --version
    Server owners who are not running at least 1.0.5 should upgrade:
    Code:
    # cd /usr/local/src
    # wget http://www.bzip.org/1.0.5/bzip2-1.0.5.tar.gz
    # tar zxvf ./bzip2-1.0.5.tar.gz
    # cd ./bzip2-1.0.5
    # make
    # make install PREFIX=/usr
    # bzip2 --version   
    
     
    #3 Spiral, Sep 25, 2009
    Last edited: Sep 25, 2009
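
The version check described in the post above, written as a script that can be run across servers. This is an added example, not part of the original thread: the function names and the sample banner lines are constructed for illustration, and 1.0.5 is the fixed release named in the post.

```sh
#!/bin/sh
# Added example (not from the thread): audit bzip2 against the 1.0.5 release named in the post.
MIN_VERSION="1.0.5"

# Pull "X.Y.Z" out of a banner line; prints nothing when no version is found.
parse_bzip2_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 >= $2, comparing numerically field by field
# (a plain string compare would rank 1.0.10 below 1.0.5).
version_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _fa=${_a%%.*}; _fb=${_b%%.*}
        [ "${_fa:-0}" -gt "${_fb:-0}" ] && return 0
        [ "${_fa:-0}" -lt "${_fb:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# Classify one banner line as "ok X", "outdated X" or "unknown".
check_banner() {
    _v=$(parse_bzip2_version "$1")
    if [ -z "$_v" ]; then echo "unknown"; return 2; fi
    if version_ge "$_v" "$MIN_VERSION"; then echo "ok $_v"; return 0; fi
    echo "outdated $_v"; return 1
}

# Banner of the installed binary. It is written to stderr; stdin is /dev/null
# and stdout is discarded in case the build goes on to compress stdin.
installed_banner() {
    bzip2 --version </dev/null 2>&1 >/dev/null | head -n 1
}

# Constructed sample banners, modelled on the bzip2 banner format.
for banner in \
    "bzip2, a block-sorting file compressor.  Version 1.0.4, 20-Dec-2006." \
    "bzip2, a block-sorting file compressor.  Version 1.0.5, 10-Dec-2007." \
    "bzip2, a block-sorting file compressor.  Version 1.0.10, 01-Jan-2000." \
    "bzip2: command not found"
do
    check_banner "$banner" || true   # non-zero status marks outdated/unknown
done

# Live check, only where bzip2 is present.
if command -v bzip2 >/dev/null 2>&1; then check_banner "$(installed_banner)" || true; fi
```

A distribution package can carry a backported fix under an older upstream version number, so treat "outdated" as a prompt to check the package changelog rather than as proof of exposure.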