Compressed files vulnerability??

Discussion in 'General Discussion' started by drycola, Sep 24, 2009.

  1. drycola

    drycola Registered

    Sep 24, 2009
    Hello people,

    I have a paid hosting with cPanel, I tried to extract a compressed tar.bz2 file using File Manager but I couldn't do so. I contacted the hosting company and they told me that they have disabled this feature due to 'Security Reasons'. They told me that there is a new security threat related to this function and they will not restore it until an Update/Patch from cPanel for this problem is released.
    So what exactly is this security threat, and will there be a patch for it, or a new release that will fix it? If so, when will that be released?

    Thanks in advance
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Apr 7, 2006
    Please PM me the name of your hosting company.
  3. Spiral

    Spiral BANNED

    Jun 24, 2005
    Security is my field, and I am currently unaware of any particular "new" threat of any significance regarding the applications that you mentioned in your post above, but let's go over a few things I do know about these...

    If you are referring to the old legacy File Manager, I don't recommend using it for a lot of reasons regardless.

    Could your host possibly be talking about the "File Manager XSS Vulnerability" discovered last March? That is pretty much old news and should not be a problem if you have the latest updates, correct cPanel configuration settings, and proper security measures in place.

    - More info on this vulnerability is HERE -

    Could your host perhaps be confusing the BZIP2 security issue actually discovered a while back?

    Regarding BZIP2, there was indeed a known vulnerability up through 1.0.4, but it was patched in 1.0.5. Since cPanel has nothing to do with the distribution or updates of system core components such as BZIP2, it would be up to each server owner to upgrade base items like this to the current version!

    To tell what version a server is running:
    # bzip2 --version
    Server owners who are not running at least 1.0.5 should upgrade:
    # cd /usr/local/src
    # wget
    # tar zxvf ./bzip2-1.0.5.tar.gz
    # cd ./bzip2-1.0.5
    # make
    # make install PREFIX=/usr
    # bzip2 --version
    #3 Spiral, Sep 25, 2009
    Last edited: Sep 25, 2009
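
The post above tells server owners to compare the output of `bzip2 --version` against 1.0.5 by eye. The script below is an added example, not code from the forum post or from cPanel, that does the same check mechanically and generalises it: it parses the version out of the bzip2 banner, compares dotted versions numerically (so 1.0.10 is correctly newer than 1.0.9), and treats an unparseable banner as "unknown" rather than "fine". The minimum version 1.0.5 is taken from the post; the banner strings in the comments and tests are constructed to mirror bzip2's real output format.

```sh
#!/bin/sh
# Added example (not from the forum post): check whether the bzip2 first in
# PATH is at least the 1.0.5 the post recommends. The banner strings used
# below are constructed to mirror bzip2's real banner format.

MIN_BZIP2_VERSION="1.0.5"

# Pull "X.Y.Z" out of a banner line such as
#   bzip2, a block-sorting file compressor.  Version 1.0.4, 20-Dec-2006.
# Prints nothing if no "Version N.N.N" is present.
parse_bzip2_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Compare two dotted versions component by component (numeric, not
# lexicographic, so 1.0.10 > 1.0.9). Prints -1, 0 or 1 like strcmp.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"           # leading component of each
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"             # missing components count as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# Exit 0 if the banner reports >= MIN_BZIP2_VERSION, 1 if it is older,
# 2 if no version could be parsed (treat that as "unknown", not "fine").
bzip2_banner_ok() {
    v=$(parse_bzip2_version "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "$MIN_BZIP2_VERSION")" -ge 0 ]
}

# Run the installed binary. bzip2 1.0.x writes the banner to stderr and
# then carries on compressing stdin, so give it /dev/null as input and
# throw stdout away; otherwise it can sit waiting on a terminal or push
# compressed bytes into the pipe.
installed_bzip2_banner() {
    command -v bzip2 >/dev/null 2>&1 || return 1
    bzip2 --version </dev/null 2>&1 >/dev/null | head -n 1
}

if banner=$(installed_bzip2_banner); then
    if bzip2_banner_ok "$banner"; then
        echo "OK: $banner"
    else
        echo "UPGRADE NEEDED (want >= $MIN_BZIP2_VERSION): $banner"
    fi
else
    echo "bzip2 not found in PATH"
fi
```

The check only reports on whichever `bzip2` is first in `PATH`. A source build installed into /usr, as in the steps above, sits outside the distribution's package manager, so on a managed server it is worth also asking the package database what it believes is installed (for example `rpm -q bzip2` on RPM-based systems) and making sure the two agree.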
