The Community Forums

Count.cgi: risky?

Discussion in 'General Discussion' started by bear, Mar 10, 2007.

  1. bear (Well-Known Member, cPanel Access Level: Root Administrator)

    I've been using a server management company to help manage things, and as part of the hardening process, they have disabled the "Count.cgi" script in CP's back end. Clients complained, naturally, so I asked them and they said it's been hacked in the past so they disable it. I know how to enable it again, but before I do anything, I thought to ask about it first.

    Now I know that scripts can be hacked if poorly written, or if the attacker is clever enough, but can this claim be substantiated? Anyone know of an actual attack that can be attributed to this script in Cpanel?
  2. HostMerit (Well-Known Member, DataCenter Provider, New Jersey, USA)

    Of course

    cPanel is full of holes. We just had to echo "" >, chmod 000 and chattr the guestbook.cgi feature due to a spam issue (cough, fix it, cough).

    But if they disabled it, keep it disabled, it's probably for the best :mad:
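    The disable-and-lock-down steps HostMerit sketches above, as an added example (not code from the thread or from cPanel): a POSIX shell function that empties the script, strips all permissions and, where chattr is available and you are root, sets the immutable bit, plus a check that the file stayed neutralized. The file path used is a constructed placeholder, not the panel's real install location.

```shell
#!/bin/sh
# Added example, not from the thread: neutralize a vendor-shipped CGI script
# so it cannot run, and verify the state later (e.g. after a panel upgrade).

# neutralize_cgi FILE: back up, truncate, chmod 000, try chattr +i.
neutralize_cgi() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # keep a copy for later review; readable only by the owner
    cp -p "$f" "$f.disabled.bak" && chmod 600 "$f.disabled.bak"
    # clear a leftover immutable bit from an earlier run (needs root; ignore failure)
    chattr -i "$f" 2>/dev/null || true
    : > "$f"          # truly empty, unlike echo "" which still writes a newline
    chmod 000 "$f"    # no read/write/execute for anyone
    # chattr +i needs root and an ext-family filesystem; treat absence as non-fatal
    if command -v chattr >/dev/null 2>&1; then
        chattr +i "$f" 2>/dev/null || echo "note: could not set immutable on $f" >&2
    fi
    return 0
}

# check_neutralized FILE: returns 0 only if FILE exists, is empty and has mode 000.
check_neutralized() {
    f=$1
    [ -f "$f" ] || return 1
    [ -s "$f" ] && return 1                        # non-empty: code came back
    [ -n "$(find "$f" -perm 000 2>/dev/null)" ] || return 1
    return 0
}
```

Run check_neutralized from cron or after each panel update: a non-zero exit means the script was re-shipped or re-enabled.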
  3. rainboy (Active Member, Eindhoven)

    What has a guestbook.cgi to do with cPanel being full of holes? It's merely a standard script they deliver with it.

    I do believe if these scripts indeed are 'vulnerable', cPanel should do more to warn their users and educate them. They are anything but cheap, so I would expect their security bulletins to be a bit more frequent. Up to today I don't see anything about the guestbook.cgi, while several hosting companies did warn for it already. What's the deal?!

    Or did I miss an announcement on their security page, which is not there? http://www.cpanel.net/security/ is also missing the Fantastico vulnerability. (I know this is an addon for cPanel, but since they also posted the WordPress one, I would expect this one to be covered too.)

    If they disabled the count.cgi, maybe it's time for you to search for an alternative which is safer to use?

    Kindest regards,
    Patrick
  4. HostMerit (Well-Known Member, DataCenter Provider, New Jersey, USA)

    cPanel's lack of poise and rationality.

    If you distribute it, at least make sure the bloody thing doesn't have any holes or, ahem, root, ahem, vulnerabilities (check out some other binaries of yours for that, cPanel).

    Regardless, this is from a security expert who writes his own mod_sec script that's used on thousands of servers worldwide: cPanel is full of holes. The more glitter and glam you add, the more rubbish and bloatware you have. cPanel could be a lot lighter; they could give the option to use qmail instead of Exim as an MTA, since Exim SUCKS and uses TOO MUCH SERVER LOAD (try MailScanner or even scanners on Exim and get a lot of spam, and your server spirals down, compliments of Exim).

    These are some issues not being done / no communication with customers, and a lack of options, and ones that should be standard in my opinion. And yes, those two little exploits, little spoken of. I wonder what revision those will be fixed in, or maybe we should file a BugZilla? :mad: :mad: :mad:

    Comments Welcome. Hate welcomed even more :p

    BTW: I've already exposed two exploits, one Fantastico and one, of course, cPanel, that got into the wild. There are many; use mod security, and use it frequently. Kernel updates are your friend, not foe.
    #4 HostMerit, Mar 14, 2007
    Last edited: Mar 14, 2007