Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

In Progress [CPANEL-25968] mod_status data suppression improvement

Discussion in 'Security' started by stormthefront, Mar 7, 2019.

  1. stormthefront

    stormthefront Member

    Joined:
    Apr 15, 2012
    Messages:
    18
    Likes Received:
    1
    Trophy Points:
    53
    cPanel Access Level:
    Root Administrator
    Hello,

    it is quite interesting how nobody including the article's author(s) has posted anything in regards to hosting.review's "super-duper" discovery of arbitrary access to whm-server-status and server-status by sending curl/lynx GET requests to 127.0.0.1 from end client web pages. Is this something you guys are going to address?

    Thanks.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    The reported behavior is a longstanding issue with Apache's mod_status module. We've not seen anything to indicate Apache is planning to address the issue in the near future, so our developers are researching and exploring the best way to implement a patch for cPanel & WHM servers that doesn't adversely affect existing functionality. The internal case number is CPANEL-25968. I'll monitor this case and update this thread with more information as it becomes available.

    Let us know if you have any questions.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. nickgr67

    nickgr67 Registered

    Joined:
    Mar 8, 2019
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    A temporary fix until the official one comes out

    In WHM
    Home >> Service Configuration >>Apache Configuration >> Include Editor >> Post VirtualHost Include

    Replace 192.168.1.1 10.10.10.10 with your own static IPs so only you can see server status
    The line
    Deny from 127.0.0.1 ::1
    maybe is not necessary, but had no time to test

    Put in editor

    <IfModule status_module>
    # This is used by the WHM 'Apache Status' application
    <Location /whm-server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Deny from 127.0.0.1 ::1
    Allow from 192.168.1.1 10.10.10.10
    <IfModule security2_module>
    SecRuleEngine Off
    </IfModule>
    </Location>
    </IfModule>

    Now you can see server status from https://my.server.com/whm-server-status when connected from IPs 192.168.1.1 10.10.10.10 and the Cpanel link "Apache status" returns "Failed to receive status information from Apache."
     
  4. stormthefront

    stormthefront Member

    Joined:
    Apr 15, 2012
    Messages:
    18
    Likes Received:
    1
    Trophy Points:
    53
    cPanel Access Level:
    Root Administrator
    Hello,

    Yeah, exactly - the "exploit" in the article is not some mind boggling novelty in the way the authors are trying to present it.
    Either way, you have to take into consideration the fact that ea4 recompilation will result in getting back the old values. Our own temporary "patch" includes tweaking /var/cpanel/templates/apache2_4/ea4_main.default to have the changes persevere after easyapache recompilation.

    Thanks.
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice