In Progress [CPANEL-25968] mod_status data suppression improvement

stormthefront

Member
Hello,

It is quite interesting how nobody, including the article's author(s), has posted anything with regard to hosting.review's "super-duper" discovery of arbitrary access to whm-server-status and server-status by sending curl/lynx GET requests to 127.0.0.1 from end client web pages. Is this something you guys are going to address?

Thanks.
 

cPanelMichael

Administrator
Staff member
Hello,

The reported behavior is a longstanding issue with Apache's mod_status module. We've not seen anything to indicate Apache is planning to address the issue in the near future, so our developers are researching and exploring the best way to implement a patch for cPanel & WHM servers that doesn't adversely affect existing functionality. The internal case number is CPANEL-25968. I'll monitor this case and update this thread with more information as it becomes available.

Let us know if you have any questions.

Thank you.
 

nickgr67

Registered
A temporary fix until the official one comes out

In WHM:
Home >> Service Configuration >> Apache Configuration >> Include Editor >> Post VirtualHost Include

Replace 192.168.1.1 10.10.10.10 with your own static IPs so only you can see the server status.
The line
Deny from 127.0.0.1 ::1
may not be necessary, but I had no time to test.

Put this in the editor:

<IfModule status_module>
    # This is used by the WHM 'Apache Status' application
    <Location /whm-server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Deny from 127.0.0.1 ::1
        Allow from 192.168.1.1 10.10.10.10
        <IfModule security2_module>
            SecRuleEngine Off
        </IfModule>
    </Location>
</IfModule>

Now you can see the server status from https://my.server.com/whm-server-status when connected from IPs 192.168.1.1 10.10.10.10, and the cPanel link "Apache status" returns "Failed to receive status information from Apache."
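
An added example, not part of the thread and not cPanel's code: a small Python check that applies the Order/Deny/Allow rules of each server-status Location block to loopback addresses and reports which of them could still read the page. The function names and the LOOPBACK_OPEN sample are constructed for illustration, and only `Order deny,allow` / `Order allow,deny` with IP or CIDR arguments are evaluated.

```python
import ipaddress
import re

# POSTED: from the post above. LOOPBACK_OPEN: constructed, not cPanel's shipped config.
POSTED = """<Location /whm-server-status>
SetHandler server-status
Order deny,allow
Deny from all
Deny from 127.0.0.1 ::1
Allow from 192.168.1.1 10.10.10.10
</Location>"""
LOOPBACK_OPEN = """<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1
</Location>"""

def status_locations(conf):
    """Yield (path, body) for each <Location> block handled by mod_status."""
    for m in re.finditer(r"<Location\s+(\S+?)>(.*?)</Location>", conf, re.S | re.I):
        if re.search(r"^\s*SetHandler\s+server-status\s*$", m.group(2), re.M | re.I):
            yield m.group(1), m.group(2)

def _hit(body, directive, client):
    """True if any '<directive> from ...' argument covers the client address."""
    ip = ipaddress.ip_address(client)
    lines = re.findall(rf"^\s*{directive}\s+from\s+(.+)$", body, re.M | re.I)
    for host in (h for line in lines for h in line.split()):
        if host.lower() == "all":
            return True
        try:
            if ip in ipaddress.ip_network(host, strict=False):
                return True
        except ValueError:
            continue  # hostnames and partial IPs are skipped in this example
    return False

def allowed(body, client):
    """Apply Order/Deny/Allow (mod_access_compat) to one client address."""
    m = re.search(r"^\s*Order\s+(\S+)", body, re.M | re.I)
    allow, deny = _hit(body, "Allow", client), _hit(body, "Deny", client)
    if m and m.group(1).lower() == "allow,deny":
        return allow and not deny  # default is deny
    return allow or not deny  # deny,allow: Allow overrides Deny, default is allow

def audit(conf, probes=("127.0.0.1", "::1")):
    """Map each status location to the probe addresses allowed to read it."""
    return {path: [p for p in probes if allowed(body, p)]
            for path, body in status_locations(conf)}
```

Running `audit()` over the text of the generated Apache configuration after each rebuild shows whether a status location has become readable from loopback again.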
 

stormthefront

Member
Hello,

Yeah, exactly - the "exploit" in the article is not some mind-boggling novelty in the way the authors are trying to present it.
Either way, you have to take into consideration the fact that EA4 recompilation will result in getting back the old values. Our own temporary "patch" includes tweaking /var/cpanel/templates/apache2_4/ea4_main.default to have the changes persist after EasyApache recompilation.

Thanks.