cpanel file manager security vulnerability

Discussion in 'Security' started by phiber, Feb 27, 2006.

  1. phiber

    phiber Member

  2. MattGetWeb

    MattGetWeb Well-Known Member

    /me puts his tinfoil hat on at a jaunty angle

    You know, considering the original forum post referred to in the article seems to be missing, it's hard to say. My gut feeling is this would be big enough to warrant a "please remove your post while we fix this" request from cpanel. If it was simply mistaken, I'd expect a retraction/clarification post rather than removal. fwiw, I've disabled File manager on all my cpanel machines until we find out more. ;)

    Edit: Interesting - I disabled file manager (whm -> packages -> feature manager -> disabled -> untick FM -> save), yet I can still access it through cPanel. WHM 10.8.0 - cPanel 10.8.1-S114
     
    #2 MattGetWeb, Feb 28, 2006
    Last edited: Feb 28, 2006
  3. phiber

    phiber Member

    I can still access it too. Yes, I've restarted cpanel services.
     
  4. gemby

    gemby Well-Known Member
    PartnerNOC

    I confirm, I can access it too, regardless of whether it is on or off in the feature manager.
     
  5. chirpy

    chirpy Well-Known Member

    This was discussed some days ago and is fixed in EDGE if you check the changelog.
     
  6. gemby

    gemby Well-Known Member
    PartnerNOC

    Btw, is there any quick hack to disable it completely until things settle down?
     
  7. jamesbond

    jamesbond Well-Known Member

    I assume this is only exploitable if one has access to a cpanel account?
     
  8. chirpy

    chirpy Well-Known Member

    I'm not aware of one - if you're worried then you'll have to go to EDGE.
     
  9. chirpy

    chirpy Well-Known Member

    That assumption would be wrong. The cPanel user needs to set up the WysiwygPro editor by using it in the cPanel File Manager, but after that it's exploitable by anyone.
     
  10. jamesbond

    jamesbond Well-Known Member

    Well, I hope someone comes with a solution without having to upgrade to EDGE.

    How can we see which users have used file manager previously? (which would make those accounts exploitable by everyone, right?) My cpanel logs don't go back so far.

    As a temporary fix I chmodded the cpanel WysiwygPro directory to 000.
     
    #10 jamesbond, Feb 28, 2006
    Last edited: Feb 28, 2006
  11. MattGetWeb

    MattGetWeb Well-Known Member

    Sorry, I must have missed that discussion. Can I just confirm my understanding please - this affects all cPanel versions, but the fix is currently being TESTED in Edge? That is, what is in Edge eventually filters down to Release and Stable. Especially a fix for a remotely exploitable hole that we can't work around, right? Call me paranoid, but I'm reluctant to move my production servers to a "bleeding edge" level code base.
     
  12. chmod

    chmod Well-Known Member

    re

    chmod 000 /usr/local/cpanel/3rdparty/WysiwygPro

    will disable it across the server.
    When it's fixed, just chmod it again with

    chmod 755 /usr/local/cpanel/3rdparty/WysiwygPro
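
The chmod workaround from post #12 in reversible form, as an added example that is not part of any poster's message: it records the directory's current mode before clearing it, so the restore does not have to assume 755. The state-file path and function names are assumptions; the directory path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: script lock | script restore
# WP_DIR defaults to the path quoted in the thread; STATE is an assumed location.
WP_DIR="${WP_DIR:-/usr/local/cpanel/3rdparty/WysiwygPro}"
STATE="${STATE:-/root/wysiwygpro.mode}"

# Print the octal permission bits of a path (GNU stat, as found on Linux hosts).
get_mode() { stat -c '%a' "$1"; }

# Save the current mode once, then remove every permission bit.
# Note: permission bits do not restrict processes running as root, so confirm
# afterwards that the editor is really unreachable.
lock_dir() {
    dir=$1; state=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # A second "lock" must not overwrite the saved mode with 0.
    if [ ! -s "$state" ]; then
        get_mode "$dir" > "$state" || return 1
    fi
    chmod 000 "$dir" || return 1
    [ "$(get_mode "$dir")" = "0" ]
}

# Put back the mode recorded by lock_dir and discard the state file.
restore_dir() {
    dir=$1; state=$2
    [ -s "$state" ] || { echo "no saved mode in $state" >&2; return 1; }
    mode=$(cat "$state")
    case $mode in
        *[!0-7]*|'') echo "bad saved mode: $mode" >&2; return 1 ;;
    esac
    chmod "$mode" "$dir" && rm -f "$state"
}

case ${1:-} in
    lock)    lock_dir "$WP_DIR" "$STATE" ;;
    restore) restore_dir "$WP_DIR" "$STATE" ;;
esac
```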
     
  13. chirpy

    chirpy Well-Known Member

    That's your choice. But the cPanel release method means that if you want any recently developed feature immediately then you have to run whichever tree has it implemented. cPanel could certainly release all trees to the same level as EDGE is at now, but they would all then contain the same code. Since cPanel only maintain a single version number, regardless of the number of trees, then that is the choice you have.
     
  14. MattGetWeb

    MattGetWeb Well-Known Member

    I really must be out of the loop on the way the cPanel devs, versions, and code releases work. I'm struggling to comprehend how a fix for a remotely exploitable hole could be deemed a feature, and requires an "upgrade" to what cPanel themselves describe as a bleeding edge release. What actually is my system doing during the cpup process if not applying updates and fixes? What fixes are going in that remotely exploitable holes aren't worthy of attention? :confused:

    Anyway, I appreciate that you are just the messenger, so I'll take this up directly with cPanel.

    As an aside, chirpy - now there's a Spanish forum, how about a security forum with date stamped topics so we can easily see what issues are current and those resolved or with workarounds available? I can't imagine what it's like for you, but I find it tiring chasing 6 threads around 4 forums on the same topic, only to see answers like "Oh, we discussed that a few days ago" without any reference to what/where/how/etc. Maybe we can keep security discussions in one place and reduce redundancy?

    --Matt ;^]
     
  15. sparek-3

    sparek-3 Well-Known Member

    I think the deficiencies in the CPanel changelog are well documented. I don't have a problem with the current changelog, but I think it would also be helpful to have a changelog for the other versions as well (Current, Release, Stable). This way you know what issues are resolved in your current version. As it stands now, if a new Current is released, you don't really know if it contains the fix for this exploit or not, it's just more or less a guess.

    Perhaps this should be logged in Bugzilla as an enhancement request. However, I do see where there are some similar requests in Bugzilla that appear to be somewhat dated.

    I know this post is somewhat off-topic and I apologize for that. If concerns about the ChangeLog warrant further discussion, I would recommend that someone post a new topic rather than take this thread further off course. I posted in this thread because I thought it was important to bring to the attention some of the confusion over the current ChangeLog and why some users are confused as to what security/bug fixes have been applied to their current CPanel version.
     
  16. chirpy

    chirpy Well-Known Member

    It really shouldn't be that difficult to follow ;)

    There is only one version number of cPanel. The release trees are simply milestones along version development. You will always know if, e.g., this fix is in the tree you are running because the tree version will be equal to or greater than the version that it was fixed in :)
     
  17. MattGetWeb

    MattGetWeb Well-Known Member

    That's lovely too. If I was to take bets on when 10.8.1-S114 will reach 10.8.2-E1, I'd back being an old man by then. From the amount of bugs in File Manager and WysiwygPro listed in the changelog, cPanel appear to have bumped things a version.

    And all that aside - we have a remotely exploitable hole - that isn't being fixed - hasn't been notified to customers - the bugzilla entry is locked so we can't investigate for ourselves - and we're ("we" as in those who happened to notice some reports before it is all quietly swept under the carpet) being told the solution is to upgrade to a version that lists one of its recent fixes as "killacct deleting incorrect MySQL databases". Do I really need to explain what's wrong with this picture?
     
  18. rs-freddo

    rs-freddo Well-Known Member

    Just to let people know that sites are being hacked. Doesn't seem to give root access, but sites are erased.
     
  19. forlinuxsupport

    forlinuxsupport Well-Known Member
    PartnerNOC

    Hi

    The way I understand the changelog is that the version number is unique!!!

    So if the current build is version 100, then EDGE will be 101. So when current reaches, say, 105, it will include all the changes made in versions below 105. So it will include edge below it, and so on and so on.

    I agree the version number needs work.

    4 separate displays for each branch, Stable, Release, Current and Edge, would make it easier for us to understand it.

    :)
    cheers
    andy
     
  20. jackie46

    jackie46 BANNED


    Is there a mod security rule that stops it?
     