The Community Forums

Interact with an entire community of cPanel & WHM users!

Cpanel/WHM security problem

Discussion in 'Security' started by H2Hosting.com, Jul 16, 2004.

  1. H2Hosting.com

    H2Hosting.com Well-Known Member

    Joined:
    Sep 4, 2001
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    16
    Hi!

    As you know, Cpanel team created /scripts/securetmp/ script to help server owners to secure /usr/tmp, /var/tmp, /tmp. ( p.s. I do not use this script)

    Ok. One question - what is a reason to create such useless scripts? Why useless? Ha Ha.

    Look at your folders:

    /var/cpanel/neomail - 777 root:root
    /var/cpanel/Counters - 777 nobody:nobody

    Hacker can upload and run scripts in your "neomail" and "Counters"...
     
  2. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    Nice one m8. Those of us system admins with any sense would have the mind to make sure things such as /tmp, /dev/shm, etc are locked down. Nick was nice enough to provide a script to help those that have no clue or don't have the luxury of having a server set up with those features.

    Something like this should really be discussed directly with the cpanel team, EMAIL THEM, then EMAIL THEM AGAIN. Or how about this one ( silly I know ) use bugzilla ? There are various options for you to choose from, and yet, you chose to post in a public forum. How thoughtless and unprofessional. I hope none of your clients visit this forum.
     
  3. H2Hosting.com

    300% that hackers know about 777 chmod for /var/cpanel/neomail and /var/cpanel/Counters! I saw one domain logs and they uploaded the script into this folder directly, without searching. They know this!
     
  4. H2Hosting.com

    oh! let's start counting... when this hole will be fixed. Today is 16/July. :cool:
     
  5. Brio

    Brio Member

    Joined:
    Jul 9, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    What's the Bugzilla ID for this?
     
  6. Joshfrom

    Joshfrom Well-Known Member

    Joined:
    Jun 3, 2003
    Messages:
    157
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    White Haven, PA, US
    Haze is correct: this is the wrong approach and wrong tact to take to get a bug repaired.

    The proper method is to report the bug to http://bugzilla.cpanel.net/ or if it is a serious security hole to email security@cpanel.net.
     
  7. H2Hosting.com

    :rolleyes: Hm. Cpanel costs us ~$30-$40/month/server and I do not like the fact that hackers from Brazil know about this fact and Cpanel developers do not.
     
  8. haze

    There are things that may get past those that spend a LOT of time programming these scripts. Nick isn't perfect, but he does a darn good job. So Brazilians know about it, why didn't you first contact nick or go through bugzilla? What on God's green earth made you decide to post this to the public ? There is no excuse, the only fool here is you.
     
  9. H2Hosting.com

    You call it "good job"? Hm. I knew 4 SYSTEM folders with 777 permissions before, but thanks to Nick there are two more... Thank you for this! :cool:

    btw, I submitted my report to bugzilla, but no reply. Weekend?
     
  10. H2Hosting.com

    what are you talking about??? :rolleyes:
     
  11. haze

    Just step away from the computer, go outside, take a few deep breaths, COME BACK AND UNPLUG YOUR COMPUTER!!!
     
  12. HostDime

    HostDime Well-Known Member
    PartnerNOC

    Joined:
    Mar 15, 2003
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Orlando, Florida
    This type of method of storing counter files security wise is really shitty. There should be some type of warning that this horribly exploitable directory exists, including neomail, and of course /usr/local/apache/proxy, and stunnel!

    root@blazin [/var/cpanel/stunnel]# dir
    ./ .\ / .\ \ / .\ \ \ / ../ ."/ "/ menu\ \ \ \ \ \ \ \ \ \ \ /


    This is really great, at least have some type of Php configuration that disallows a lot of commands which are used with php shells, something, if you don't have your kernel secured, which I'm sure 50% of people who use EV1, etc do not know how to, their data center doesn't, and cpanel leaves this open, with no notice to us?

    How do we find out? Our boxes get rooted, and we are forced to restore backups, refund customers, etc. Cpanel has to do something security wise, instead of administrators having to take it into their own hands.......
     
  13. H2Hosting.com

    HostDime, I agree with you! They (Cpanel team) MUST warn us about 777 folders, created by Cpanel.

    haze, you call my post "unprofessional". Don't you think it's unprofessional for Cpanel developers to create such HOLES? BTW, they never replied to my bugzilla report :cool:
     
  14. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    Would you mind sharing the bugzilla #?
     
  15. H2Hosting.com

  16. H2Hosting.com

    Ha ha. Just replied.

    ------- Additional Comments From tomp@* 2004-07-19 20:39 -------
    This should be emailed to security-cpanel.net
    -------------------------------------------------------------------------------

    Emailed...
     
  17. H2Hosting.com

    ha ha ha. Reply from Cpanel team:
    -------------------------------------------
    This really isn't a security hole (they are 1777, not 777). You might
    want to look at /var/spool/mail as well. Just because you can write a
    file doesn't make it a security hole. By that argument you should
    delete /bin/bash and /usr/sbin/perl as well as you can use them to
    execute as well.
    -------------------------------------------

    :D

    It's strange to receive such a reply from a Cpanel developer. ;[

    I moved all system folders in /usr and /var (/tmp, /usr/tmp, /var/tmp
    chmoded to 777) to a noexec, nosuid partition (even /var/spool/mail).

    It is easier to hack the server if they know 777 (or 1777) SYSTEM folders
    where they can upload and run &#^@( scripts...

    BTW, that is a reason to secure /tmp then??? :cool:

    p.s. thaphantom, /dev/null, please.
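    The cPanel reply above turns on the difference between 777 and 1777, and the fix the poster applied is a noexec,nosuid mount. The following audit helpers are an added example, not code from this thread, from cPanel or from /scripts/securetmp: they list world-writable directories with and without the sticky bit, and check a /proc/mounts-style listing for noexec and nosuid. The directory names come from the posts; the scratch tree and the mounts text are constructed here for a self-contained run, and the /usr/tmpDSK device name is an assumption.

```shell
# Added example (not from the thread or from cPanel). Both 777 and 1777
# directories are world-writable; the sticky bit (the leading 1) keeps users
# from deleting or renaming files they do not own, which is what makes a
# 1777 /tmp different from a 777 one. Whether anything uploaded there can
# be executed depends on the mount options, hence the noexec/nosuid check.

# List world-writable directories under $1 that lack the sticky bit (777).
ww_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# List world-writable directories under $1 that carry the sticky bit (1777).
ww_sticky() {
    find "$1" -type d -perm -0002 -perm -1000 2>/dev/null | sort
}

# Return 0 if mount point $2 has option $3 in the /proc/mounts-style text $1.
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed /proc/mounts sample (assumption, not from a real host): /tmp on
# a loopback file mounted noexec,nosuid as securetmp-style setups do; /var
# with default options.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda3 /var ext3 rw 0 0'

# Build a scratch tree with the modes named in the thread and print its root.
# Parent directories are forced to 755 so the umask cannot skew the result.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/var/cpanel/neomail" "$root/var/cpanel/Counters" \
             "$root/tmp" "$root/var/spool/mail"
    chmod 755  "$root/var" "$root/var/cpanel" "$root/var/spool"
    chmod 777  "$root/var/cpanel/neomail" "$root/var/cpanel/Counters"
    chmod 1777 "$root/tmp" "$root/var/spool/mail"
    printf '%s\n' "$root"
}

# Report on a tree ($1) against a mounts listing ($2): one line per finding.
audit_report() {
    for d in $(ww_no_sticky "$1"); do
        echo "777 (no sticky bit): $d"
    done
    for d in $(ww_sticky "$1"); do
        echo "1777 (sticky): $d"
    done
    for mp in /tmp /var; do
        for opt in noexec nosuid; do
            if mount_has_opt "$2" "$mp" "$opt"; then
                echo "$mp: $opt set"
            else
                echo "$mp: $opt MISSING"
            fi
        done
    done
}

# Stand-alone run against the constructed tree:
#   t=$(demo_tree); audit_report "$t" "$SAMPLE_MOUNTS"; rm -rf "$t"
```

    On a live host the same functions take `/var` (or `/`) in place of the scratch tree and `"$(cat /proc/mounts)"` in place of `SAMPLE_MOUNTS`; a 777 directory that is not on a noexec mount is the combination the thread is arguing about, and the report makes both halves of that visible.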
     
  18. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    You must want cPanel to hold your hand? Wow, amazing.

    And you call yourself a security manager?

    Puh-lease. I work for a fortune 100 company as a security systems engineer. Give me a break. You just want someone to do your job.
     
  19. webpros

    webpros Registered

    Joined:
    Apr 29, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Does the fortune 100 company you work for use Cpanel?
     
  20. Sheldon

    Sheldon Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    1. you never make bug reports known to the public
    2. no, cpanel has no responsibility to secure OUR servers etc etc etc
    3. yes they have a responsibility to tell us about 777 folders (or not create them)
    4. as a security administrator you should know a lot about security already, if you don't then don't complain that other people should do the job for you.

    I'm still new as a system admin, I'm learning every day. I however do know to upgrade my kernel, and yes cpanel does warn you when your kernel is out of date. I personally don't know how to secure a kernel... I've never been taught how to do this. I do rely on other software to keep my box secure. But... it is not cpanel's responsibility to do this for you.

    And on the issue of 777 folders... If you use other software such as a firewall, portsentry, php_openbasedir tweak. Why do you need to worry about 777 folders :P

    A hacker has to have some way to upload to those folders first of all. If he/she can't get access to the system in the first place, how can they get access to anything else?

    However, it would be nice if they did :D :D :D :D *hint* *hint*

    Sheldon
     
    #20 Sheldon, Jul 22, 2004
    Last edited: Jul 22, 2004