The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

EasyApache 4 Concerns

Discussion in 'EasyApache' started by Josh Abbott, Oct 4, 2015.

  1. Josh Abbott

    Josh Abbott Member

    Joined:
    Oct 4, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    US
    cPanel Access Level:
    Root Administrator
    I've been testing EasyApache 4 and while I like the overall direction of the new software, there are a few issues and changes that I'm concerned about.

    The most significant one is that the INI editor sets short_open_tag to "Off" by default, while the default setting in EA3 and PHP is "On". This creates a significant security vulnerability for the many PHP scripts that still use short tags, because the PHP source code will be output to the browser. This will expose any database passwords and other configuration settings that may be stored in a PHP file with short tags.

    Another concern regarding the INI editor is that error_reporting no longer excludes deprecated notices by default. This will lead to significantly large error_log files, especially in PHP 5.5 and 5.6 where the commonly used MySQL extension now raises a deprecated notice every time a query is made to the database.

    Also, I noticed that the Mcrypt module was more difficult to install in EA4. This module was enabled by default in EA3, but required running yum through the command line in EA4. Is this just because Mcrypt hasn't been fully implemented with the EA4 UI yet? Will Mcrypt eventually be added to the default profiles?

    Finally, EA4 installed a very old version of the ionCube Loader (v4.7.5) which provides less security than the current version (v5.0.18). This issue also exists in EA3, but can ionCube be updated to the latest version in EA4 and also EA3 if possible?
     
  2. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    Messages:
    509
    Likes Received:
    64
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Good morning!

    You can make adjustments to your servers php.ini files as you see fit. If you want to turn on short_open_tags, you can absolutely do that :) We did a lot of work to verify that the PHP configuration was generally hardened and secured as much as it could be, and this included short_open_tags, as these are used by a lot of 'script kiddies' with hacked cPanel accounts. Leaving this disabled allows a little better security there. If you feel those should be enabled by default, I'd recommend opening a feature request on that :)

    The same goes for error_reporting. You can adjust those PHP configurations on your systems as well! If scripts are using deprecated functionality, it's good for that to be known so users know their scripts are going out of date. Without that info, users will think everything is great, when in actuality they are getting closer and closer to their script not working.

    Any modules that are not provided by the default profiles will need to be installed manually via yum (for now). You can then add packages to any custom profiles so that those packages are always installed on your system. We've just recently added mcrypt to our default profiles, but those updates haven't been published to the mirrors yet.

    Both EA3 and EA4 are running Ioncube 4.7x at this time. When we were spinning up the new packages, IonCube had just released 5.x, but were making almost weekly updates that included *MAJOR* bug fixes. We hope to have updated IonCube packages for both EA3 & EA4 out here in the next few weeks.

    I hope this helps explain a little bit about how we were aiming these changes. Let me know if you have any questions, and thanks for checking out EA4!
     
  3. Josh Abbott

    Josh Abbott Member

    Joined:
    Oct 4, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    US
    cPanel Access Level:
    Root Administrator
    Hi Jacob,

    Thank you for your reply, and addressing my concerns.

    I can understand how switching short_open_tags to "Off" may disable a few of the "script kiddie" hacks that are in circulation, but I feel that it will result in widespread security vulnerabilities in many commonly-used PHP scripts that are otherwise secure when short_open_tags is set to "On". While short tags are discouraged within some programming circles, it has been historically supported by PHP and is still common practice today. Disabling short_open_tags will not only cause those scripts to stop working properly, but more significantly, the database passwords and configuration files will be exposed as plain text by simply opening that PHP page in any web browser. This will put countless web sites, as well as their customer's data, at very high risk.

    In addition, a hosting account that has been infected by a script kiddie hack indicates that there is a more serious security issue with that account, and disabling short_open_tags will not fix the larger issue.

    I understand that I can update the INI file on the servers that I manage myself, but as a script developer, I'm also concerned about clients who manage their own cPanel servers or use one of the many hosting providers who leave INI files set to the default values. I will check into opening a feature request on this issue, but I'm concerned that hosting providers who are not PHP developers may not understand the seriousness of the issue.

    It's great to hear that you're adding mcrypt to the default profile in EA4, and updating the ionCube packages. :)
     
Loading...

Share This Page