The Community Forums


FAQ: Are there / have there been any security issues with cPanel?

Discussion in 'Security' started by projectandrew, Jul 19, 2004.

  1. projectandrew

    projectandrew Well-Known Member

    Joined:
    Aug 27, 2003
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    FAQ: Are there / have there been any security issues with cPanel?

    * For the latest version of this FAQ, visit http://unofficial-support.com/node/view/55 *


    Like any software, cPanel is in constant development - bugs are being reported and fixed all the time. How many 'bugs' have been found and quashed will depend on the build you decide to stay current with (FAQ: What is the difference between BETA, DNSONLY, EDGE, CURRENT, RELEASE and STABLE builds?). Unfortunately, some of the bugs that have been discovered have opened up some security issues, which has increased the risk of a server being 'compromised'.

    cPanel is currently at version 9.x - the security advisories related to this version are listed below:

    <image>

    <image>

    <image>

    <image>

    So far in 2004, there have been 7 advisories - these are listed below, with the most recent first:

    * cPanel "passwd" Script Database Password Manipulation Vulnerability
    * cPanel suEXEC Privilege Escalation Vulnerability
    * cPanel killacct Script Arbitrary DNS Information Deletion Vulnerability
    * cPanel mod_php suexec Privilege Escalation Vulnerability
    * cPanel Multiple Cross-Site Scripting Vulnerabilities
    * cPanel Login Command Injection Vulnerability
    * cPanel Password Reset Command Injection Vulnerability

    All these security issues have been fixed, and at the time of writing, there are currently no known security issues (as long as you are running the latest build).
     
  2. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Nothing like reporting to the world and hackers how to exploit cPanel if you're not running the latest versions.

    Not very smart if you ask me. The least you should do is not provide examples.
     
    #2 dgbaker, Jul 19, 2004
    Last edited: Jul 19, 2004
  3. projectandrew

    There is no security in obscurity - this information is freely available to anybody on many sites across the internet. The one I have referenced (http://www.secunia.com/) is one I visit daily as part of my day to day job as an information security consultant.

    The difference between you and the hackers, is that they have always known about these sites, such as Secunia.
     
  4. dgbaker

    Point well taken.

    I just re-read my post, sorry I did not mean it to come across as it read back.
     
  5. projectandrew

    No offence taken :)
     