Have you done anything to enhance security?

bert

Is the XMB board you guys put on cpanel modified?

I really hope it is and that you are fully aware of the security issues with it:
http://www.hackers.com/new/currentnews.php?nid=6
 

bert

I am still waiting for someone from Cpanel to at least let us know if anything has or will be done to enhance security. We don't need features like these. Filling a control panel with crappy scripts creates more of a problem than a convenience.
 

patchwork

Maybe they could replace it with phpbb http://sourceforge.net/projects/phpbb/

I have not used it much but it seems like a good free forum system.

Pete
 

AbeFroman

customer forum

Does the customers forum come with CPanel? I want to get one!
 

dolphyn

I've looked into this a little more, and it appears to me that the CPanel version of XMB has resolved the issues mentioned in the hackers.com article (though not in the same way as suggested by hackers.com).

The headers.php file begins with $tempcache = ""; which seems to resolve the first issue.

The post.php file includes if (!is_uploaded_file($attach)){die("file upload failed");} which seems to resolve the second issue.

HOWEVER, the CPanel installation includes the file [b:6027ab375a]newinstall.php[/b:6027ab375a], which can be easily exploited to delete all of the data, and I suspect this is how my customer's forum was hacked. Anyone using XMB should delete this file.
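
An added example, not part of the original post and not cPanel or XMB code: a host-side check that lists every newinstall.php still present in an XMB directory under a web root. Treating any directory that holds both newinstall.php and post.php as an XMB install is an assumption made for this sketch, as is the /home path in the usage comment.

```sh
#!/bin/sh
# Added example: report leftover XMB installer scripts under a hosting web root.
# The file names newinstall.php and post.php come from the thread; pairing them
# to recognise an XMB directory is an assumption of this example.

find_xmb_installers() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # find passes the paths as arguments, so names containing spaces stay intact.
    find "$root" -type f -name newinstall.php -exec sh -c '
        for installer do
            dir=${installer%/*}
            # Report only installers that sit beside post.php (assumed XMB install).
            if [ -f "$dir/post.php" ]; then
                printf "%s\n" "$installer"
            fi
        done
        exit 0' sh {} + | sort
}

# Usage (hypothetical path): sh find_xmb_installers.sh /home
if [ "$#" -gt 0 ]; then
    find_xmb_installers "$1"
fi
```

The function only reports paths; the operator decides whether to delete the file or notify the customer.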
 

bert

My best recommendation is to remove XMB from the Cpanel skins in use and notify customers who have it that there are serious security risks and recommend their removal. We as hosts have too many duties and responsibilities and it is ridiculous to troubleshoot, work on or improve poorly written software.

I did all of the above and I know I am saving myself a lot of trouble.

My $0.02 ;)
 

aventuremedia

Re

Hi, we took over the development in Feb 2002 from the old team.
ALL security issues have been fixed in the new XMB 1.6 Magic Lantern edition, which from what I hear is now available in the latest CPanel.

Richard
Aventure Media
http://www.aventuremedia.com
 

bert

Great! Thanks for letting us know Richard. :)