Lack of cPanel staff's response to client and general people's questions causing frustration

hexstar

Why? Well, search on this forum... you'll find many threads like this: http://forums.cpanel.net/showthread.php?t=18511 where the lack of cPanel staff response and them just being overall hard to reach for non-clients cause both clients and potential clients grief... even the proftpd developer expresses frustration with this:

When that post first appeared in the cPanel forums, a user
contacted me on IRC, asking if I had more details. I did not,
so I sought to contact the people at cPanel.

First, their website makes it incredibly hard to contact
_anyone_ unless you've purchased one of their contracts.
Attempting to send email to any contact address simply
resulted in an autoresponse saying to use a certain CGI form,
which of course would not work unless you supplied a valid
license ID. It took me about a week, with some help from the
user who had a valid license, to get in touch with a human there.

Once I had that, I asked about this vulnerability. I was told
that they could not provide details, wanting to protect their
customers. So much for responsible vendors. I then requested
logs, symptoms, descriptions, _anything_ that would help me to
duplicate whatever the problem was on my own. This went on
for another week or two while I pestered. Finally, I was told
that the engineer who knew the most would get in touch with me
-- once he returned from a few weeks of vacation.

So I waited. And waited. And waited. After a few weeks, I
started asking again. Still nothing. To date, cPanel has
provided absolutely _no_ useful details; they can't even
reliably reproduce the problem themselves, and so appear to
have only anecdotal evidence.

The _most_ I was able to get out of cPanel was a statement
saying they were going to put a [email protected] address on
their site, and a promise to respond to email sent to it
quickly. Too late to be useful for me.

At this particular point, I would recommend you to NOT use
cPanel, if at all possible. They are concerned primarily with
money, and will refuse to do *anything* unless you've paid
them. Even then, their service leaves much to be desired. As
for their demonstrated stance toward open source and
responsible disclosure, well...they don't seem to care. They
have, in my eyes, needlessly and irresponsibly smeared the
reputation of my project and offered nothing in return. I
leave it to you to decide if that's the kind of company and
people with whom you want to work.

Sorry for the long rant, but dealing with cPanel for the past
few months has been incredibly frustrating and irritating.

TJ

That comment by the developer was posted to the proftp-user mailing list in response to this thread: http://forums.cpanel.net/showthread.php?t=44820

I really hope cPanel cleans up their act and becomes more responsive with the help of their clients, potential clients and just answering everyone's questions, especially when it's something important like that exploit or the password change flaw.
 

BenThomas

hexstar said:
Why? Well, search on this forum... you'll find many threads like this: http://forums.cpanel.net/showthread.php?t=18511 where the lack of cPanel staff response and them just being overall hard to reach for non-clients cause both clients and potential clients grief...
I personally don't believe that the "Contact Us" link on our main page (cpanel.net) is difficult to find. Included on the contact page are two email addresses, a direct phone number, and links to "Technical Support" (for customers only) as well as our users' forum. There are a great number of people who are capable of contacting us through these methods, including many whose lack of understanding of even the most basic internet concepts proves to not be any significant barrier.
hexstar said:
even the proftpd developer expresses frustration with this:

When that post first appeared in the cPanel forums, a user
contacted me on IRC, asking if I had more details. I did not,
so I sought to contact the people at cPanel.

<SNIP>

Sorry for the long rant, but dealing with cPanel for the past
few months has been incredibly frustrating and irritating.

TJ

That comment by the developer was posted to the proftp-user mailing list in response to this thread: http://forums.cpanel.net/showthread.php?t=44820
TJ first attempted to contact us using "[email protected]" (I'm not sure where he came up with that one), from which he received an automated response directing him to support.cpanel.net. Granted, the support.cpanel.net page is specifically tailored to customer support, I would have hoped that he saw the "Contact Us" link in the navigation menu. Following that, he apparently sent an email to several "guessed" email addresses and fortunately picked the right one. One of our administrators immediately responded to him at the start of the next day. After two days of TJ lambasting our administrators for being difficult to reach, he finally got to the point and let them know why he was contacting us (despite whatever expectations you may have, we don't know all the developers of the software included with cPanel by their given name). After TJ identified his purpose, he was immediately provided with all the information concerning the issue that we had (albeit very little info).

After reviewing the discussion with TJ and our staff, it looks like it was handled in the best possible manner. There may be points that could have been optimized, but few things work perfectly. If TJ would ask and provide us with a written request for disclosure of the conversation, then I'd be happy to post its entire content here. Then you could be the judge.
hexstar said:
I really hope cPanel cleans up their act and becomes more responsive with the help of their clients, potential clients and just answering everyone's questions, especially when it's something important like that exploit or the password change flaw.
That is the lifelong pursuit of any moral, responsible company. I can understand your frustration, however there may be factors in this particular situation that you haven't considered.

When a company provides goods or services that have become an integral component of many people's economic livelihood, and something becomes evident that jeopardizes the stability of those goods or services, it is the responsibility of that company to provide due diligence in mitigating the deleterious effects of those issues.

What that means in relationship to our release (to our customers only) of information that there was/is a potential root exploit in ProFTPd, is that a decision was made to inform our users of the key details of the issue, in order for our customers to mitigate the potential disaster that a root exploit poses.

If you're not happy with what was done, then imagine the alternative scenario that you seem to be asking for. We at cPanel discover evidence that servers running ProFTPd are being exploited, but because we don't have definitive evidence or a "proof of concept" of the exploit, decide to patiently wait for details to unfold. Then over the course of days/weeks/months, servers are continually compromised, and we continue to sit idle by the side.

Which is the greater disservice? To me the answer seems apparent, but you of course are capable of having a different opinion. Our actions were founded in our responsibility to our customers. We were not considering the egos of the parties involved. In hindsight the only thing that we could have and possibly should have done differently was to contact the ProFTPd developers at the same time that we released the warning to our customers. I'm not sure why that didn't happen, but it was most likely an oversight. However, that would not have altered the ensuing results in any way, it just would have made TJ a little more happy.

The reality of the situation is that no new evidence was found. Had there been any additional information, it would have been provided to the ProFTPd developers directly, and you as users would have been excluded (as you were) from any discussion of the exploit until after the issue(s) were resolved.

I would also like to add that I don't want to discourage you from airing your grievances here. This is the cPanel Users' Forum (not to be confused with a Support Forum). There are relatively few stipulations on that freedom and they should be pretty obvious. However, I'll reiterate them for the sake of completeness: libelous statements will be treated as such, personal attacks will not be tolerated, disinformation will be corrected, and keep it PG-13 rated.
 

electric

cpanelben said:
This is the cPanel Users' Forum (not to be confused with a Support Forum).
Just wanted to highlight this as a key point. It took me a while to figure this out, and at first (before I figured out these are not support forums), I thought the cpanel folks didn't care. Now I realize that there is a place for everything. Bugs and feature requests go to bugzilla.cpanel.net, and USER BASED help can be found here in the forums.

:)

That being said, the list of bugs and improvements/features/requests/enhancements listed in bugzilla is a long one. ;)
 

chirpy

Yup, a common misconception and one that is mentioned often enough that if people use normal forum etiquette (i.e. read the forums for a good while before posting to understand what does and doesn't get done on the forums) such mistakes can be avoided. Ultimately, going the wrong route for support just means problems will take longer to resolve. I've seen enough posts where cPanel have mentioned that their support personnel are sitting waiting for your tickets; following the "open a ticket with your cPanel license provider" should be encouraged if you believe you have a genuine bug to report.

By all means discuss it here, however if it's urgent and you need results, this is not the place to look for official support.
 

kieranmullen

As a direct license holder with cpanel..

I have an open ticket for awhile now with cpanel for a week or so.

I doubt that they are simply waiting.. Understaffed more likely.

We discuss the issue for a few days.. one slow email at a time...
 

fuzzie

Just to be clear...every time I have contacted cPanel or opened a support ticket, they have been incredibly responsive.

No open issues here.

Thanks cPanel!
 

rpmws

If cPanel were my company and I had even a hint of evidence that there was a root hole in any software that is controlled or included or encouraged in my product... I would find an alternative... offer and suggest it and remove support and disable the one I felt was potentially hazardous to my clients' security and their businesses. Shoot first and ask questions later. I would worry about sorting it all out later when the smoke cleared. And I would tell anyone that couldn't live with it to leave to another product. I think they handled things just fine. We don't know what happened in the background. You can't ignore security issues that come to our attention. Let's leave that up to Microsoft and their once a month MSupdates.
 

hexstar

But I think part of TJ's point is that we don't even know if cPanel staff actually found an exploit or were just trying to diss proftpd and promote the other ftp server included with cPanel... ;)
 

rpmws

hexstar said:
But I think part of TJ's point is that we don't even know if cPanel staff actually found an exploit or were just trying to diss proftpd and promote the other ftp server included with cPanel... ;)
I agree ..either way ..it's for cPanel to know and us to trust them on that or use another CP. I mean come on ..you have to trust a company that can practically shut down all of us, delete our entire boxes if they were evil with one update. It's a trust thing. I trust them. This type of thing I can see where they would not want to push it with public discussions in any way with anyone for that matter. I can live with that. I don't blame TJ for his concern however and I would be going nuts wondering what was wrong with my project as well.
 

emechanic

I'm going to have to agree with the majority on this topic.

I will also have to agree with frustrations some seem to get when trying to contact someone over a topic they feel to be very important and having a hard time doing it.

Since I've never had to contact cPanel support (partially because of good luck and partially because all the fine people here found a solution and posted it in the public forums) I cannot say that there is anything negative to their support procedures. I'm pretty sure I would receive support as I expect if I needed it just as everything else does (slow or otherwise).

I'm going to have to admit though that it definitely is not difficult to find contact information for cPanel. Being that most ecommerce sites have the standard issue contact page, which was one of the first pages I read when I was considering cPanel, I don't feel sorry one bit for anyone that has selective trouble finding it. Nothing personal but it's not hidden and I'm pretty confident that everyone can find it if they really wanted to.

Now, as to exploits. cPanel Staff are not out looking for extra work for themselves. They are not going to invent some trouble just to stir the pot. I mean, really folks...

So with that in mind, they certainly don't want to be giving out exploits to just anyone. I know people are all about open information etc. but generally when I find an exploitable bug in software, I write up a patch and then email the developer(s) with the patch attached. After that if anything is done that's up to them but I am definitely not going to let every blackhat hacker out there know about a new exploit for them to add to their arsenal. Let them find it, hopefully after it's been patched! Providing info to non-exploitable bugs for public discussion is one thing but publishing a bug with serious exploitable potential is quite another and certainly should be patched first and then the patch released for immediate update to the public.

If some joe comes up to me and asks me about an exploit I found and I didn't know for sure who he was then I wouldn't say much other than to read bugzilla. That's just me though, I'm sure that others have a different policy but things get pretty wild on the net and I don't want to be adding more to the dangerzone when I would rather help decrease it.

Some people are just not going to be happy and they will say whatever they want. It doesn't really change much and if someone doesn't want to use cPanel for whatever reason then that's up to them, I'll still use it and I'm certainly not going to stop using it just because of a disgruntled developer no matter what software they work on.