The Community Forums


Scripting Vulnerabilities

Discussion in 'General Discussion' started by Dillard, Mar 30, 2004.

  1. Dillard

    Dillard Well-Known Member

    As I'm subscribed to the summary emails from SecurityFocus, in today's mail I read this: http://www.securityfocus.com/bid/9965. I already looked around here, but nobody seems to have managed this already. Is this a confirmed bug? When is it going to be fixed?

    Dillard

    // haven't tried it out myself yet...
     
  2. richy

    richy Well-Known Member

    Appears to be a "low vulnerability" exploit (you'd have to get somebody to follow the link and then log in - using HTTP authentication only - for the exploit to work).

    I've opened an entry on cPanel's Bugzilla system (#212) so cPanel staff are now aware of it.
     
  3. bamasbest

    bamasbest Well-Known Member

    As well, as of yesterday, the security audit is listed in the changelog as 45% complete. If the firm that cPanel hired is really doing their job, you can pretty much expect that as they discover vulnerabilities and exploits, they are providing cPanel with appropriate solutions/recommendations for rapid implementation.
     
  4. Dillard

    Dillard Well-Known Member

    Just to awaken everybody: New ones were found (http://www.securityfocus.com/bid/10002/discussion/).

    Now I know this is perhaps not the most risky hack, because people need a legitimate user-id, but it worries me that too many notices are made on the net lately. Just imagine some script kiddie subscribes with one of my resellers, so he has a login to inject some script in my server.

    Not a very comforting thought!! Could someone from cPanel give an update on the repair of this bug?

    Dillard
     