The Community Forums


Security Issue While Running Easyapache?

Discussion in 'Security' started by markb14391, Jul 30, 2015.

  1. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Hi,

    I've noticed a potential security issue while EasyApache is running. During part of the process, visiting a PHP-based website doesn't load the site, but instead downloads the PHP file. Of course that also means that hackers can freely download files like wp-config.php and others.

    Has anyone else seen this? It seems to happen for a fairly long time during the process.

    And, most importantly, is there a fix? This is a big risk IMO.

    Thanks,

    Mark
     
  2. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    Hello,

    The cause is that you are recompiling PHP from the beginning: if anyone tries to open a PHP script, Apache won't find any handler for this extension, so instead it will serve the file as a download.

    If you tried it many times and the same thing happened (I didn't try it), then it's a security flaw, and maybe a workaround from cPanel would be to stop Apache during the compilation of PHP.

    I guess this was done on their end to prevent any downtime during recompilation, but surely none of us would prefer performance over security, except a few.

    Thanks for pointing that out.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    cPanel Access Level:
    DataCenter Provider
    I have never seen this behaviour, but if you believe it to be a reproducible security risk you need to email security [at] cpanel.net instead of posting it publicly.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you open a support ticket using the link in my signature so we can attempt to reproduce the issue on your system and determine why it's happening? Please post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    I've been unable to locate a support ticket for this issue. Were you able to open a support ticket or address the issue through another method? I look forward to your response.

    Thank you.
     
  6. feldon27

    feldon27 Well-Known Member

    Joined:
    Mar 12, 2003
    Location:
    Houston, TX
    Why does this need a support ticket? Does the EasyApache code take Apache offline or provide a failure handler for PHP files during the entire process or not?
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    EasyApache restarts Apache with the new build once completed. There shouldn't be any issue with that. Apache restarts for lots of things. Adding a new account for example. If there's enough time to go to your website and download the file(s) from it, you might want to have that server looked at to find out why it's taking so long for Apache to restart.

    Opening a ticket to cPanel Technical Support would get to the bottom of the issue far faster than this thread will.
     
  8. feldon27

    feldon27 Well-Known Member

    Joined:
    Mar 12, 2003
    Location:
    Houston, TX
    So, just as an idea, when EasyApache install starts running, I'd make EA add a directive to httpd.conf so that all *.php files get a temporary 403 Forbidden code. When EA is complete, it would remove this directive. This way end users can't read PHP source code while PHP is being compiled. Feedback is appreciated before I post it as a cPanel/WHM suggestion. There are any number of problems I might not have thought of.

    If having an automatic blockage of PHP is a Bad Idea [tm], then it might be interesting to add a button/script under EasyApache "Disable PHP websites from loading on this server." and then display a red warning banner at the top of WHM as long as this feature is turned on.

    For now, I plan to STOP the apache service and make sure it stays stopped until PHP is ready. This may be tricky if EA attempts multiple restarts before PHP is ready. This fits in the "experienced server admins wouldn't possibly need this, but WHM/cPanel's target audience might benefit from it" category.
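    An added example, not code from cPanel, EasyApache or any poster in this thread, illustrating the two technical points above: ModServ's explanation that a config with no handler for .php makes Apache hand the file back as a download, and feldon27's proposal of a temporary include that answers every *.php request with 403 Forbidden until the build is done. The config file and the HTTP responses it checks are constructed inline; the include path and the mktemp scratch files are placeholders, and where the include belongs on a cPanel box (commonly the pre_main_global.conf include directory) is an assumption to verify on your own server.

```shell
# Added example (not cPanel's or EasyApache's code). Paths and sample
# responses below are constructed for the demo; adjust to your layout.

# php_handler_configured CONF
#   Succeeds if CONF maps PHP to a handler (AddHandler/AddType/SetHandler).
#   Without such a line Apache falls back to its default handler and sends
#   the file's bytes, which is exactly the raw-download symptom reported.
php_handler_configured() {
    grep -Eiq '^[[:space:]]*(AddHandler|AddType|SetHandler)[[:space:]]+[^ ]*php' "$1"
}

# write_php_guard GUARD
#   Writes the temporary include feldon27 proposes: every *.php request
#   gets 403 Forbidden. Include it from httpd.conf (on cPanel, assumed to
#   be the pre_main_global.conf include; verify) and reload Apache before
#   the build, then remove it and reload again once PHP is back.
write_php_guard() {
    cat > "$1" <<'EOF'
# Temporary guard while PHP is rebuilt: refuse PHP requests outright
# instead of letting them fall through to a raw-file download.
<FilesMatch "\.(php|phtml|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# served_as_source HEADERS
#   Succeeds if a response's headers (one string, CRLF or LF separated,
#   e.g. from `curl -sI`) show the PHP file came back as a download rather
#   than as executed output. Use it to probe a test page during a build.
served_as_source() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq \
        '^(Content-Type:[[:space:]]*(application/x-httpd-php|text/x-php|application/octet-stream)|Content-Disposition:[[:space:]]*attachment)'
}

# Demo on constructed inputs (nothing here is captured from a real server).
demo() {
    conf=$(mktemp) || return 1
    guard=$(mktemp) || return 1
    printf 'AddHandler application/x-httpd-php5 .php .php5\n' > "$conf"
    php_handler_configured "$conf" && echo "handler present: PHP is executed"
    printf 'DocumentRoot /home/user/public_html\n' > "$conf"
    php_handler_configured "$conf" || echo "no handler: wp-config.php would be served raw"
    write_php_guard "$guard" && echo "guard written to $guard; Include it and reload Apache"
    resp=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/x-httpd-php\r\nContent-Length: 2900\r\n')
    served_as_source "$resp" && echo "probe: PHP source exposed"
    rm -f "$conf" "$guard"
}
demo
```

    The guard deliberately returns 403 rather than relying on the handler line coming back, so a site stays closed even if the build restarts Apache with a half-finished config; the probe function is what you would run in a loop against a throwaway test.php during the build to confirm that.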
     
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    cPanel Access Level:
    DataCenter Provider
    This. So much this. There should be no reason for .php files to load as source code during the EasyApache process. Apache runs during it and restarts quickly once it's completed. If Apache goes down during the build it's my understanding that it won't restart until the build completes, but if Apache is down then there should be no way for files to be web accessible at all (barring consideration of nginx or custom setups).
     
  10. feldon27

    feldon27 Well-Known Member

    Joined:
    Mar 12, 2003
    Location:
    Houston, TX
    So as a guess... It makes me wonder if the OP forced a restart on Apache before everything was built?
     
  11. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    cPanel Access Level:
    DataCenter Provider
    Hi,

    During an EasyApache run, Apache stays running in the background, and only restarts once the new Apache binaries have finished building successfully. This ensures that there is zero downtime during an EA build. If you stop, restart or mess with Apache while EA 3 is building, this will cause your sites to go down and not come back until after the build has completed.
     