Security vulnerability in PHP

Discussion in 'Security' started by GordonH, Dec 21, 2003.

  1. GordonH

    GordonH Well-Known Member

    Does anyone know the timeframe Cpanel has for fixing this hole?

    If it's not fixed by Christmas day I would expect all cpanel hosts to be in serious difficulty.

    Gordon
     
    #1 GordonH, Dec 21, 2003
    Last edited: Dec 22, 2003
  2. damainman

    damainman Well-Known Member

    did u report this bug to them?
     
  3. GordonH

    GordonH Well-Known Member

    Yes. It was reported some time ago but we have not had any notification of a fix or any intention of a fix.

    The situation is very serious and means that no cpanel server is secure.

    I am fully expecting a major Christmas day attack.

    Gordon
     
    #3 GordonH, Dec 22, 2003
    Last edited: Dec 22, 2003
  4. haze

    haze Well-Known Member

    You know mate.. I don't think the crackers heard you the first post.. might want to start posting this to all known forums on the internet so we can all get hacked.
    <!-- end sarcasm -->

    Send an email to nick, submit a ticket flag it as EXTREMELY URGENT.. but DON'T post it to the public! I mean come on!
     
  5. GordonH

    GordonH Well-Known Member

    I have not explained how to do it, just that a hole exists.

    This is the same with Linux or apache, a hole appears and it gets fixed. While the hole is open people know about it and we just have to wait for the fix.

    This was reported as urgent and it has not been addressed.

    I believe that all of us will be in the sh*t on Christmas day.

    Traditionally Christmas day has been our worst day of the year for fraud and other issues like this.

    If we had received a response from cpanel I would not have needed to post this information, but I feel I have no choice under the circumstances.

    It's possible I am wrong. In which case Cpanel just have to say that I am talking cr*p and explain the past 24 hours of DDOS attacks which have apparently used this hole.

    To preserve your sensibilities I may remove some of my original post but I don't know how to get this issue addressed otherwise.

    Gordon
     
  6. GordonH

    GordonH Well-Known Member

    I am already DESPERATE.

    DESPERATE.

    I can see our entire business collapsing permanently over the next few days without a fix for this.

    I am putting another bug ticket in but it is really beyond this level of issue.
    It is a threat to the whole cpanel product.
     
  7. GordonH

    GordonH Well-Known Member

    OK
    A new bug report has been submitted.

    The last one I put in took 5 months to get a reply.
     
  8. GordonH

    GordonH Well-Known Member

    Now that I have edited my original post it looks as if this is a security issue with PHP.

    This would be dealt with by the PHP development people.

    However, it is a problem specific to Cpanel.

    Without the original post no one is going to understand what I am talking about or why I think it's so serious.

    All I can say is "roll on Christmas day".

    I have a fix but it's radical and would cause major problems for customers, but if necessary we will have to make those changes, but doing it to so many servers would be a nightmare.
    It would be better if cpanel addressed the issue rather than us having to disable chunks of cpanel.

    Gordon
     
  9. Joshfrom

    Joshfrom Well-Known Member

    GordonH,

    It would help us if you provide the ticket number in your post so that we can track what you're talking about.
     
  10. damainman

    damainman Well-Known Member

    Isn't "php open_basedir Tweak su" in WHM supposed to prevent things from happening using php?
     
  11. netwrkr

    netwrkr Well-Known Member


    Yeah this guy is a real rocket scientist.

    Gordon how about posting the ticket number as requested by cPanel so they can get things rolling? Did you bother to pick up the telephone and call them? Leave a message?

    cPanel dudes: Any chance of creating a private mailing list for owners of cPanel? This could be used for quick distribution of security related information such as this? I don't check these boards frequently enough for this to be the primary form of *important* information about the products (yes, multiple licenses) I purchased directly from cp.


    Also, any chance of creating a security alert email address or something to that effect where cPanel could be notified quickly when something like this occurs in the future?
     
    #11 netwrkr, Dec 31, 2003
    Last edited: Dec 31, 2003