I think cPanel is still working pretty hard to fix the mess they made. If you are running phpsuexec you are not vulnerable and there is no need to upgrade - shame the big red text doesn't say that eh...
right you are. we've been running the most recent STABLE tree w/PHPsuexec and Suexec with no problems for sometime.Originally posted by rs-freddo
I think cPanel is still working pretty hard to fix the mess they made. If you are running phpsuexec you are not vulnerable and there is no need to upgrade - shame the big red text doesn't say that eh...
With Phpsuexec enabled, this disables the mod_php apache module which should take care of the security problem.
Mickalo
Upgraded apache when I saw the message in WHM as well and got the same issues like everybody else about the broken links for /cpanel and /webmail
and after waiting for a new STABLE release I had two choices to fix this problem .
Upgrade to an unstable EDGE release ( which seems to bring even more problems ) or just disable suexec .
So i just disabled suexec and the links are all working fine again .
Any feed back from you guys regarding disabling suexec ?
and after waiting for a new STABLE release I had two choices to fix this problem .
Upgrade to an unstable EDGE release ( which seems to bring even more problems ) or just disable suexec .
So i just disabled suexec and the links are all working fine again .
Any feed back from you guys regarding disabling suexec ?
Last edited:
ive got suexec disabled no security issues at all.
i run on RELEASE or CURRENT. i grab the one which is the more up to date.
i run on RELEASE or CURRENT. i grab the one which is the more up to date.
So what exactly are the security issues ?
Are the external or internal ?
Is it easier for a hacker to compromise the system externally if suexec is disabled ? Or are you just pointing out that our hosting clients are able to run cgi with the 'nobody' Id ?
Are the external or internal ?
Is it easier for a hacker to compromise the system externally if suexec is disabled ? Or are you just pointing out that our hosting clients are able to run cgi with the 'nobody' Id ?