The Community Forums


Where is the list of security advisories attended to?

Discussion in 'Security' started by anup123, Feb 5, 2006.

  1. anup123

    anup123 Well-Known Member

    Hello,

    It is fine that cPanel expects any security vulnerability to be reported to security at cpanel.net.
    However, is there any feedback available as to what has been attended to and what has not been found a fit case even worth attention? There is a recently reported cross-site scripting vulnerability in one of the components (3rd Feb 2006). No one is sure what has been done, as the changelog has been unattended since January 5th 2006. Sending mails to security at cpanel.net gets no feedback.

    Anup
     
  2. Tagor

    Tagor Well-Known Member

    bugzilla.cpanel.net
     
  3. brentp

    brentp Well-Known Member

    As far as I know, security@cpanel.net sends a message to Nick's pager once you verify the message (but I might be wrong). Secunia.com keeps track of all vulnerabilities recorded, and by the way, half of the cPanel vulnerabilities are bogus. It's not really a vulnerability if it's behind an AUTHED area. It's kind of like saying "YOU CAN ACCESS SOMEONE'S CPANEL IF YOU KNOW THEIR U/P LOL!!!111".

    Regards,
    Brent
     
  4. anup123

    anup123 Well-Known Member

    Yup, much like the "bogus" scare for Intel HT CPUs, which the whole world made an issue of and Intel responded to :)

    Anup
     
  5. jwiens

    jwiens Member

    It's still a serious security risk. You can use this vulnerability to steal someone's account without a username and password. For an explanation of how cross-site scripting works, see my other post on the subject.
     
  6. anup123

    anup123 Well-Known Member

    Actually, all it would take is sponsoring an account on your competitor's server just to create menace when such "apparently bogus" vulnerabilities are reported. I am sure all amusement derived from Secunia's apparently bogus reportings would turn into a nightmare.

    Anup
     