The Community Forums


WysiwygPro / File manager exploit

Discussion in 'General Discussion' started by hostricity, Mar 18, 2006.

  1. hostricity

    hostricity Active Member

    Joined:
    Jun 22, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    I've seen a number of comments and threads about file manager and WysiwygPro exploits. But, nothing useful. So, perhaps, someone might answer these questions for me:

    1. What is the wysiwygPro exploit?

    2. Is there a file manager exploit?

    3. What version of cpanel do I have to be up to in order to fix it?

    Thanks.
     
  2. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
  3. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    This exploit has been actively "in the wild" now for two weeks. It was fixed in Edge almost 2 weeks ago. cPanel really needs to start moving the current Edge build down to Current, Release and Stable builds.

    I can't understand why they are taking so long...
     
  4. hostricity

    hostricity Active Member

    Joined:
    Jun 22, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Security fixes

    Security fixes need to be applied across edge, release, and stable. I've been advised not to run edge repeatedly. I don't like the vulnerability of having my servers vulnerable for weeks while we wait for a fix to migrate down through the various builds.

    I'd go so far as to say that is irresponsible on Cpanel's part not to make sure that all releases have needed security fixes as soon as possible.

    ALSO: Is the file manager exploit the same issue or a different one? If different, has it been fixed?
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It cannot be fixed across what you call all versions as I have said before - there is only one version system for cPanel, the builds are simply milestones within that version. If you want protection you'll simply have to go to EDGE at this stage. If you want to know when the other trees' versions will change, you'll have to contact cPanel. Having cPanel simply change RELEASE to the version that EDGE is at doesn't do anything at all except change the number, nothing in the code will change for it.
     
  6. hostricity

    hostricity Active Member

    Joined:
    Jun 22, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    This is EXTREMELY irresponsible

    Here's what you said:

    When a new "edge" version is released, the current "edge" becomes the new "release" version, and the current "release" becomes the new "stable" version.

    This means that:

    It is EXTREMELY DANGEROUS to run anything other than the "edge" version. Here's why:

    When a bug in the "edge" version is fixed in a new "edge" version, all you did is push the bug from the "edge" version to the "release" version where the bug will remain until you do another "edge" release.

    When the next "edge" version is released, now the bug has been moved to the "stable" version where the bug will be active until the next "edge" version is released.

    The "edge", "release", and "stable" version names are quite misleading.

    I'll bet that most cpanel customers think that the "edge" version is a release candidate and that any critical bugs found will be fixed before it becomes the "release" version and that any further critical bugs in the "release" version will be fixed before it becomes the "stable" version.

    How often do you do new "edge" versions?

    Don't you think it is irresponsible to push a bug from the "edge" version to the "release" version, to the "stable" version?

    When the bug is a security exploit, that means "release" version users have a higher chance of getting exploited, and "stable" version users have an even greater chance of getting exploited because the exploit becomes more dangerous as more and more hackers discover the exploit and attempt to hack servers with it.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's something you should put to cPanel directly.

    It's my understanding that they: release EDGE for those that want to run the latest code (i.e. early adopters) and to weed out any bugs in newly developed features and bug fixes. Once they've increased the EDGE version to one they deem is stable enough they post a CURRENT milestone. Then they fix any bugs that come up from the CURRENT to EDGE release until that is stable. Then they'll post a new RELEASE milestone and so on to STABLE. This means that STABLE is the oldest code and, in theory, the most tested.

    Personally, I have only ever run EDGE. If you're happy to help cPanel fix bugs and work with bugzilla and understand where problems are, it's usually the most bug free version. However, if you want to be more conservative use the trees lower down. However, if you need a certain feature in a given release number you can, if you wish, upgrade to the corresponding tree until the tree that you normally use reaches the same version at which time you can simply step down again.

    If you don't like it, feel free to complain to cPanel about it, but it's the way they have done it for years and the number of release trees is there from customer demand.
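    The check behind the thread's "what version do I have to be up to" question, as an added example that is not from the thread or from cPanel: it reads the CPANEL= tree from /etc/cpupdate.conf-style content and compares the installed version string (the format of /usr/local/cpanel/version) against the version in which a fix landed, so you can tell whether your tree has caught up or you need to step up a tree as described above. The sample config, the installed version 10.8.2 and the fixed-in version 10.9.0 are constructed placeholders for illustration, not the real numbers for this exploit.

```shell
#!/bin/sh
# Added example (not cPanel's code): decide whether a cPanel server's installed
# version already contains a fix, and which update tree it follows.
# On a real server the inputs are:
#   tree      = CPANEL=<tree> line in /etc/cpupdate.conf (edge|current|release|stable)
#   installed = contents of /usr/local/cpanel/version
# Here both are constructed sample values so the script runs offline.

# cmp_version A B: compare dotted version strings numerically.
# Prints -1 if A < B, 0 if equal (missing components count as 0), 1 if A > B.
cmp_version() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# tree_from_conf: read cpupdate.conf-style text on stdin, print the CPANEL tree
# in lower case (first CPANEL= line wins), or nothing if the line is absent.
tree_from_conf() {
  sed -n 's/^CPANEL=[[:space:]]*//p' | head -n 1 | tr 'A-Z' 'a-z'
}

# needs_upgrade INSTALLED FIXED_IN: "yes" if the installed version predates the
# version that carries the fix, otherwise "no". The tree name does not matter
# here: as the thread notes, the builds are milestones of one version series,
# so the version number alone says whether the code has the fix.
needs_upgrade() {
  if [ "$(cmp_version "$1" "$2")" -lt 0 ]; then echo yes; else echo no; fi
}

# ---- constructed sample inputs (placeholders, not real numbers) ----
SAMPLE_CONF='UPDATES=daily
CPANEL=release
RPMUP=daily'
SAMPLE_INSTALLED='10.8.2'   # placeholder installed version
FIXED_IN='10.9.0'           # placeholder "fix landed in" version

report() {
  tree=$(printf '%s\n' "$SAMPLE_CONF" | tree_from_conf)
  printf 'tree=%s installed=%s fixed_in=%s needs_upgrade=%s\n' \
    "$tree" "$SAMPLE_INSTALLED" "$FIXED_IN" \
    "$(needs_upgrade "$SAMPLE_INSTALLED" "$FIXED_IN")"
}

report
```

    On a live box replace the sample values with `tree_from_conf < /etc/cpupdate.conf` and `cat /usr/local/cpanel/version`; if `needs_upgrade` says yes, the options the thread describes are to wait for your tree to reach the fixed version or to switch the CPANEL= line to a higher tree that already has it and run the updater.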
     
  8. hostricity

    hostricity Active Member

    Joined:
    Jun 22, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Ok

    Chirpy:

    First you said that they simply rolled the numbers from one version to the next. Now, you are saying that they make updates to the edge version before it becomes the release version, and to the release version before it becomes the stable version.

    What you just described is the way I expected it would happen.

    If I didn't understand what you were saying, I apologize.

    On the other hand, I am still concerned with security exploits. It would seem that they should be applied to all three versions as appropriate. I will contact cpanel directly about this.

    Geoff
     
  9. kdarray

    kdarray Well-Known Member

    Joined:
    Apr 13, 2006
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Washington
    Alternative to WysiwygPro

    Does anyone know of an alternative to WysiwygPro? Removing it from clients' sites will leave those that use it in a lurch. Is there some other easy editor, that's secure, that I can offer up as an alternative?

    Please point me in the right direction. For the dozen or so that use it, it's all they understand.
     
  10. dave9000

    dave9000 Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    891
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    arkansas
    cPanel Access Level:
    Root Administrator
    Use the WysiwygPro / File manager; the issue has been fixed for over a month in edge, and a new current version was made available last week with the fix included.
     
  11. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    Really? What version of release was this fixed in?
     
  12. dave9000

    dave9000 Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    891
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    arkansas
    cPanel Access Level:
    Root Administrator
    I don't believe anyone said anything about it being fixed in release :rolleyes:

    It is fixed in EDGE and CURRENT.
     
  13. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    You said it was fixed and you did not specify which version, did you? There have been zero updates to release in over 6 weeks!
     
    #13 jackie46, Apr 24, 2006
    Last edited: Apr 24, 2006
  14. dave9000

    dave9000 Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    891
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    arkansas
    cPanel Access Level:
    Root Administrator
    What part of what I said is hard for you to understand ????????????

    Are the words too big for you or what ? :p
     