WysiwygPro / File manager exploit

hostricity

Active Member
Jun 22, 2004
I've seen a number of comments and threads about file manager and WysiwygPro exploits. But, nothing useful. So, perhaps, someone might answer these questions for me:

1. What is the wysiwygPro exploit?

2. Is there a file manager exploit?

3. What version of cPanel do I have to be up to in order to fix it?

Thanks.

rs-freddo

Well-Known Member
May 13, 2003
Australia
cPanel Access Level
Root Administrator
This exploit has been actively "in the wild" now for two weeks. It was fixed in Edge almost 2 weeks ago. cPanel really needs to start moving the current Edge build down to Current, Release and Stable builds.

I can't understand why they are taking so long...

hostricity

Active Member
Jun 22, 2004
Security fixes

Security fixes need to be applied across edge, release, and stable. I've been advised not to run edge repeatedly. I don't like the vulnerability of having my servers vulnerable for weeks while we wait for a fix to migrate down through the various builds.

I'd go so far as to say that it is irresponsible on cPanel's part not to make sure that all releases have needed security fixes as soon as possible.

ALSO: Is the file manager exploit the same issue or a different one? If different, has it been fixed?

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
It cannot be fixed across what you call all versions, as I have said before - there is only one version system for cPanel; the builds are simply milestones within that version. If you want protection you'll simply have to go to EDGE at this stage. If you want to know when the other trees' versions will change, you'll have to contact cPanel. Having cPanel simply change RELEASE to the version that EDGE is at doesn't do anything at all except change the number; nothing in the code will change for it.

hostricity

Active Member
Jun 22, 2004
This is EXTREMELY irresponsible

chirpy said:
It cannot be fixed across what you call all versions, as I have said before - there is only one version system for cPanel; the builds are simply milestones within that version. If you want protection you'll simply have to go to EDGE at this stage. If you want to know when the other trees' versions will change, you'll have to contact cPanel. Having cPanel simply change RELEASE to the version that EDGE is at doesn't do anything at all except change the number; nothing in the code will change for it.
Here's what you said:

When a new "edge" version is released, the current "edge" becomes the new "release" version, and the current "release" becomes the new "stable" version.

This means that:

It is EXTREMELY DANGEROUS to run anything other than the "edge" version. Here's why:

When a bug in the "edge" version is fixed in a new "edge" version, all you did is push the bug from the "edge" version to the "release" version, where the bug will remain until you do another "edge" release.

When the next "edge" version is released, now the bug has been moved to the "stable" version, where the bug will be active until the next "edge" version is released.

The "edge", "release", and "stable" version names are quite misleading.

I'll bet that most cPanel customers think that the "edge" version is a release candidate, that any critical bugs found will be fixed before it becomes the "release" version, and that any further critical bugs in the "release" version will be fixed before it becomes the "stable" version.

How often do you do new "edge" versions?

Don't you think it is irresponsible to push a bug from the "edge" version to the "release" version, to the "stable" version?

When the bug is a security exploit, that means "release" version users have a higher chance of getting exploited, and "stable" version users have an even greater chance of getting exploited, because the exploit becomes more dangerous as more and more hackers discover the exploit and attempt to hack servers with it.

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
That's something you should put to cPanel directly.

It's my understanding that they: release EDGE for those that want to run the latest code (i.e. early adopters) and to wean out any bugs in newly developed features and bug fixes. Once they've increased the EDGE version to one they deem stable enough, they post a CURRENT milestone. Then they fix any bugs that come up from the CURRENT to EDGE release until that is stable. Then they'll post a new RELEASE milestone, and so on to STABLE. This means that STABLE is the oldest code and, in theory, the most tested.

Personally, I have only ever run EDGE. If you're happy to help cPanel fix bugs and work with bugzilla and understand where problems are, it's usually the most bug free version. However, if you want to be more conservative use the trees lower down. However, if you need a certain feature in a given release number you can, if you wish, upgrade to the corresponding tree until the tree that you normally use reaches the same version at which time you can simply step down again.

If you don't like it, feel free to complain to cPanel about it, but it's the way they have done it for years and the number of release trees is there from customer demand.

hostricity

Active Member
Jun 22, 2004
Ok

Chirpy:

First you said that they simply rolled the numbers from one version to the next. Now, you are saying that they make updates to the edge version before it becomes the release version, and to the release version before it becomes the stable version.

What you just described is the way I expected it would happen.

If I didn't understand what you were saying, I apologize.

On the other hand, I am still concerned with security exploits. It would seem that they should be applied to all three versions as appropriate. I will contact cPanel directly about this.

Geoff

kdarray

Well-Known Member
Apr 13, 2006
Washington
Alternative to WysiwygPro

Does anyone know of an alternative to WysiwygPro? Removing it from clients' sites will leave those that use it in the lurch. Is there some other easy editor, that's secure, I can offer up as an alternative?

Please point me in the right direction. For the dozen or so that use it, it's all they understand.

jackie46

BANNED
Jul 25, 2005
dave9000 said:
I don't believe anyone said anything about it being fixed in release :rolleyes:

It is fixed in EDGE and CURRENT.
You said it was fixed and you did not specify which version, did you? There have been zero updates to release in over 6 weeks!

dave9000

Well-Known Member
Apr 7, 2003
arkansas
cPanel Access Level
Root Administrator
Use the WysiwygPro / File manager; the issue has been fixed for over a month in edge, and a new current version was made available last week with the fix included.
What part of what I said is hard for you to understand?

Are the words too big for you or what ? :p