WebHostGear.com - October 10, 2008

Cpanel Security Advisory - Read
By: ramprage

There has been an urgent security advisory for all cPanel users about a vulnerability that allows an attacker to execute remote commands and possibly gain root access. Warning: this exploit is in the wild, update your servers now! One of my servers was rooted by this exploit.

We received this notification from Security Focus:

cPanel Security Advisory - CPANEL-2004:01-01

---------------------------------------------
Date: Thu Mar 11 2004
---------------------------------------------

---------------------------------------------
Summary:
---------------------------------------------

Due to a recently discovered bug, it will be necessary for users
following the STABLE and RELEASE branches to disable the feature that
allows users to reset their password. For those following the EDGE and
CURRENT branches, the latest updates have been fixed.  A review of the
RELEASE tree is still pending, and fixed RELEASE builds may be available
in the next 48 hours as well.

---------------------------------------------
Description:
---------------------------------------------

The feature "Allow cPanel users to reset their password via email",
found in WebHostManager in the "Tweak Settings" section allows for a
cpanel user to run some commands as the root user.
This hole is built into all compiled cpanel binaries and as such cannot
be "patched".


For users of STABLE and RELEASE branches it is strongly suggested that
you disable this feature.

For users of the EDGE and CURRENT branches, the latest builds have been
updated and compiled without this bug.

---------------------------------------------
References:
---------------------------------------------

http://www.securityfocus.com/archive/1/357064/2004-03-08/2004-03-14/0

---------------------------------------------
Affected Systems:
---------------------------------------------

All builds on all platforms are vulnerable up to and including (9.1.0
build 34), all builds after that have been fixed.

---------------------------------------------
Fix Details:
---------------------------------------------

For STABLE and RELEASE users, to remove this feature from users'
cPanels, log into WebHostManager as root, open the "Tweak Settings"
page, and uncheck the box next to "Allow cPanel users to reset their
password via email" and save the change.

For EDGE and CURRENT users, update cPanel. The suggested method is to do
the following as root from the shell.

# /scripts/upcp

You can also do this from inside WebHostManager.

This should update the cPanel and WHM package to the latest version
available where this hole does not exist.

You should also disable the password reset option explained here.
---------------------------------------------

If you find there is still a problem with this after updating to the
versions mentioned above, please file a support ticket with the cPanel
Technical Support team at http://support.cpanel.net/.
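As an added example (not part of the advisory and not cPanel's own tooling), the script below turns the advisory's two facts into an audit check an admin can run on a list of servers: a build is vulnerable if it is at or below 9.1.0 build 34, and a vulnerable build is only mitigated if the "reset via email" feature is off. The version string layout and the config key name `resetpass` are assumptions, not taken from the advisory; adjust them to what your server actually reports.

```python
import re

# Last vulnerable build named in the advisory: 9.1.0 build 34.
LAST_VULNERABLE = (9, 1, 0, 34)

# Assumption (not from the advisory): the version string carries
# major.minor.patch followed by a build number, e.g. "9.1.0-STABLE_34"
# or "9.1.0 build 34".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\D+(\d+)")


def parse_version(text):
    """Return (major, minor, patch, build) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised cPanel version string: %r" % text)
    return tuple(int(g) for g in m.groups())


def build_is_vulnerable(text):
    """True when the build is at or below 9.1.0 build 34 (per the advisory)."""
    return parse_version(text) <= LAST_VULNERABLE


def reset_by_email_enabled(config_text, key="resetpass"):
    """Read a key=value settings dump and report whether the reset feature is on.
    The key name is an assumption; the advisory only names the WHM checkbox."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip() not in ("", "0", "no", "off")
    return False  # key absent: treat as disabled


def assess(version_text, config_text):
    """'patched' (fixed build), 'mitigated' (vulnerable build, feature off),
    or 'exposed' (vulnerable build, feature still on)."""
    if not build_is_vulnerable(version_text):
        return "patched"
    return "exposed" if reset_by_email_enabled(config_text) else "mitigated"


# Constructed sample inputs, not real server output.
SAMPLE_VERSION = "9.1.0-STABLE_34"
SAMPLE_CONFIG = "skipboxtrapper=0\nresetpass=1\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))  # exposed
```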
