Cpanel Security Advisory - Read Published: Mar 13, 2004

• Rating

  0/5

There has been a urgent security advisory for all Cpanel users that can allow an attacker to execute remote commands and possibly gain root access.

There has been a urgent security advisory for all Cpanel users that can allow an attacker to execute remote commands and possibly gain root access. Warning this exploit is the the wild, update your servers now! One of my servers was rooted by this exploit.

We received this notification from Security Focus:

cPanel Security Advisory - CPANEL-2004:01-01

---------------------------------------------
Date: Thu Mar 11 2004
---------------------------------------------

---------------------------------------------
Summary:
---------------------------------------------

Due to a recently discovered bug, it will be necessary for users
following the STABLE and RELEASE branches to disable the feature that
allows users to reset their password. For those following the EDGE and
CURRENT branches, the latest updates have been fixed.  A review of the
RELEASE tree is still pending, and fixed RELEASE builds may be available
in the next 48 hours as well.

---------------------------------------------
Description:
---------------------------------------------

The feature "Allow cPanel users to reset their password via email",
found in WebHostManager in the "Tweak Settings" section allows for a
cpanel user to run some commands as the root user.
This hole is built in to all compiled cpanel binaries and as such can
not be "patched".

For users of STABLE and RELEASE branches it is strongly suggested that
you disable this feature.

For users of the EDGE and CURRENT branches, the latest builds have been
updated and compiled without this bug.

---------------------------------------------
References:
---------------------------------------------

http://www.securityfocus.com/archive/1/357064/2004-03-08/2004-03-14/0

---------------------------------------------
Affected Systems:
---------------------------------------------

All builds on all platforms are vulnerable up to and including (9.1.0
build 34), all builds after that have been fixed.

---------------------------------------------
Fix Details:
---------------------------------------------

For STABLE and RELEASE suers, to remove this feature from user's
cPanels, log into WebHostManager as root, open the "Tweak Settings"
page, and uncheck the box next to "Allow cPanel users to reset their
password via email" and save the change.

For EDGE and CURRENT users, update cPanel. The suggested method is to do
the following as root from the shell.

# /scripts/upcp

You can also do this from inside WebHostManager.

This should update the cPanel and WHM package to the latest version
available where this hole does not exist.

You should also disable the password reset option explained here.
---------------------------------------------

If you find there is still a problem with this after updating to the
versions mentioned above, please file a support ticket with the cPanel
Technical Support team at http://support.cpanel.net/.