cPanel Vulnerability Found - Upgrade Recommended [MERGED]




Posted by ataylor, 05-02-2008, 12:18 AM
Just came through on the RSS feeds... http://blog.cpanel.net/?p=39

Posted by tanfwc, 05-02-2008, 12:50 AM
Another round of updates needed to be done again

Posted by Virtuoso Host, 05-02-2008, 04:08 AM
Several potential security issues have been identified with cPanel software and Horde, a 3rd party bundled application. cPanel releases prior to 11.18.4 and 11.22.2 are susceptible to security issues, which range in severity from trivial to medium-critical. Along with the discovery of these potential issues, cPanel has released a new security tool to provide users with protection from XSRF attacks.

Update Advisory
==============================
All STABLE and RELEASE users are strongly urged to update to their respective 11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3 release. No releases are deemed susceptible to severe, critical or root access vulnerabilities.

XSRF Protection
==============================
cPanel has also introduced a tool designed to protect against a category of attacks known as cross-site request forgery (XSRF). This tool will validate the browser referrer information against an approved list of domains. The list of approved domains is automatically determined according to the system's configuration. Any blocked requests are presented to the end user for approval. This additional step will minimize disruption of workflow while protecting the user from an outside XSRF attack. This check will not prevent bookmarked links in modern browsers from working normally.

XSRF protection is not enabled by default. It is controlled via WHM's Tweak Settings under the Security heading. The protection may also be enabled manually by adding the following line to the end of /var/cpanel/cpanel.config:

referrersafety=1

and restarting cpsrvd by executing /usr/local/cpanel/startup.

Regards,
Rob
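The referrer check the advisory describes, as an added illustration that is not cPanel's own code: the request's Referer host is compared against an allowlist derived from configuration, a missing Referer (a bookmark or typed URL) is let through, and anything else is held for user confirmation rather than executed. The allowlist values are constructed placeholders, and the no-Referer handling is an assumption drawn from the advisory's remark about bookmarked links.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the list cPanel derives from the
# system's configuration (hypothetical hostnames, not from the advisory).
APPROVED_DOMAINS = {"whm.example.com", "cpanel.example.com"}


def referrer_host(referrer):
    """Return the lowercase hostname from a Referer URL, or None if it
    cannot be parsed. Port, path and query are deliberately ignored."""
    try:
        host = urlsplit(referrer).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.lower() if host else None


def check_referrer(referrer, approved=APPROVED_DOMAINS):
    """Classify a state-changing request by its Referer header.

    Returns one of:
      "allow"   - Referer host is on the approved list
      "bypass"  - no Referer at all (bookmark / typed URL); assumed to pass,
                  since the advisory says bookmarked links keep working
      "confirm" - Referer present but not approved (or unparsable): do not
                  execute, present the request to the user for approval
    """
    if not referrer:
        return "bypass"
    host = referrer_host(referrer)
    if host is None:
        return "confirm"
    # Exact host match only: a prefix or substring test would wrongly
    # accept a host such as whm.example.com.attacker.test.
    return "allow" if host in approved else "confirm"
```

Note that this only blunts requests from browsers that send a Referer; clients that strip it are treated as bookmarks, which is the trade-off the advisory accepts to keep workflows intact.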

Posted by netomatic, 05-02-2008, 04:32 AM
No releases are deemed susceptible to severe, critical or root access vulnerabilities.

Posted by PowerDot, 05-02-2008, 04:33 AM
but may break integration with other systems, login applications, and billing software.

Posted by 1boss1, 05-02-2008, 04:59 AM
It's amazing how many cPanel exploits keep cropping up, you would think after so many years it would be rock solid by now.

Posted by PCS-Chris, 05-02-2008, 08:36 AM
When was this information released? There was a horde exploit over a month ago now and a fix was released on the day, is this referring to the same one?

Posted by tuxg, 05-02-2008, 08:41 AM
No, it is a new one, released on May 1st. http://blog.cpanel.net/?p=39

Posted by Patrick, 05-02-2008, 09:18 AM
There are more (scarier) exploits that the public never finds out about, but silently get fixed for the greater good. As for your second comment, I would have to disagree. With ever changing software, new features being added and what not, there is always going to be an increased chance of security flaws introduced into the software.


