cPanel unauthenticated Remote Code Execution (CVSSv2 score 10.0 out of 10)
https://news.cpanel.com/cpanel-tsr-2016-0001-full-disclosure/
SEC-91
Summary
Unauthenticated arbitrary code execution via cpsrvd.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
Description
cPanel & WHM’s internal web server, cpsrvd, did not correctly filter the request URI when processing incoming requests. Due to this, it was possible for an unauthenticated attacker to read arbitrary files and execute arbitrary scripts.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
And some more shit, but this one is very bad. Time to update ASAP, or be rekt...
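The advisory gives only the fixed build per release branch, so the practical check is whether the installed build is older than the fixed build on its branch. The script below is an added example, not cPanel's own tooling: it compares a cPanel & WHM build number against the four fixed builds quoted above. It assumes the installed version is readable from /usr/local/cpanel/version (the function also accepts a version string directly), and it reports branches that are not listed in the quoted advisory as "unknown-branch" rather than guessing, since the post says further builds were fixed but does not list them.

```shell
#!/bin/sh
# Added example (not cPanel's code): check a cPanel & WHM build against the
# fixed builds quoted from TSR-2016-0001 (SEC-91).
# Assumption: the installed build is stored in /usr/local/cpanel/version as a
# dotted four-part number such as 11.52.2.3.

# Fixed builds per branch, as listed in the advisory excerpt above.
FIXED_BUILDS="11.54.0.4 11.52.2.4 11.50.4.3 11.48.5.2"

# vercmp A B: prints -1, 0 or 1 comparing dotted versions component by component.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# fixed_build_for VERSION: prints the fixed build on the same major.minor
# branch (11.52.2.3 -> 11.52.2.4), or nothing if the branch is not listed.
fixed_build_for() {
    branch="${1%.*}"; branch="${branch%.*}"
    for f in $FIXED_BUILDS; do
        fb="${f%.*}"; fb="${fb%.*}"
        if [ "$fb" = "$branch" ]; then printf '%s\n' "$f"; return; fi
    done
}

# sec91_status VERSION: prints "patched", "vulnerable" or "unknown-branch".
sec91_status() {
    v="$1"
    fixed="$(fixed_build_for "$v")"
    if [ -z "$fixed" ]; then
        # Branches newer than 11.54 were released after the fix; older branches
        # are not in the excerpt above, so do not guess either way for them.
        if [ "$(vercmp "$v" 11.54.0.4)" = "1" ]; then
            printf '%s\n' patched
        else
            printf '%s\n' unknown-branch
        fi
        return
    fi
    if [ "$(vercmp "$v" "$fixed")" = "-1" ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' patched
    fi
}

# Report on the local host when the assumed version file is present.
if [ -f /usr/local/cpanel/version ]; then
    installed="$(cat /usr/local/cpanel/version)"
    echo "cPanel $installed: $(sec91_status "$installed")"
fi
```

Run it on the box, or call `sec91_status 11.52.2.3` by hand to check a build number you have from elsewhere; a "vulnerable" result on an Internet-facing cpsrvd means update before anything else.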
Comments
Any idea on how long the cpsrvd exploit existed?
10/10.
Not sure, they don't mention it...
Still fun to see a few hacky scripts and a webserver marketed as a control panel... What did you expect?
So much perl that it can be open source and no one wants to copy it
Ah the trio of fine quality coding.. Next up.. SolusVM, then WHMCS, or is it the other way around? I forget the defined order, then rinse/repeat.
We really need one of those Springfield nuclear accident countdowns, days since a cpanel/solusvm/whmcs vuln. Also what is it with race conditions and symlinks that cpanel developers have so many problems with? Surely once learnt it shouldn't be reappearing all over their codebase.
https://raymii.org/s/blog/Recap_of_week_03_2016.html
I won't be uploading anything after my free period is off to aws that's for sure.
https://medium.com/@karppinen/how-i-ended-up-paying-150-for-a-single-60gb-download-from-amazon-glacier-6cb77b288c3e
Yeah that one is really nasty. You think, hey, very cheap storage. Which is the case until you need to restore data, jeez, almost 200 dollars...
Especially since according to that author there's no real GUI client for it. I don't know if Cyberduck works with it (afaik Cyberduck works with S3, not sure about Glacier).
Anyway, as long as I have credits, I can have some VMs there with light traffic.