garrigue Posted November 30, 2020

Hello,

Apparently, there is a vulnerability in cPanel. Here is the official announcement: cPanel TSR-2020-0007 Full Disclosure | cPanel Newsroom

If I understand correctly, it has been resolved in the latest version of cPanel. So, to secure our cPanel, do you plan to update all cPanels?

Best regards,
Julien

Flaze Posted November 30, 2020

This support request is being escalated to our root admins.

wolstech Posted November 30, 2020

I'll let Krydos have the final say, but I will say this: We very rarely (I can think of once in my 8 years, so effectively never) install cPanel's updates on our servers because they typically break the server. We make extensive modifications to cPanel to accomplish what we would do with it (insomuch that cPanel support has told us we are one of if not *the* most extreme use case they've seen). The updates end up overwriting half of those changes and break the server.

Krydos Posted November 30, 2020

"Due to this mistake, a cPanel & WHM user could be misled into performing actions they did not intend."

This would really only affect regular users, and it would only affect their one account. If they clicked a bad link it could do something they didn't intend to their account. Since it would only affect the one account it wouldn't do much. People set terrible passwords and get their accounts hacked all the time, and that gives the hacker full control over their account. Clicking a strange link would give even less access than that probably. A bigger concern would be if a root admin with access to WHM clicked a suspicious link, but there's only 4 of us and I hope we're all smart enough not to click WHM links from someone we don't know.

"This allowed an attacker to bypass the two-factor authentication check using brute force techniques."

Only about 10 out of 5000 accounts even use two-factor authentication. It seems like most people wouldn't even care about this one.

"Error messages in the WHM Transfer Tool Interface were not properly encoded. This allowed the injection of HTML into some error messages displayed for invalid inputs."

We don't even use this. We use a custom command line script that I wrote to transfer accounts that definitely isn't vulnerable to HTML injection.

The brute force on two-factor authentication is a little concerning for the few people that actually use it, but like I said it definitely doesn't affect many. I have some other reasons to update cPanel on Tommy before too long so this will probably get fixed soon enough.

garrigue (Author) Posted December 1, 2020

Thank you very much @krydos for all the detailed explanations and your reassuring message.

We can close this case.

Best regards,
Julien

garrigue (Author) Posted December 1, 2020

Thanks to all of you, by the way, @flapeze and @wolstech.