Author Topic: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ  (Read 5566 times)

Offline
*
Starburst already gave the answer above:
You need to have your php.ini secured, and run ModSecurity with the latest OWASP CRS ruleset.
Along with running the latest PHP version you choose, 8.1, 8.2, 8.3 or 8.4
And he has guides for updating ModSecurity and the OWASP CRS ruleset (tested on both AlmaLinux 8 and 9):
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-modsecurity-to-2-9-12-running-cwp-and-apache-on-almalinux-9/
https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-owasp-crs-ruleset-running-cwp-and-apache-on-almalinux-9/

Those guides are pointless for this issue.
They are to protect the websites, not the CWP itself. The RCE was an exploit in the CWP file manager, not in the websites.

Kindly don't provide false information, and don't mislead users to something that is not. You don't appear to even know what an exploit is... even less to provide info about WAF protection rules - that, again, DO NOTHING about this issue in CWP.

Offline
*
Hi djprmf,

Thank you for your contribution in the 1st paragraph, it is correct and may yet prove helpful to someone.

Your 2nd paragraph however is simply a personal attack on a well respected member of our community, which I and many other members in this forum do not appreciate. Please refrain from such outbursts or if you cannot simply STFU.
Web Design, Development & Web Hosting
https://6sense.com.au

Offline
*
Hi 6sense.

https://forum.centos-webpanel.com/informations/is-cwp-still-maintained/
Read the topic.

You cannot take seriously someone that doesn't know the difference between a PHP exploit and an exploit in an implementation of the code in an application.

He could be a great person, but doesn't know what he is talking about and is misleading others.

It is OK to say that you don't know something. It is NOT OK to provide false information. And that is what he has done the entire time.
So yes, I provide proofs and knowledge, things that ANYONE CAN SEE AND KNOWS.

Not a word from someone...

But it is simple. Prove me wrong....

Then take your conclusions...
« Last Edit: October 09, 2025, 10:10:34 PM by djprmf »

Offline
*****
Are you just trying to inflate your post count? It seems that any meaningful contribution to this thread and forum community has ceased a while ago. You're beating a war drum with no soldiers rallying behind you, so it rings more than hollow.

Offline
*****
I have not posted False or Mis-information.
Your post doesn't even make sense.

And all here know that I know what I'm talking about from my posts.

So just insulting me and others here hasn't made you any friends and lost you any support.

Unlike yourself.

I'm guessing you're some kid or tween who just wants to come on the forums, post your BS mis-information, and argue with everyone.

So FOCUS...
« Last Edit: Today at 06:10:22 AM by Starburst »

Offline
*
This is NOT a CWP bug.

PHP Injection Attacks will happen whenever.

You need to have your php.ini secured, and run ModSecurity with the latest OWASP CRS ruleset.
Along with running the latest PHP version you choose, 8.1, 8.2, 8.3 or 8.4

You'll also need to configure the OWASP base rules for services you run on that server.

NOTE: The CWAF ruleset is dead, and the last update was over a year ago.
Which is sad, this was a great ruleset.

For the PHP Injection Attack that has been going around, there have been fixes here on how to clean up your PHP-FPM.

Sure, let's focus and talk.

Can you explain this sentence that you are providing in the quote text?
Kindly inform us how you can say that this is NOT a CWP security vulnerability and how you got to that conclusion. Please, don't refrain from using "tech mumbo jumbo", we are all sysadmins here after all :)