Author Topic: I think there is a very serious security vulnerability in CWP right now.  (Read 1499 times)

0 Members and 3 Guests are viewing this topic.

Offline
*
Simple solution, keep your servers updated.
And IF you are still running CentOS 7, you can expect to be hacked, running an EOL OS that is public facing.

There was a major Kernel Auth vulnerability that's has been activity exploited.
AlmaLinux released fixed Kernels on 2026-06-08 for AL8 and AL9.

Someone mentioned an old CVE for Roundcube, that only affected Roundcube Webmail versions prior to 1.5.10.
The current version is 1.5.15

Servers using Apache also had a problem, that the update to 2.4.68 fixed

Unfortunately, we cannot do this at this stage because CWP is really terrible and most critical parts constantly have BUGs and do not work properly.

Offline
*
Even this forum is problematic from top to bottom and we try for hours to even write an answer with BUGs, sometimes we succeed, sometimes we don't (Especially when we want to answer with quotes)

Offline
*
As far as I can see, if you install clean AlmaLinux 9 and then install CWP, the CWP installation package still installs the 1.14.X vulnerable version of roundcube.

So even if everything is up to date, you all have the same vulnerability.

Offline
*
The bug mentioned has nothing to do with OS but with CWP.
I understand the frustration:
1) enable modsecurity if disabled
2) create : cat /usr/local/apache/htdocs/webftp_simple/.htaccess
Require all denied

3) search for all .ssh directories ; bear in mind that you need to chatr -i authorized_keys to delete the folders
4) re-make /etc/passwd (all users have /bin/bash) , /etc/shadow(all users have password)
5) check for strange services ( see my other post)
6) check for strange files in /boot

rkhunter and maldet  might give you more hints

Offline
*****
CWP team must release a urgent update that fix all the current services with issues, RoundCube, Nginx, Apache, etc.
This is urgent!
We are paying for something that its full of security issues

And you, as a Sys Admin, your job is to keep them updated, which is simple to do, there are guides all over how to keep the server updated and secure.

There have not been any recent CVE's for CWP via CISA.

If you choose not to do that, then, well ...

Offline
**
Not all users are sysadmin, this type of panel should handle the basic stuff, keep everyting updated it one of the basic features of every panel

Offline
*****
This issue has been resolved on all CWP servers since last week, thank you for reporting it as well.

Offline
**
This issue has been resolved on all CWP servers since last week, thank you for reporting it as well.

All issues? Apache, Ngnix, Roundcube?

CWP can be slow in new features but not slow on security fixes

Offline
*
This issue has been resolved on all CWP servers since last week, thank you for reporting it as well.

I would like to raise again an important concern regarding the CWP installation script.

Currently, the default installation does not provide a modern and secure stack out of the box. After installing AlmaLinux 8 or 9, it is necessary to manually update multiple core components (NGINX, MariaDB, PHP, Apache, etc.) in order to reach current stable and secure versions without known CVEs.

This process is time-consuming and becomes especially difficult when managing multiple servers (20–25 CWP Pro VPS instances), where consistency and automation are essential.

My suggestion is not to remove legacy support, but to improve the installer by offering a modern default stack option, including:

PHP 8.3+ as default
Latest stable versions of NGINX and MariaDB
Roundcube and Apache updated accordingly
While still allowing legacy PHP versions (such as 7.4) to be installed and selected per domain through “Manage WebServers Configuration”

This would significantly improve security, deployment speed, and server standardization, especially for multi-server environments.

I have raised this concern previously on the forum, but I have not received an official response from the CWP team.

I would appreciate an official clarification on whether this improvement is planned or considered.

Offline
*****
That won't work, because not everyone uses Nginx and/or PHP 8.3.

Or maybe to have a question like CyberPanel at the beginning of an install, to ask what webserver and PHP you want.

Sounds like would work best for you, is after you install and update everything, take a snapshot, and then use that to bring up a new VPS.

Offline
*****
Not all users are sysadmin, this type of panel should handle the basic stuff, keep everyting updated it one of the basic features of every panel

If you're not a Sys Admin, I would recommend hiring one to take care of the technical backend.
Or maybe stick with a Managed VPS or Shared Reseller web hosting account, where the backend is handled for you.

No panel keeps everything updated, except maybe cPanel, and from the CVE's I've seen lately, they may not even keep everything updated.

But that's also what's good about CWP, it's let you have some customization.

Offline
*
Another server with CWP version 0.9.8.1231 was just hacked using the same method. Reportedly, this vulnerability has been closed in this version.

However, the security breach still continues!!!!. I don't think the security vulnerability was closed properly, it still persists...

Offline
*
Starburst — I know you are active here on the forum, I’ve been following your replies, and I appreciate the work you are doing.

However, before any workaround solutions are suggested, I want to clarify something important.

A few months ago, I opened a support ticket on the CWP platform regarding this issue. @josemnunez was aware of it and had reviewed my report, but after I continued to insist on the same concern, the ticket was closed without any real resolution.

If this is a financial or resource issue, then that is fine — increase the license price, even double it if necessary. I personally would agree to that.

But what should not continue is the current approach based on patchwork fixes and temporary solutions for core issues in CWP.

At this point, I would like to restate the main issue clearly:

I would like to clarify and consolidate my previous points regarding the CWP installation process and the default stack on AlmaLinux 8/9.

This is not about choosing between Nginx, Apache, or any specific web server. The issue is the default state and quality of a fresh CWP installation.

At the moment, a clean installation of CWP on AlmaLinux 8/9 results in an outdated and inconsistent software stack, including older versions of core components such as:

MariaDB
Apache
Nginx (if selected)
PHP (non-modern default setup)
phpMyAdmin
Roundcube
Postfix
system packages related to web and security that are not aligned with current security standards

This means that immediately after installation, we are forced to manually update multiple critical components just to reach a modern, secure, and stable state. As you already know, this update process is not always straightforward and can sometimes introduce issues based on forum-provided solutions, which is not ideal for production environments.

What I am suggesting is a modern secure baseline for new installations:

On AlmaLinux 8/9, CWP should install by default a modern and secure stack:
PHP 8.3+ as system default
latest stable MariaDB
latest stable Apache
latest stable Roundcube
phpMyAdmin updated according to current security standards
If Nginx is selected during installation, it should also be installed in its latest stable version, not an outdated one.

In addition, there is another important issue:

On AlmaLinux 9, CWP installation requires additional packages to be installed manually before running the installation script. However, this is not clearly documented in the official installation guide. These requirements and workarounds were originally published on the forum during the Beta stage. Since AlmaLinux 9 is now officially supported, these prerequisites should either be integrated into the installation script or documented officially.

A fresh installation should not require users to search forums for known prerequisites or fixes.

At some point, the installation process and default stack need to be properly modernized instead of constantly relying on temporary solutions.

Offline
*
ghoste - I agree with what you say

Offline
**
Not all users are sysadmin, this type of panel should handle the basic stuff, keep everyting updated it one of the basic features of every panel

If you're not a Sys Admin, I would recommend hiring one to take care of the technical backend.
Or maybe stick with a Managed VPS or Shared Reseller web hosting account, where the backend is handled for you.

No panel keeps everything updated, except maybe cPanel, and from the CVE's I've seen lately, they may not even keep everything updated.

But that's also what's good about CWP, it's let you have some customization.

CWP should handle the basics. The default installation is several versions behind the current ones.

While we can do manual updates, if CWP later updates its default version, it can break things because we are no longer running a default CWP installation.