1
Updates / Roundcube might need an update for security reasons
« on: December 07, 2016, 01:45:29 PM »
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
To the problems above there is no CVE assigned yet it seems:
http://www.cvedetails.com/vulnerability-list/vendor_id-8905/Roundcube.html
CWP currently has Roundcube RELEASE 0.8.4
2
MySQL / Severe MySQL / MariaDB / Percona security issue (remote root code execution)
« on: September 13, 2016, 11:27:18 AM »
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
In short as far as I understand it a tiny SQL Injection on any of your websites or legit phpMyAdmin access can be used in many cases to execute arbitrary code with root rights.
It seems there are already patches available for MariaDB / Percona, however none for MySQL yet.
So keep an eye out for the security updates to come and don't forget to install them when they are available!
Do not blame the CWP guys please - this is a general issue that affects any installation that uses this database software.
3
CentOS-WebPanel Bugs / Manage Mail Queue misses last letter of the queue ID thus view fails
« on: August 02, 2016, 12:46:30 PM »
Hi
Our postfix mail queue ID is often 13 chars long, however the Manage Mail Queue displays only 12 chars in the Queue ID column, also the "View" button fails due to that issue.
CWP version: 0.9.8.37
With kind regards
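Editor's note, an added example and not code from the post or from CWP: the bug above comes from treating the queue ID as a fixed-width column. Postfix short queue IDs are variable-length hex strings and long queue IDs (enable_long_queue_ids = yes) are longer still, so the robust way to pick them out of `postqueue -p` output is by field, never by character count. The listing below is constructed for the example; `postcat -q` is the standard Postfix command for showing a queued message.

```shell
#!/bin/sh
# Added example, not CWP code: extract Postfix queue IDs from `postqueue -p`
# output by field, so a 13-character (or longer) ID is never cut to 12.

# Constructed sample of `postqueue -p` output (not a real queue listing).
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3B7F5A1B2C3D4*    4321 Tue Aug  2 12:30:01  sender@example.com
                                         recipient@example.org
4RFr9p2QkQz1vQ5!   980 Tue Aug  2 12:31:15  other@example.com
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         someone@example.org

-- 5 Kbytes in 2 Requests.'

# Read a queue listing on stdin and print one bare queue ID per line.
# A queue entry line starts in column 1, its first field is the ID (optionally
# suffixed with * = active or ! = on hold) and its second field is the size.
# The header, continuation lines and "Mail queue is empty" fail that test.
queue_ids() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ {
             id = $1; sub(/[*!]$/, "", id); print id
         }'
}

# Length of the longest ID in a listing, to compare against a UI column width.
longest_queue_id() {
    queue_ids | awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}

# Show one queued message (headers and body) by its full ID. This is what a
# "View" button should run, with the whole ID and not a truncated one.
view_queue_entry() {
    postcat -q "$1"
}

# Stand-alone run: list the IDs found in the constructed sample.
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids
```

Against a live system, replace the sample with `postqueue -p | queue_ids`; the sample's second entry is deliberately 15 characters long so that a 12-character column would visibly break.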
4
CentOS-WebPanel Bugs / Error at end of MYSQL backup script since 0.9.8.15 (Access denied for user root)
« on: July 23, 2016, 10:44:39 AM »
Since 0.9.8.15 (2016-06-06) there is the following error and warning in the backup script, i.e. in the "Daily MySQL Backup starting" section:
Code: [Select]
warning: /var/tmp/rpm-tmp.96Bmm9: Header V4 DSA/SHA1 Signature, key ID cd2efd2a: NOKEY
DBI connect(';;mysql_read_default_group=client','',...) failed: Access denied for user 'root'@'localhost' (using password: NO) at /usr/bin/pt-show-grants line 1338
5
PHP Selector / Thanks
« on: July 22, 2016, 10:11:15 AM »
I just wanted to say thanks for adding the latest PHP (security) fixes and so on to the PHP Version Switcher / PHP Selector!
This is really useful.
6
DNS Manager / FreeDNS Manager registered with wrong email
« on: July 20, 2016, 06:36:05 PM »
Hello.
I registered with ...@gmail instead of ...@gmail.com in the FreeDNS Manager ( http://freedns.centos-webpanel.com/ )
Is that email used anywhere? I am unable to change it :S
I hope it doesn't matter, but I don't know :O
7
CentOS-WebPanel Bugs / Usernames with a dash won't allow MYSQL databases to be created
« on: July 18, 2016, 05:04:14 PM »
For CWP usernames with a dash in them, e.g. user-name, it's not possible to create MYSQL databases.
The username input on the Add User page should be sanitized to not allow such problematic usernames if possible, please.
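Editor's note, an added example and not code from the post or from CWP: the sanitisation the post asks for is an allow-list check. MySQL permits only [0-9a-zA-Z$_] in unquoted identifiers, so a database name derived from user-name is parsed as the expression `user - name` and the CREATE fails. The 16-character bound below is this example's own choice (the MySQL user-name limit before 5.7.8), not a CWP rule.

```shell
#!/bin/sh
# Added example, not CWP code: allow-list validation for a panel username
# that is reused as a Linux account name and as the prefix of MySQL database
# and user names.

# Assumed bound (this example's choice, not from CWP): at most 16 characters.
MAX_USERNAME_LEN=16

# Return 0 if NAME is acceptable, 1 otherwise. Rules: non-empty, starts with
# a lowercase letter, then only lowercase letters, digits or underscore, and
# no longer than MAX_USERNAME_LEN. Everything else (dash, dot, uppercase,
# spaces, shell or SQL metacharacters) is refused rather than "cleaned".
valid_panel_username() {
    name="$1"
    [ -n "$name" ] || return 1
    [ "${#name}" -le "$MAX_USERNAME_LEN" ] || return 1
    printf '%s\n' "$name" | grep -Eq '^[a-z][a-z0-9_]*$'
}

# Print one reason a name was refused (or "ok"); return 1 when refused.
explain_username() {
    name="$1"
    if [ -z "$name" ]; then
        echo "empty"; return 1
    elif [ "${#name}" -gt "$MAX_USERNAME_LEN" ]; then
        echo "longer than $MAX_USERNAME_LEN characters"; return 1
    elif printf '%s\n' "$name" | grep -q -- '-'; then
        echo "contains '-', which is an operator in an unquoted MySQL identifier"; return 1
    elif printf '%s\n' "$name" | grep -Eq '^[a-z][a-z0-9_]*$'; then
        echo "ok"; return 0
    else
        echo "must start with a-z and contain only a-z, 0-9 and _"; return 1
    fi
}

# Stand-alone usage: sh check_username.sh NAME
if [ -n "${1:-}" ]; then
    explain_username "$1"
fi
```

Refusing rather than rewriting the input matters: silently stripping the dash would create an account whose name no longer matches what the administrator typed.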
8
Updates / Very Strange Update behaviour (every 4 hours), what is going on? (Worried)
« on: July 07, 2016, 07:29:54 PM »
I am especially worried about the last log email I got, since suddenly something with @gmail.com was popping up as get URL. Maybe someone is trying to hijack the update mechanism? (Hopefully not)
This was the last update that was "fine" this morning:
04:04: Cron <root@XXXX> [ ! -f /etc/cron.hourly/0anacron ] && run-parts /etc/cron.daily
Quote
/etc/cron.daily/cwp:
====================================================
============= CentOS Web Panel Cron ================
====================================================
###########################
Firewall Flush Daily Blocks
###########################
######################
Update Server Packages
######################
Your CWP version: 0.9.8.17
No update needed, your CWP is up to date.
XXXX
Date which backup script is using: 2016-07-07 02:02:05
PHP Notice: Undefined variable: ssh_check_r_connection in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
Notice: Undefined variable: ssh_check_r_connection in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
PHP Notice: Undefined variable: ssh_check_r_connection in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
Notice: Undefined variable: ssh_check_r_connection in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
[...]
Then 12 minutes later things started getting strange every 4 hours:
4:12: Cron <root@XXX> /usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php
Quote
====================================================
============= CentOS Web Panel Cron ================
====================================================
###########################
Firewall Flush Daily Blocks
###########################
######################
Update Server Packages
######################
Your CWP version: 0.9.8.17
PHP Warning: file_get_contents(http://centos-webpanel.com/webpanel/main.php?app=rc4key&version=0.9.8.17): failed to open stream: HTTP request failed! in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php(1) : eval()'d code(1) : eval()'d code on line 8
PHP Warning: Division by zero in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Notice: String offset cast occurred in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Notice: Uninitialized string offset: 0 in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Warning: Division by zero in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Notice: String offset cast occurred in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Notice: Uninitialized string offset: 0 in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
[lots of these 3 above ...]
XXX
12:12: Cron <root@XXX> /usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php
Quote
====================================================
============= CentOS Web Panel Cron ================
====================================================
###########################
Firewall Flush Daily Blocks
###########################
######################
Update Server Packages
######################
Your CWP version: 0.9.8.17
No update needed, your CWP is up to date.
XXX
16:12: Cron <root@XXX> /usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php
Quote
====================================================
============= CentOS Web Panel Cron ================
====================================================
###########################
Firewall Flush Daily Blocks
###########################
######################
Update Server Packages
######################
Your CWP version: 0.9.8.17
No update needed, your CWP is up to date.
XXX
20:12: Cron <root@XXX> /usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php
Quote
====================================================
============= CentOS Web Panel Cron ================
====================================================
###########################
Firewall Flush Daily Blocks
###########################
######################
Update Server Packages
######################
PHP Warning: file_get_contents(http://...@gmail.com&version=0.9.8.17): failed to open stream: HTTP request failed! HTTP/1.1 500 Internal Server Error
in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php(1) : eval()'d code(1) : eval()'d code on line 7
Your CWP version: 0.9.8.17
No update needed, your CWP is up to date.
XXX
9
CSF Firewall / LFD does not prevent dovecot login attempts
« on: June 28, 2016, 01:17:30 PM »
I just wanted to note that I noticed that LFD does not track/block login attempts to dovecot.
Not sure if this is normal / known / intended or not.
10
Backup / backup access rights (all users can access)
« on: June 06, 2016, 08:34:17 AM »
Hello.
I am not sure if this problem only affects me or if it's a general problem:
The backup folder and the files created in the backup folder are owned by root:root, however they are readable for all other users.
I did
chmod -R o-rx /backup
now to fix this myself.
I think if possible this should be changed in CWP, since if one user is compromised the user will be able to read all the files of the other users from the backup folder, which includes database settings / passwords and so on.
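Editor's note, an added example and not code from the post or from CWP: the exposure described above is easy to audit. The script below lists every entry under a backup tree that the "other" class can read, write or enter, and applies the post's fix (extended from o-rx to o-rwx so nobody else can alter a backup either). A directory with o+x alone is enough for another local user to reach a world-readable file inside it, which is why the top-level directory counts. It relies on GNU find's `-perm /MODE` form.

```shell
#!/bin/sh
# Added example, not CWP code: audit a backup tree for anything the "other"
# class can access, and strip those bits. The post's manual fix was
# chmod -R o-rx; this also removes o+w.

# Print every entry under DIR with any of the other-rwx bits set
# (GNU find's -perm /MODE matches when at least one listed bit is present).
list_world_accessible() {
    find "$1" -perm /007 2>/dev/null | sort
}

# Number of such entries; 0 means the tree is private to owner and group.
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Remove all permissions for "other" across the tree. Owner and group bits
# are left alone, so a root:root backup stays readable by root.
harden_backup_dir() {
    chmod -R o-rwx "$1"
}

# Audit and report. Returns 0 when nothing is exposed, 1 when something is,
# 2 when the directory does not exist (so a typo is not reported as "OK").
check_backup_private() {
    [ -d "$1" ] || { echo "no such directory: $1"; return 2; }
    n=$(count_world_accessible "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: nothing under $1 is accessible to other users"
        return 0
    fi
    echo "WARNING: $n entries under $1 are accessible to other users:"
    list_world_accessible "$1"
    return 1
}

# Stand-alone usage: sh backup_perms.sh /backup [--fix]
if [ -n "${1:-}" ]; then
    if ! check_backup_private "$1" && [ "${2:-}" = "--fix" ]; then
        harden_backup_dir "$1"
        check_backup_private "$1"
    fi
fi
```

Running the check from cron after each backup catches the case where a panel update recreates the directory with the old permissions.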
11
PHP / PHP Version Selector / Vulnerabilities ?
« on: May 10, 2016, 02:05:54 PM »
Well when I installed CWP in February I ended up with PHP 5.4.45 for now.
I am planning to upgrade to at least 5.6, because only 5.5 / 5.6 / 7.0 are supported by the PHP developers nowadays it seems.
However the PHP Version switcher offers only 5.6.14 in the drop down.
Is that the real version to be installed? I'd be very afraid to install that, because it has a known vulnerability in the gd library:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
Which has been fixed in PHP 5.6.21: http://php.net/ChangeLog-5.php#5.6.21
Also with what version would I end up with the 7.x selector, because there is this _additionally_ to the problem above:
http://seclists.org/fulldisclosure/2016/May/0
Which has been fixed in PHP 7.0.6: http://php.net/ChangeLog-7.php#7.0.6
12
Backup / undefined variable in cron_backup.php (obfuscated code)
« on: April 19, 2016, 11:50:57 AM »
Hello,
I have had this problem from the beginning, after freshly installing CWP 0.9.8.11 in February or so.
Here is a more recent example for the .11 version:
Code: [Select]
######################
Update Server Packages
######################
Your CWP version: 0.9.8.11
No update needed, your CWP is up to date.
85.214.143.24
Date which backup script is using: 2016-04-10 02:02:05
PHP Notice: Undefined variable: sqe280g9LS16ak in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
Notice: Undefined variable: sqe280g9LS16ak in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
PHP Notice: Undefined variable: sqe280g9LS16ak in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
Notice: Undefined variable: sqe280g9LS16ak in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
When it updated to .12 the error message changed a bit:
Code: [Select]
######################
Update Server Packages
######################
Your CWP version: 0.9.8.12
No update needed, your CWP is up to date.
85.214.143.24
Date which backup script is using: 2016-04-19 02:02:05
PHP Notice: Undefined variable: VJg44cgmkBOnFH in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
Notice: Undefined variable: VJg44cgmkBOnFH in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
PHP Notice: Undefined variable: VJg44cgmkBOnFH in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
Notice: Undefined variable: VJg44cgmkBOnFH in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
There are several forum threads about this problem, but they all have no solution:
http://forum.centos-webpanel.com/centos-webpanel-bugs/cron-error-undefined-variable/
http://forum.centos-webpanel.com/backup/notice-undefined-variable-in-cwp-daily-backup-cron-1566/
http://forum.centos-webpanel.com/backup/backup-issue/
Now today I wanted to investigate the problem myself, but in all files I end up with obfuscated code similar to this one in cron_backup.php:
Code: [Select]
<?php /* Reverse engineering of this file is strictly prohibited. File protected by copyright law and provided under license. */ if(!function_exists("agF1gTdKEBPd6CaJ")) { function agF1gTdKEBPd6CaJ($ekV4gb3DGH29YotI) {
// [...]
} }eval(agF1gTdKEBPd6CaJ('[...]')); ?>
The last time I saw this eval obfuscation technique in use was in a hijacked WordPress installation. Or is that a nice way of reminding me that CentOS WebPanel is not open source?
Any ideas?
In the Backup Configuration I have these settings:
Manage Backups:
- Enable Backup: checked
- Location: /backup
- Daily, Weekly, Monthly, Mysql: checked
- Backup All users not checked
Remove Backup Settings:
- Never changed anything here, nothing is checked and only Temp Folder /tmp is set
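Editor's note, an added example and not code from the post or from CWP: the eval(decoder(...)) construct above is the same shape that compromised PHP sites use, so it is worth being able to inventory where it occurs on a server. The scanner below lists PHP files in which eval() is fed by a function call rather than a plain string, and names that function. A hit is not proof of compromise (here the vendor obfuscates on purpose), but every hit is a file whose real contents you cannot review by reading it. Test fixtures are constructed; the decoder name agF1gTdKEBPd6CaJ is taken from the post.

```shell
#!/bin/sh
# Added example, not CWP code: locate PHP files whose logic is hidden behind
# eval(<decoder>(...)) and report which function feeds eval().

# Regex: the word eval, "(", then an identifier immediately followed by "(",
# i.e. eval fed by a function call. The leading group keeps "evaluate(" and
# similar identifiers from matching.
EVAL_CALL_RE='(^|[^A-Za-z0-9_])eval[[:space:]]*\([[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\('

# List .php files under DIR containing that construct, one path per line.
scan_php_eval() {
    grep -rlE --include='*.php' "$EVAL_CALL_RE" "$1" 2>/dev/null | sort
}

# Name of the function feeding eval() in FILE (first occurrence), e.g. the
# agF1gTdKEBPd6CaJ decoder from the post, or base64_decode in a web shell.
eval_decoder_name() {
    grep -oE "$EVAL_CALL_RE" "$1" 2>/dev/null | head -n 1 \
        | sed -E 's/^.*eval[[:space:]]*\([[:space:]]*//; s/[[:space:]]*\($//'
}

# Print every hit as "path: decoder". Returns 0 when nothing was found
# (clean tree), 1 otherwise, so it can drive a cron alert.
report_php_eval() {
    scan_php_eval "$1" | while IFS= read -r f; do
        echo "$f: $(eval_decoder_name "$f")"
    done
    [ -z "$(scan_php_eval "$1")" ]
}

# Stand-alone usage: sh scan_eval.sh /usr/local/cwpsrv/htdocs
if [ -n "${1:-}" ]; then
    report_php_eval "$1"
fi
```

Comparing two runs of the report (for example before and after a panel update, or daily from cron) turns it into a change detector: a decoder name that appears in a file that previously had none is the case that deserves immediate attention.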
13
CentOS-WebPanel Bugs / Serious file owning issues (CWP Users own installation files)
« on: February 11, 2016, 06:03:16 AM »
Hello, all my users share the same "default" package.
Code: [Select]
*** Report for user quotas on device /dev/vzfs
Block grace time: 00:00; Inode grace time: 00:00
                        Block limits                 File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
[...]
amira     --    111M   1000M   1000M           8070     0     0
vgs       --    134M   1000M   1000M          16303     0     0
srdent    --    137M   1000M   1000M          16492     0     0
[...]
I created the user amira first and uploaded over 40 MB
Then I created vgs, which atm should be empty.
Then I created srdent, which should be empty too atm.
How is this even possible :O
The only awkward things I did are
- edited the package after and "(Update quota for all users using this package, also disables inode limits !)"
- entered CWP users using the root pw
Edit: I am using CWP version: 0.9.8.11
14
CentOS-WebPanel GUI / Bandwidth quota is unclear
« on: February 10, 2016, 12:05:47 PM »
If I edit a package it says
Bandwidth: 10000 MB
by default.
Maybe it's obvious for Linux savvy users what this quota is, but for me it's not:
- Is it the general I/O bandwidth in MB/s? (I think it's that, but then it should read I/O Bandwidth and MB/s (maybe add an info button that tells that when hovered with the mouse behind for stupid users like me.)
- Is it a monthly traffic limit?
- S.th. else?
I'd be thrilled, if you could tell me where the script related to that setting is, so I could learn more about Linux by reading its commands, but it's not really important :-)
15
CentOS-WebPanel Bugs / [not important] Small typo in standard vhosts template
« on: February 10, 2016, 11:58:39 AM »
In the Apache Domain Virtual Host tpl:
The line
Code: [Select]
ScriptAlias /cgi-bin/ "%homedir%/%username%/public_html/cgi-bin/
Should probably be
Code: [Select]
ScriptAlias /cgi-bin/ "%homedir%/%username%/public_html/cgi-bin/"
But this doesn't seem to affect anything, just s.th. that could be updated for consistency :]