Messages - ripieces

2
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

In short, as far as I understand it, a tiny SQL injection on any of your websites, or legit phpMyAdmin access, can in many cases be used to execute arbitrary code with root rights.

It seems there are already patches available for MariaDB / Percona, however none for MySQL yet.

So keep an eye out for the security updates to come and don't forget to install them when they are available!

Please do not blame the CWP guys - this is a general issue that affects any installation that uses this database software.
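Added example, not from the post above and not from the advisory it links or from CWP: a small Python audit of the MySQL configuration file locations that implements the temporary mitigation the linked advisory itself gives, namely that no config file may be owned or writable by the mysql service account, and that unused locations should hold root-owned placeholder files so the service account cannot create them. The default path list and the service account name "mysql" are assumptions for a typical Linux package install; pass your own paths on the command line if they differ.

```python
import os
import pwd
import stat
import sys

# Assumed default MySQL/MariaDB config search path on a Linux package install;
# your build may read additional files (see `mysqld --help --verbose`).
DEFAULT_CNF_PATHS = [
    "/etc/my.cnf",
    "/etc/mysql/my.cnf",
    "/usr/etc/my.cnf",
    os.path.expanduser("~/.my.cnf"),
]


def audit_cnf(path, forbidden_owner="mysql"):
    """Audit one config file location.

    Returns a list of human-readable findings; an empty list means the file
    exists, is not owned by the service account and is not writable by group
    or others. A missing file is reported because the advisory's advice is to
    keep root-owned placeholder files in unused locations so the service
    account cannot create them.
    """
    findings = []
    if not os.path.lexists(path):
        return ["missing: create a root-owned, non-writable placeholder"]
    if os.path.islink(path):
        findings.append("is a symlink (the checks below apply to its target)")
    st = os.stat(path)  # follows a symlink, so owner/mode are the target's
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner == forbidden_owner:
        findings.append(f"owned by service account '{owner}'")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_all(paths=DEFAULT_CNF_PATHS, forbidden_owner="mysql"):
    """Return {path: findings} for every location. Clean locations are kept
    with an empty list so 'checked and clean' differs from 'not checked'."""
    return {p: audit_cnf(p, forbidden_owner) for p in paths}


if __name__ == "__main__":
    paths = sys.argv[1:] or DEFAULT_CNF_PATHS
    bad = 0
    for path, findings in audit_all(paths).items():
        bad += bool(findings)
        print(f"{path}: {'OK' if not findings else '; '.join(findings)}")
    sys.exit(1 if bad else 0)
```

Run it as root so every location is readable; a non-zero exit means at least one location needs attention. It only reports, it changes nothing.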

3
Information / Re: What consumes space ???
« on: August 02, 2016, 02:46:21 PM »
That line won't help much probably, because it will print error, warning and parse error messages then, which for old PHP code on i.e. 5.6 can still be a lot (i.e. variable x not defined but used or stuff like that).

What you need to change is the logging of PHP errors and warnings and notices into the error_log.

Try changing log_errors to Off in your php.ini:

Code:
; Besides displaying errors, PHP can also log errors to locations such as a
; server-specific log, STDERR, or a location specified by the error_log
; directive found below. While errors should not be displayed on productions
; servers they should still be monitored and logging is a great way to do that.
; Default Value: Off
; Development Value: On
; Production Value: On
; http://php.net/log-errors
log_errors = Off ; Original value for me was On

I don't recommend moving to 7.x yet, I'd expect a lot of old code that has problems with 7.x.
Also this would not solve the logging problem.
I don't know if php.ini is preserved or not when switching versions in CWP.

4
Hi


Our Postfix mail queue ID is often 13 chars long; however, the Manage Mail Queue displays only 12 chars in the Queue ID column, and the "View" button also fails because of that issue.

CWP version: 0.9.8.37


With kind regards

5
Information / Re: What consumes space ???
« on: July 31, 2016, 12:08:44 PM »
I don't know anything that would help about the thread you linked :-(

You can use the Linux tail command to view the end of the file
tail fileNameHere

The tail command has an option on how much to display of the end of the file, use
man tail
for more info about the tail command.

Another command that might work with such big files is the less command, again check man / Google on how to navigate with it.

Which log file is exactly causing the problem? access or error log?

If it's error log, it could be that PHP errors go to the error log (that's what new PHP versions might do) and that can get huge very fast if the error is in a loop.
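To see which message is filling an error log before deciding whether to switch log_errors off (the question in this reply and in the August 2 reply above), here is an added Python example that is not part of the original thread: it parses PHP error_log entries and ranks the distinct source locations by the bytes they contribute, which makes a notice repeating inside a loop stand out immediately. The lines in SAMPLE_LOG are constructed for the example; point the script at a real file to analyse it.

```python
import re
import sys

# Constructed sample of a PHP error_log as written with log_errors = On.
# The notice at index.php line 7 sits inside a loop and repeats on every
# request; that is the pattern that makes the file grow without bound.
SAMPLE_LOG = """\
[02-Aug-2016 14:01:03 UTC] PHP Notice:  Undefined variable: x in /home/user/public_html/index.php on line 7
[02-Aug-2016 14:01:03 UTC] PHP Notice:  Undefined variable: x in /home/user/public_html/index.php on line 7
[02-Aug-2016 14:01:03 UTC] PHP Notice:  Undefined variable: x in /home/user/public_html/index.php on line 7
[02-Aug-2016 14:01:04 UTC] PHP Warning:  Division by zero in /home/user/public_html/stats.php on line 12
[02-Aug-2016 14:01:05 UTC] PHP Parse error:  syntax error, unexpected '}' in /home/user/public_html/old.php on line 40
[02-Aug-2016 14:01:05 UTC] PHP Notice:  Undefined variable: x in /home/user/public_html/index.php on line 7
not a php error line
"""

# One error_log entry: "[timestamp] PHP <level>:  <message> in <file> on line <n>".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>Notice|Warning|Parse error|Fatal error|Deprecated):\s+"
    r"(?P<msg>.*?) in (?P<file>\S+) on line (?P<line>\d+)$"
)


def summarize(text, top=5):
    """Group entries by (level, file, line, message) and rank the groups by the
    bytes they contribute to the log.

    Returns {"parsed": n, "skipped": k, "top": [...]} where "top" lists the
    largest contributors first. Non-empty lines that do not look like PHP
    errors are counted in "skipped" so the caller can see how much of the
    file was not understood.
    """
    stats = {}
    parsed = skipped = 0
    for raw in text.splitlines(keepends=True):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            skipped += 1
            continue
        parsed += 1
        key = (m["level"], m["file"], int(m["line"]), m["msg"])
        count, size = stats.get(key, (0, 0))
        stats[key] = (count + 1, size + len(raw.encode("utf-8")))
    ranked = sorted(stats.items(), key=lambda kv: kv[1][1], reverse=True)
    return {
        "parsed": parsed,
        "skipped": skipped,
        "top": [
            {"level": lvl, "file": f, "line": ln, "message": msg, "count": c, "bytes": b}
            for (lvl, f, ln, msg), (c, b) in ranked[:top]
        ],
    }


if __name__ == "__main__":
    # Usage: python php_error_log_top.py /usr/local/apache/logs/error_log
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = summarize(text)
    print(f"parsed {result['parsed']} entries, skipped {result['skipped']} lines")
    for e in result["top"]:
        print(f"{e['bytes']:>10} bytes {e['count']:>7}x {e['level']}: {e['message']} ({e['file']}:{e['line']})")
```

Ranking by bytes rather than by count is deliberate: a rare fatal error with a long stack trace and a frequent one-line notice both matter, but only the one that dominates the byte count explains why the disk is full.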

6
Information / Re: What consumes space ???
« on: July 30, 2016, 12:26:00 PM »
Check the size of the logs in /usr/local/apache/logs/ (i.e. use the ls -la command).
These and other log files (in /var/log/ ) can eat much space.

7
Hi.


Thank you for your reply.

I did not change it, and I can still log in to phpMyAdmin with the "MySQL root Password" that the CWP installer gave back in February, when I installed CWP on the VPS.

What I did change related to MySQL is that I used the CWP upgrade script to 5.5 months ago (but I think that was way before the issue occurred; the issue started exactly on the day it upgraded to 0.9.8.15 (it's the last email that says 0.9.8.14, but the typical "no update ..." line is missing, meaning it updated exactly on that day as it usually does)), and lately I also upgraded manually to 5.6, which was a bit complicated, but the issue is still the same.


I'd be interested if other users have a similar problem (maybe they don't read the log that closely) or if it's only me.


With kind regards

8
Since 0.9.8.15 (2016-06-06) there is the following error and warning in the backup script, i.e. in the "Daily MySQL Backup starting" section:

Code:
warning: /var/tmp/rpm-tmp.96Bmm9: Header V4 DSA/SHA1 Signature, key ID cd2efd2a: NOKEY
DBI connect(';;mysql_read_default_group=client','',...) failed: Access denied for user 'root'@'localhost' (using password: NO) at /usr/bin/pt-show-grants line 1338

9
PHP Selector / Thanks
« on: July 22, 2016, 10:11:15 AM »
I just wanted to say thanks for adding the latest PHP (security) fixes and so on to the PHP Version Switcher / PHP Selector!

This is really useful.

:)

10
DNS Manager / FreeDNS Manager registered with wrong email
« on: July 20, 2016, 06:36:05 PM »
Hello.

I registered with ...@gmail instead of ...@gmail.com in the FreeDNS Manager ( http://freedns.centos-webpanel.com/ )

Is that email used anywhere? I am unable to change it :S
I hope it doesn't matter, but I don't know :O

11
For CWP usernames with a dash in them, i.e. user-name, it's not possible to create MySQL databases.

The username input on the Add User page should be sanitized to not allow such problematic usernames if possible, please.

12
[...]
I strongly suggest others consider doing the same. Without going too deep into it - if you value the security of your server - you should not let another day go by with cwp installed. This is serious, folks.

If on the other hand, you don't mind that all of your data can be easily compromised - please stay with cwp - and keep your head in the sand.
[...]

I mainly chose CWP because it has a lot of features I wanted and is "free".

At the time I chose it (February) I wasn't aware that huge parts of the CWP related code are obfuscated; I actually thought it would be open source or something. However, it is my fault for not checking better.

I am actually also worried about the security issues that CWP has or had, for example:

- File owning issues (might have been fixed by now)
http://forum.centos-webpanel.com/centos-webpanel-bugs/quotas-stack-up-(new-users-inherits-quotas-of-existing-users)/

- File permission issues (which I fixed myself; I don't really know if it's a CWP bug that others have too or only me):
http://forum.centos-webpanel.com/backup/backup-access-rights-(all-users-can-access)/

- The default GUI does not allow installing a PHP 5.x version that doesn't have security issues, meaning many users will end up with vulnerable installations:
http://forum.centos-webpanel.com/php/php-version-selector-vulnerabilities/


I am thankful for the time and work CWP developers put into CWP; however, at this point in time I cannot recommend CWP to other people due to i.e. the above reasons. Actually, as of now I will be recommending that the guy I manage the server with buys a cPanel license for the next server (if possible within the budget we have).

Maybe CWP developers should get rid of the "free" idea and switch to s.th. else, but then again that might cause a hit to the popularity of the panel. But currently it seems to me as if they don't have the time and resources to keep CWP reasonably safe to use for dumb users like me.

Edit: I am not saying that CWP is bad, but security is a number one concern for me - I mean I rather spend a bit of money on s.th. that is supposed to be secure, than having a free ride that ends up with me being screwed.

13
Quote
This is all ok.. there was some issue with the cwp site being overloaded and because of that some of you had this error in the cron email.

 :o Okay, if you say so :)

It seems to work mostly without errors now.
The last interesting thing I got in such a mail was:
Quote
sh: service: command not found

Thank you for your reply, I was afraid that something more dangerous was going on than just the site being overloaded :)

14
(Edited the post above and removed duplicate lines in second log and thus fit everything in a single post.)

15
I am especially worried about the last log email I got, since suddenly something with @gmail.com was popping up as the GET URL. Maybe someone is trying to hijack the update mechanism? (Hopefully not)

This was the last update that was "fine" this morning:

04:04: Cron <root@XXXX> [ ! -f /etc/cron.hourly/0anacron ] && run-parts /etc/cron.daily

Quote
/etc/cron.daily/cwp:

====================================================
============= CentOS Web Panel Cron ================
====================================================


###########################
Firewall Flush Daily Blocks
###########################


######################
Update Server Packages
######################
Your CWP version: 0.9.8.17

No update needed, your CWP is up to date.
XXXX
Date which backup script is using: 2016-07-07 02:02:05

PHP Notice:  Undefined variable: ssh_check_r_connection in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7

Notice: Undefined variable: ssh_check_r_connection in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
PHP Notice:  Undefined variable: ssh_check_r_connection in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7

Notice: Undefined variable: ssh_check_r_connection in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7

[...]


Then 12 minutes later things started getting strange every 4 hours:

4:12: Cron <root@XXX> /usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php

Quote

====================================================
============= CentOS Web Panel Cron ================
====================================================


###########################
Firewall Flush Daily Blocks
###########################


######################
Update Server Packages
######################
Your CWP version: 0.9.8.17
PHP Warning:  file_get_contents(http://centos-webpanel.com/webpanel/main.php?app=rc4key&version=0.9.8.17): failed to open stream: HTTP request failed!  in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php(1) : eval()'d code(1) : eval()'d code on line 8
PHP Warning:  Division by zero in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Notice:  String offset cast occurred in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Notice:  Uninitialized string offset: 0 in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Warning:  Division by zero in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Notice:  String offset cast occurred in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
PHP Notice:  Uninitialized string offset: 0 in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 1
[lots of these 3 above ...]
XXX

12:12: Cron <root@XXX> /usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php

Quote

====================================================
============= CentOS Web Panel Cron ================
====================================================


###########################
Firewall Flush Daily Blocks
###########################


######################
Update Server Packages
######################
Your CWP version: 0.9.8.17

No update needed, your CWP is up to date.
XXX


16:12: Cron <root@XXX> /usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php

Quote

====================================================
============= CentOS Web Panel Cron ================
====================================================


###########################
Firewall Flush Daily Blocks
###########################


######################
Update Server Packages
######################
Your CWP version: 0.9.8.17

No update needed, your CWP is up to date.
XXX


20:12: Cron <root@XXX> /usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php

Quote

====================================================
============= CentOS Web Panel Cron ================
====================================================


###########################
Firewall Flush Daily Blocks
###########################


######################
Update Server Packages
######################
PHP Warning:  file_get_contents(http://...@gmail.com&version=0.9.8.17): failed to open stream: HTTP request failed! HTTP/1.1 500 Internal Server Error
 in /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php(1) : eval()'d code(1) : eval()'d code on line 7
Your CWP version: 0.9.8.17

No update needed, your CWP is up to date.
XXX
