Messages - ripieces

16
CSF Firewall / LFD does not prevent dovecot login attempts
« on: June 28, 2016, 01:17:30 PM »
I just wanted to note that I noticed that LFD does not track/block login attempts to dovecot.
Not sure if this is normal / known / intended or not.

17
E-Mail / Re: email error when sent to multiple recipients.
« on: June 16, 2016, 12:38:42 PM »
This really should be fixed in CWP if possible.

I rebuilt postfix yesterday and ran into the same problem after that.

postconf -e dovecot_destination_recipient_limit=1

and restarting postfix fixed the problem for me too.

18
E-Mail / Re: New email account not working in 0.9.8.6
« on: June 14, 2016, 06:32:16 AM »
This issue is only when you run MYSQL 5.6 on the server.
Fix is coming soon

I am on

MySQL version: 5.5.47
CWP version: 0.9.8.15

and have the same problem.


Workaround:
You can set up aliases for the ones you don't want going into the catchall mailbox, and deliver the mail to their own mailbox or send them off to another domain.

19
Backup / backup access rights (all users can access)
« on: June 06, 2016, 08:34:17 AM »
Hello.


I am not sure if this problem only affects me or if it's a general problem:

The backup folder and the files created in the backup folder are owned by root:root, however they are readable for all other users.

I did
chmod -R o-rx /backup
now to fix this myself.

I think if possible this should be changed in CWP, since if one user is compromised the user will be able to read all the files of the other users from the backup folder, which includes database settings / passwords and so on.
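
A way to check for and repair the exposure described in the post above, as an added example (not from the original post and not CWP's own code): the function names are hypothetical, and /backup is the location the post names. It goes slightly beyond the post's chmod by also clearing the write bit for other users.

```shell
#!/bin/sh
# Added example (not CWP code): audit a backup tree for access granted to "other".
# Function names are hypothetical; /backup is the location named in the post.

# Print every entry under $1 that grants read, write or execute to "other".
# Symlinks are skipped: their own mode is meaningless and chmod -R ignores them.
# Uses only POSIX find syntax (-perm -mode = all of these bits are set).
list_other_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Succeeds if "other" can still list or traverse the top directory itself.
# When this fails, files created later inside it are unreachable for other
# users even if the backup job writes them world-readable again.
top_dir_open_to_other() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -001 \) -print)" ]
}

# Remove all "other" bits recursively. The post used o-rx; o-rwx also clears
# a stray world-writable bit.
lock_down() {
    chmod -R o-rwx "$1"
}

# Audit $1, report findings, and fix them when $2 is "--fix".
# Returns 0 if the tree is clean at the end, 1 otherwise.
audit_backup_dir() {
    dir=$1
    found=$(list_other_accessible "$dir")
    if [ -z "$found" ]; then
        echo "OK: nothing under $dir is accessible to other users"
        return 0
    fi
    echo "Accessible to other users:"
    echo "$found"
    top_dir_open_to_other "$dir" && echo "WARNING: $dir itself is open to other users"
    [ "$2" = "--fix" ] || return 1
    lock_down "$dir"
    [ -z "$(list_other_accessible "$dir")" ]
}

# Run only when a directory is given, e.g.: sh audit_backup.sh /backup --fix
if [ "$#" -gt 0 ]; then
    audit_backup_dir "$@"
fi
```

Running it from cron after each backup job catches the case where a later job recreates the directory with open permissions.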

20
PHP / Re: PHP Version Selector / Vulnerabilities ?
« on: May 22, 2016, 06:16:14 PM »
So what's the solution to these severe security issues in those PHP versions offered in the PHP Version Selector?

Are we supposed to compile and install custom PHP versions on CWP?
If so, are there any existing scripts / guides?

I'd have expected a CWP update including a notice that reminds people to update their PHP, since this probably won't happen on its own.
But I understand you guys are busy and CWP is free and we cannot simply request such things :-(

But these security issues in i.e. the 5.6.14 version offered are really havoc for those that have image/file uploads enabled for users they can't trust (i.e. public image/file uploads).

I am not sure if the 7.x version in the selector is affected, since I am not sure what will be installed there.

21
PHP / Re: Install ImageMagick or GD ?
« on: May 10, 2016, 02:22:24 PM »
Be sure to update your ImageMagick if users can upload images on your servers:
https://www.cvedetails.com/cve/CVE-2016-3714/
https://access.redhat.com/security/vulnerabilities/2296071

22
PHP / PHP Version Selector / Vulnerabilities ?
« on: May 10, 2016, 02:05:54 PM »
Well when I installed CWP in February I ended up with PHP 5.4.45 for now.

I am planning to upgrade to at least 5.6, because only 5.5 / 5.6 / 7.0 are supported by the PHP developers nowadays it seems.

However the PHP Version switcher offers only 5.6.14 in the drop down.

Is that the real version to be installed? I'd be very afraid to install that, because it has a known vulnerability in the gd library:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
Which has been fixed in PHP 5.6.21: http://php.net/ChangeLog-5.php#5.6.21

Also with what version would I end up with the 7.x selector, because there is this _additionally_ to the problem above:
http://seclists.org/fulldisclosure/2016/May/0
Which has been fixed in PHP 7.0.6: http://php.net/ChangeLog-7.php#7.0.6

24
Backup / undefined variable in cron_backup.php (obfuscated code)
« on: April 19, 2016, 11:50:57 AM »
Hello,


I have had this problem from the beginning, after freshly installing CWP 0.9.8.11 in February or so.

Here is a more recent example for the .11 version:

Code:
######################
Update Server Packages
######################
Your CWP version: 0.9.8.11

No update needed, your CWP is up to date.
85.214.143.24
Date which backup script is using: 2016-04-10 02:02:05

PHP Notice:  Undefined variable: sqe280g9LS16ak in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7

Notice: Undefined variable: sqe280g9LS16ak in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
PHP Notice:  Undefined variable: sqe280g9LS16ak in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7

Notice: Undefined variable: sqe280g9LS16ak in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7


When it updated to .12 the error message changed a bit:

Code:
######################
Update Server Packages
######################
Your CWP version: 0.9.8.12

No update needed, your CWP is up to date.
85.214.143.24
Date which backup script is using: 2016-04-19 02:02:05

PHP Notice:  Undefined variable: VJg44cgmkBOnFH in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7

Notice: Undefined variable: VJg44cgmkBOnFH in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7
PHP Notice:  Undefined variable: VJg44cgmkBOnFH in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7

Notice: Undefined variable: VJg44cgmkBOnFH in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php(1) : eval()'d code(1) : eval()'d code on line 7

There are several forum threads about this problem, but they all have no solution:
http://forum.centos-webpanel.com/centos-webpanel-bugs/cron-error-undefined-variable/
http://forum.centos-webpanel.com/backup/notice-undefined-variable-in-cwp-daily-backup-cron-1566/
http://forum.centos-webpanel.com/backup/backup-issue/


Now today I wanted to investigate the problem myself, but in all files I end up with obfuscated code similar to this one in cron_backup.php:
Code:
<?php /* Reverse engineering of this file is strictly prohibited. File protected by copyright law and provided under license. */ if(!function_exists("agF1gTdKEBPd6CaJ")) { function agF1gTdKEBPd6CaJ($ekV4gb3DGH29YotI) {
// [...]
} }eval(agF1gTdKEBPd6CaJ('[...]')); ?>

The last time I saw this eval obfuscation technique in use, it was in a hijacked WordPress installation - or is that a nice way of reminding me that CentOS WebPanel is not open source?
 :o Any ideas?



In the Backup Configuration I have these settings:

Manage Backups:
- Enable Backup: checked
- Location: /backup
- Daily, Weekly, Monthly, Mysql: checked
- Backup All users not checked

Remove Backup Settings:
- Never changed anything here, nothing is checked and only Temp Folder /tmp is set

25
Aplications / Re: Problems installing prestashop and joomla ?!?
« on: February 24, 2016, 12:53:25 PM »
Try to temporarily disable CSF Firewall:

Security ->CSF FireWall -> Firewall disable.

If it works then it means there is a problem with your FireWall configuration blocking the SQL query to the localhost.

Please don't forget to enable it afterwards again:
Security ->CSF FireWall -> Firewall enable

26
CentOS-WebPanel Bugs / Re: Disk space in GUI user not work
« on: February 24, 2016, 12:40:56 PM »
Might be a similar problem to the one I had:
Serious file owning issues (CWP Users own installation files)

They planned to fix that, but you might be still affected by that problem.

Basically use
repquota  -a -s
to see the quota.

And use
find / -user <username> | less
To see which files the user owns.

If it's a normal CWP user that owns installation files that root should own instead, you need to fix those directories / files with
chown (and maybe chmod too).
Both commands have an option for recursion (-R), but read the manual in case you don't know them already.

Basically I changed the ownership to root:root (so user and group is root) for the files that were not in /home/<username>
and then fixed permissions with chmod as I thought it would be appropriate (o-rwx).

27
MySQL / Re: problems with databases
« on: February 22, 2016, 04:34:05 PM »
You can ignore the "/home/venci/public_html/ilogistics.eu/favicon.ico" related error, it's just that that domain doesn't have a favourite icon installed and Apache gives that error every time someone requests a file that is not there (most browsers search for favicon.ico).

About the other error: Sadly the error message is not very helpful, but did you set the database user, database and database password in the Prestashop install correctly? I am guessing it has problems connecting to your MYSQL database. Also, as host you should set localhost!

28
I do not agree with this, backups should be backups and not be deleted early.

29
Thank you very much for your reply

I am not sure if this will save you some time, but maybe you can just simply use the tar options when extracting instead of re-packaging them:

--no-same-owner
extract files as yourself (default for ordinary users)

--no-same-permissions
apply the user's umask when extracting permissions from the archive (default for ordinary users)

Source: http://linux.die.net/man/1/tar

Maybe that is sufficient already (according to the manual, these are default, except for root).

30
I just found this post:
http://forum.centos-webpanel.com/centos-configuration/how-to-setup-user-quotas/msg5765/#msg5765

And the user that posted his repquota there has these strange users too.

I am not sure, but maybe it's a problem with the way the tar.gz source files are untarred? Meaning it restores the original user ID, instead of using the root or whatever user should be used!?
