Topic: Is CWP still maintained?

Offline
*****
Re: Is CWP still maintained?
« Reply #15 on: Today at 12:53:41 PM »
One more time, apparently I have to be very KISS with you...

The RCE Vulnerability was a PHP RCE VULNERABILITY

That affected CWP, cPanel, aaPanel, and MANY others that run PHP...

You just singling out and blaming CWP IS misinformation, and not the root cause.

Please go use cPanel or some other control panel.

Online
***
Re: Is CWP still maintained?
« Reply #16 on: Today at 12:57:52 PM »
Guys, the annual Pro license of CWP costs $12 ($1/month). You can consider it as a donation because no one can provide high quality support service for such a price. So just expect as much as you pay.

So if you run a serious business and care about your product then consider using an enterprise-level control panel like cPanel, DirectAdmin, Plesk, etc. However, cPanel has some mail vulnerabilities/security breaches and their team doesn't care to fix them.

"Every program (control panel) has vulnerabilities, if the program (control panel) doesn't have vulnerabilities then it means no one uses this program or it is useless."

Offline
*****
Re: Is CWP still maintained?
« Reply #17 on: Today at 01:00:50 PM »
Here is the CVE, and even advised how to secure against it, dated 2024-09-27...

https://www.wiz.io/blog/critical-rce-php-cgi-vulnerability

But @cyberpscae is correct.

Offline
*
Re: Is CWP still maintained?
« Reply #18 on: Today at 01:06:12 PM »
Dude, no one is blaming CWP for the RCE... that is a PHP thing, it exists since PHP exists...

What you don't understand is that it is NOT *the* vulnerability, but the LACK OF INFORMATION to acknowledge the vulnerability from the CWP side?

CWP had a vulnerability. THAT IS FINE.... if they fix it and disclose it.
They fix it. Great!
But the disclosure? NO!

Every single one of the panels that you state HAVE disclosed the vulnerability in their software. Because - and again, because you apparently cannot understand this - THEY ARE RESPONSIBLE FOR THE SOFTWARE THAT THEY CREATED!

CWP did not disclose that. They prefer to hide it under an "update", that you don't even know what it is. Or do you have a changelog for the version launches?


Offline
*****
Re: Is CWP still maintained?
« Reply #19 on: Today at 01:17:44 PM »
Yes, they are responsible for the software they create, but they DID NOT CREATE PHP...

And that's where this vulnerability is located.

You are blaming CWP in your posts
Quote
THEY ARE RESPONSIBLE FOR THE SOFTWARE THAT THEY CREATED!
for something they had NO control over. And hence it wasn't a CWP bug to even 'disclose' or be responsible for.

You need to go to the PHP forums and blame them, as they are the ones who are responsible for the software they created.

Tell me where in the below it mentions CWP, or even cPanel, aaPanel, etc...

--

SUBJECT:
Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution

OVERVIEW:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Offline
*****
Re: Is CWP still maintained?
« Reply #20 on: Today at 01:26:03 PM »
Here is the fix to apply to your php.ini

The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation.
Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().

This is also blocked by ModSecurity and the OWASP CRS ruleset when correctly configured.
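
The pattern named in the description above (a request parameter handed straight to unserialize()) next to safer ways of handling it, as an added example that is not part of the original post and is not CWP's or PHP's own code. STATE_KEY and all function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical key for this example; load it from protected configuration in practice.
const STATE_KEY = 'constructed-example-key';

// The pattern the description names, for contrast (do not use):
//   $state = unserialize($_GET['id']);   // request data decides which classes get instantiated

/** Case 1: the parameter is only a record number, so accept nothing but a positive integer. */
function parse_record_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Case 2: structured state must pass through the client: send signed JSON, never serialized objects. */
function encode_state(array $state): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, STATE_KEY);
}

function decode_state(string $token): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, STATE_KEY), $parts[1])) {
        return null;                       // malformed or tampered: reject before parsing
    }
    try {
        $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($state) ? $state : null;
}

/** Case 3: legacy serialized data that cannot be migrated yet: forbid object instantiation. */
function decode_legacy(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample inputs: a plain id, object-shaped input, a valid token, a forged token.
var_dump(parse_record_id('42'), parse_record_id('O:8:"stdClass":0:{}'));
var_dump(decode_state(encode_state(['id' => 42])), decode_state('tampered.token'));
```

With `allowed_classes` set to `false`, any object in the input is returned as `__PHP_Incomplete_Class` instead of an instance of a real class, so the application's own class methods are never invoked during deserialization.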

Offline
*
Re: Is CWP still maintained?
« Reply #21 on: Today at 01:26:13 PM »
Then, by your logic, we should blame the creators of the binary... because they created this digital thing.
Or we should blame the creators of guns... not who use them and for what...

You don't really see how your logic makes no sense?

Offline
*****
Re: Is CWP still maintained?
« Reply #22 on: Today at 01:28:05 PM »
Quote
Then, by your logic, we should blame the creators of the binary... because they created this digital thing.
Or we should blame the creators of guns... not who use them and for what...

You don't really see how your logic makes no sense?

I'm placing blame where it belongs - with PHP...

Quote
The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation.
Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().

So are all the CVEs of this PHP vulnerability.

Servers that were correctly secured were not affected.
« Last Edit: Today at 01:30:28 PM by Starburst »

Offline
*
Re: Is CWP still maintained?
« Reply #23 on: Today at 01:32:24 PM »
The RCE with CWP wasn't fixed? And by who?
Or now CWP doesn't use PHP anymore? By your logic then.... this isn't fixable, since it is a "PHP Thing"... so....
« Last Edit: Today at 01:41:36 PM by djprmf »

Online
***
Re: Is CWP still maintained?
« Reply #24 on: Today at 03:24:09 PM »
Quote
CWP did not disclose that. They prefer to hide it under an "update", that you don't even know what it is. Or do you have a changelog for the version launches?

Hire the CWP team, pay them a wage and set your rules for how they must act. In the other case you accept their rules and how they support their product.

If their rules aren't acceptable for you then you need to use another product.

Offline
*
Re: Is CWP still maintained?
« Reply #25 on: Today at 06:17:39 PM »
Just because the product is free, that doesn't mean that security issues should be hidden.

You are literally saying that it is better to have a SECURITY ISSUE, in a control panel that many use in their servers, just because "it's free". That is NOT a good answer to give, and not a very good idea to have if you manage any kind of server - even more if you have clients in it.

Just because something is "free" doesn't excuse everything. And a security issue is not something that should be hidden.
Anyone that thinks otherwise doesn't know anything about server management and should not be considered a sysadmin - that is a fact in the industry, not something made up by me...

Are you for real? I know that people that use CWP do not always have the biggest knowledge about server management and sysadmin in general - and that IS FINE. But having people say that it is better to have security issues hidden than disclosed... is just ridiculous.

And I read that sentence over and over again: "go to other panel". Do you understand that, if everyone does that, CWP just ceases to exist, right? The panel that you are supporting here... you are not helping at all with statements like that.
And it is not a first thing: Sentora was one example.

In fact, I'm helping here more than anyone else that commented: transparency MUST be something that should be in EVERY SINGLE action of a project. That is A FACT. If you hide something like a security issue, just because it is free, you are doing it wrong.


Also, @Starburst, kindly stop providing false articles about WAF protection when you clearly don't know what they do. WAF protection is to protect against potential attack vectors - like exploits. You CANNOT apply WAF rules in the CWP - your guide is to apply to the websites in the servers, that is pointless (and you know why? Exactly, because the exploit here WAS IN CWP, not because of the websites in the servers with CWP).

Offline
*
Re: Is CWP still maintained?
« Reply #26 on: Today at 06:29:59 PM »
And I found this: https://control-webpanel.com/changelog

The last "update" showing what was really changed was in version 0.9.8.1188, released on 13/11/2024.
After that there are updates, but no one knows in what.

And this is the OFFICIAL WEBSITE of CWP. It is not me, it is not made up. You CANNOT provide any info about what was updated after 13/11/2024 besides numbers that increase in the CWP panel.

If you don't see any issue in this lack of transparency, just because "it is free"... oh boy.

Online
***
Re: Is CWP still maintained?
« Reply #27 on: Today at 07:58:49 PM »
CWP isn't maintained by a huge number of people. If you want to make CWP more reliable then I recommend you invest more than $1/month into the CWP project or offer some other help for CWP or run your own similar project. You will find it is more expensive than $1/month.

Quote
The last "update" showing what was really changed was in version 0.9.8.1188, released on 13/11/2024.
After that there are updates, but no one knows in what.

And this is the OFFICIAL WEBSITE of CWP. It is not me, it is not made up. You CANNOT provide any info about what was updated after 13/11/2024 besides numbers that increase in the CWP panel.

If you don't like it then why do you use CWP and not cPanel/DirectAdmin/Plesk? Do you like to pay nothing and get everything? Seems so...