Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - mrgreen

Pages: [1]
1
# CVE-2025-48703 Vulnerability and Implemented Security Measures

Hello CWP Community,

We recently became aware of a security vulnerability identified as **CVE-2025-48703**, affecting the file manager module in CWP. You can find more details on [GitHub](https://github.com/trh4ckn0n/CVE-2025-48703). To help the community, I’d like to share the steps we took to secure our server (running CentOS 8.5.2111 with CWP).

## Implemented Security Measures

1. **Blocking File Manager Access** 
   The vulnerability involves the file manager module. To mitigate this, we added the following `.htaccess` rules to all users’ `public_html` directories:
   ```apache
   <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteCond %{QUERY_STRING} module=filemanager&acc=findFiles [NC]
       RewriteRule ^ - [F,L]
   </IfModule>
   ```
   We applied these rules across all relevant user directories.

2. **Firewall Blocking for Suspicious Access** 
   We blocked suspicious IP addresses using the firewall:
   ```bash
   firewall-cmd --permanent --add-source=<suspicious-ip> --zone=block
   firewall-cmd --reload
   ```

3. **Fixing User Permissions** 
   To correct file and directory permissions, we used CWP’s permission repair script:
   ```bash
   /usr/local/cwpsrv/htdocs/resources/scripts/fixperms <username>
   ```

4. **CWP Update** 
   We updated CWP to the latest version:
   ```bash
   /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp
   ```

5. **Malware Scanning** 
   We performed scans to detect malicious files:
   ```bash
   /usr/local/cwpsrv/htdocs/resources/scripts/maldet_scan
   rkhunter --check
   ```

6. **PHP File Monitoring System** 
   For our high-traffic server, we developed a script to monitor newly created `.php` files. The script recursively monitors user directories, skips session files (e.g., `sess_*`), and sends hourly email notifications for detected `.php` files. It uses `inotify-tools` and is compatible with CentOS 8. If you’d like the script details, please let me know!

## Additional Recommendations
- **Email Notifications**: We use Postfix for email notifications. If you encounter email issues, check the Postfix logs:
  ```bash
  tail -n 50 /var/log/maillog
  ```
  Alternatively, you can configure Gmail SMTP:
  ```bash
  dnf install -y cyrus-sasl-plain
  nano ~/.mailrc
  ```
  Contents:
  ```
  set from="your-email@gmail.com"
  set smtp=smtp.gmail.com:587
  set smtp-auth-user=your-email@gmail.com
  set smtp-auth-password=your-app-specific-password
  set smtp-auth=login
  set ssl-verify=ignore
  ```

- **inotify Limits**: For recursive monitoring on high-traffic servers, we increased `inotify` limits:
  ```bash
  echo 524288 | sudo tee /proc/sys/fs/inotify/max_user_watches
  sudo sysctl -p
  ```

These measures have secured our server and enabled us to monitor new `.php` files effectively. If you’ve encountered CVE-2025-48703 or implemented additional measures, please share your experiences. Community feedback is invaluable!

Thank you, 
Mr Green

Pages: [1]