Recent Posts

11
Updates / Re: Roundcube vulnerability
« Last post by cyberspace on February 21, 2026, 10:40:13 PM »
Hi guys,

I've developed a script to update Roundcube for CWP to the latest LTS version.

What does the script do ?

1. It parses the page:
https://roundcube.net/download/
to identify the latest LTS version of Roundcube and the URL of the .tar.gz file.
2. Compares the versions (installed and available at the website)
3. If the installed version is older than available then:

3a. Makes backup of the currently installed Roundcube
3b. Downloads the .tar.gz file from the website
3c. Checks the checksum to make sure the downloaded file isn't corrupted
3d. Updates Roundcube
3e. Sends a notification to the user (address is specified in the script)

If the versions are the same or the installed version is newer, then it just sends a simple notification like "no update needed".
Code:
#!/usr/bin/env bash

####################################################################################
#                                                                                  #
#  The MIT License (MIT)                                                           #
#                                                                                  #
#  Copyright (c) 2026 BeinHost.com                                                 #
#                                                                                  #
#  Permission is hereby granted, free of charge, to any person obtaining a copy    #
#  of this software and associated documentation files (the "Software"), to deal   #
#  in the Software without restriction, including without limitation the rights    #
#  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell       #
#  copies of the Software, and to permit persons to whom the Software is           #
#  furnished to do so, subject to the following conditions:                        #
#                                                                                  #
#  The above copyright notice and this permission notice shall be included in all  #
#  copies or substantial portions of the Software.                                 #
#                                                                                  #
#  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR      #
#  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,        #
#  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE     #
#  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER          #
#  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,   #
#  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE   #
#  SOFTWARE.                                                                       #
#                                                                                  #
####################################################################################

########################################
# CONFIG
########################################

BASE_DIR="/usr/local/cwpsrv/var/services"
INSTALL_DIR="$BASE_DIR/roundcube"
PAGE_URL="https://roundcube.net/download/"
OWNER="cwpsvc:cwpsvc"
EMAIL="support@beinhost.com"
SUBJECT_PREFIX="[Roundcube Updater]"

# Everything below uses relative paths, so refuse to continue if the cd fails.
cd "$BASE_DIR" || { echo "Cannot change to $BASE_DIR"; exit 1; }

########################################
# Send notification
########################################

send_email() {
    local subject="$1"
    local body="$2"

    # use mail command
    echo -e "$body" | mail -s "$SUBJECT_PREFIX $subject" "$EMAIL"
}

########################################
# Detect installed version
########################################

INI_FILE="$INSTALL_DIR/program/include/iniset.php"

if [[ ! -f "$INI_FILE" ]]; then
    echo "Cannot detect installed version (iniset.php missing)."
    exit 2
fi

installed_version=$(grep -oE "RCMAIL_VERSION',[[:space:]]*'[^']+'" \
    "$INI_FILE" | sed -E "s/.*'([^']+)'.*/\1/")
installed_version=$(echo "$installed_version" | tr -d '\r\n[:space:]')

echo "Installed version: $installed_version"

########################################
# Detect latest LTS version + checksum
########################################

lts_block=$(curl -fsSL "$PAGE_URL" \
  | awk '/<h2 id="lts">/,/<\/table>/')

download_url=$(echo "$lts_block" \
  | grep -oE 'https://[^"]+-complete\.tar\.gz' \
  | head -n1)

latest_version=$(echo "$download_url" \
  | sed -E 's/.*roundcubemail-([0-9]+\.[0-9]+\.[0-9]+)-complete\.tar\.gz/\1/')
latest_version=$(echo "$latest_version" | tr -d '\r\n[:space:]')

sha256_expected=$(echo "$lts_block" \
  | grep -oE '[a-f0-9]{64}' \
  | head -n1)

if [[ -z "$download_url" || -z "$latest_version" || -z "$sha256_expected" ]]; then
    echo "Failed to detect latest LTS release."
    send_email "Update failed" "Server: `hostname`\nFailed to detect latest LTS release.\nTime: $(date)"
    exit 3
fi

########################################
# Compare versions
########################################

version_gt() {
    [ "$1" = "$2" ] && return 1

    local IFS=.
    local i ver1=($1) ver2=($2)

    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)); do ver1[i]=0; done
    for ((i=${#ver2[@]}; i<${#ver1[@]}; i++)); do ver2[i]=0; done

    for ((i=0; i<${#ver1[@]}; i++)); do
        if ((10#${ver1[i]} > 10#${ver2[i]})); then return 0; fi
        if ((10#${ver1[i]} < 10#${ver2[i]})); then return 1; fi
    done

    return 1
}

#echo "Installed: [$installed_version]"
#echo "Latest:    [$latest_version]"

if version_gt "$latest_version" "$installed_version"; then
    echo "Update available: $installed_version -> $latest_version"
    # The "update successful" notification is sent at the end, once the
    # upgrade has actually completed.

elif version_gt "$installed_version" "$latest_version"; then
    echo "Installed version is newer than LTS."
    send_email "Installed version newer than LTS" "Server: $(hostname)\nStatus: Installed Roundcube version ($installed_version) is newer than latest LTS ($latest_version).\nNo update performed.\nTime: $(date)"
    # Stop here; without this exit the script would fall through and downgrade.
    exit 0
else
    echo "Latest LTS version:" "$latest_version"
    echo "Already up to date."
    send_email "No update needed" "Server: $(hostname)\nStatus: Roundcube is already up to date.\nInstalled version: $installed_version\nLatest LTS: $latest_version\nTime: $(date)"
    exit 0
fi

########################################
# Backup current installation
########################################

backup_dir="roundcube_backup_v${installed_version}_$(date +%F_%H%M%S)"

echo "Creating backup: $backup_dir"
cp -a roundcube "$backup_dir"

########################################
# Download release
########################################

filename=$(basename "$download_url")

echo "Downloading $filename"
if ! curl -fL -o "$filename" "$download_url"; then
    echo "Download failed."
    rm -f "$filename"
    send_email "Update failed" "Server: $(hostname)\nStatus: Download of $filename failed.\nBackup: $backup_dir\nTime: $(date)"
    exit 6
fi

########################################
# Verify SHA256
########################################

echo "Verifying checksum..."
sha256_actual=$(sha256sum "$filename" | awk '{print $1}')

if [[ "$sha256_actual" != "$sha256_expected" ]]; then
    echo "Checksum verification FAILED!"
    rm -f "$filename"
    send_email "Update FAILED" "Server: $(hostname)\nStatus: Roundcube update failed!\nInstalled version: $installed_version\nLatest version: $latest_version\nBackup: $backup_dir\nReason: SHA256 mismatch\nTime: $(date)"
    exit 4
fi

echo "Checksum OK."

########################################
# Extract + Install
########################################

echo "Extracting..."
if ! tar -xzf "$filename"; then
    echo "Extraction failed (tar returned an error)."
    exit 5
fi

src_dir="roundcubemail-$latest_version"

if [[ ! -d "$src_dir" ]]; then
    echo "Extraction failed. Directory $src_dir not found."
    exit 5
fi

echo "Running install script..."
# installto.sh asks for confirmation; 'yes' answers it. Abort on a non-zero
# exit so a half-finished upgrade is never reported as a success.
if ! yes | "$src_dir/bin/installto.sh" "$INSTALL_DIR"; then
    echo "installto.sh failed. Backup kept in $backup_dir"
    send_email "Update failed" "Server: $(hostname)\nStatus: installto.sh returned an error.\nBackup: $backup_dir\nTime: $(date)"
    exit 7
fi

########################################
# Fix permissions
########################################

chown -R "$OWNER" roundcube

########################################
# Cleanup
########################################

rm -rf "$src_dir" "$filename"

echo "Update completed successfully!"
echo "Now running version: $latest_version"

send_email "Update successful" "Server: $(hostname)\nStatus: Roundcube updated: $installed_version -> $latest_version\nBackup: $backup_dir\nTime: $(date)"


I tested the script for some time and it worked fine for me. However, please note that you use the script at your own risk (MIT License).
12
Yes, that script gives the same worrying message on my servers. But it looks to be all-scare, not a legitimate security issue. Most odd thing is the 507 user:group ownership -- no longer valid, so probably more cleanup CWP needs to do.

OK, I'll stop having a panic attack now :-)
That or we are both screwed.....

-Dave
13
Yes, that script gives the same worrying message on my servers. But it looks to be all-scare, not a legitimate security issue. Most odd thing is the 507 user:group ownership -- no longer valid, so probably more cleanup CWP needs to do.
14
@overseer
Yes Alma 8
File is showing as 1.34MB in the gui file explorer. All the dates are the same so I would think it's legit.
But the warning is kind of worrying coming out of nowhere on a new build.



Code:
[root@localhost ~]# ls -l /usr/local/ioncube/ioncube_loader_lin_7.2.so
-rw-rw-r-- 1 507 507 1407568 Sep  9  2023 /usr/local/ioncube/ioncube_loader_lin_7.2.so


Is your server flagging it?

Thanks,
Dave
15
I have the /usr/lib64/gconv/gconv-modules.cache file on my AlmaLinux 8 servers (28K in size). Seems like a normal harmless cache file. Maybe the recent update attempts to tighten up security, but is generating false positives.

Indeed, look at the new cron job that runs cwp_security_audit:
Code:
[root@srv1]# ls -al /etc/cron.daily/cwp_security_audit.sh
-rwxr-xr-x 1 root root 31 Feb 17 18:40 /etc/cron.daily/cwp_security_audit.sh
16
What operating system? I have that file (1.4M in size) on my AlmaLinux 8 servers. I assume it's necessary to decrypt & load the CWP core, which is still running on the hobbling old PHP 7.2 (even though the files are labeled PHP 7.1, it is really 7.2).

Looks like the recent update added the security audit and automatically enrolled servers to run it. Look at the new cron job that runs cwp_security_audit:
Code:
[root@srv1]# ls -al /etc/cron.daily/cwp_security_audit.sh
-rwxr-xr-x 1 root root 31 Feb 17 18:40 /etc/cron.daily/cwp_security_audit.sh
17
Updates / [SECURITY ALERT] Unauthorized port / [SECURITY ALERT] Unknown/Untrusted file..
« Last post by venty on February 21, 2026, 11:08:35 AM »
Hi,

Please help, today, after I entered the CWP panel, I have two new messages:

[SECURITY ALERT] Unknown/Untrusted file: /usr/lib64/gconv/gconv-modules.cache

and

[SECURITY ALERT] Unauthorized port, for more info run: sh /scripts/cwp_security_audit

The installation is AL 9.7, and there were a lot of updates yesterday.

Please help...

Thanks in advance, and have a nice day!

BR
Venty
18
Anyone getting this security error?
Seems serious, BUT I just set up a new server, still sitting on a private IP, and got it, so now I'm not sure.

sh /scripts/cwp_security_audit
------------------------------------------------------
[INFO] Auditing cwpsrv (PID: 156548)
[OK] cwpsrv looks clean.
------------------------------------------------------
[INFO] Auditing php-fpm-cwp (PID: 1086)
[!!! CRITICAL ALERT !!!] Ghost files (deleted but running) found:
php-fpm 1086 root  DEL       REG              253,0             1837740 /usr/local/ioncube/ioncube_loader_lin_7.2.so
Error:Can't add notification!------------------------------------------------------
[INFO] Auditing apache (PID: 157091)
[OK] apache looks clean.
------------------------------------------------------
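The "ghost files (deleted but running)" finding above is the same condition that appears in /proc/<pid>/maps as a mapping marked "(deleted)": the inode the process loaded is no longer linked at that path. As an added example (not from any post in this thread and not CWP's own audit code), the script below lists such shared objects for a process and separates a library that was replaced on disk while the service kept running (a stale mapping, cleared by a service restart) from one whose path is now empty (worth investigating); the maps excerpt is constructed, the ionCube path is the one from the output above, and the /proc maps line format is assumed.

```shell
#!/usr/bin/env bash
# Added example (not CWP's audit code): explain a "ghost file" finding.
# A shared object shows up as "(deleted)" in /proc/<pid>/maps when the inode
# the process mapped is no longer linked at that path. Two causes look alike:
#   replaced - an update wrote a new file at the same path (stale mapping,
#              the service just needs a restart);
#   missing  - nothing is at that path any more (worth investigating).

# Constructed maps excerpt, not real server output; the ionCube path is the
# one the audit reported. Paths containing spaces are not handled.
SAMPLE_MAPS='7f3a4c000000-7f3a4c1ff000 r-xp 00000000 fd:00 1837740 /usr/local/ioncube/ioncube_loader_lin_7.2.so (deleted)
7f3a4c1ff000-7f3a4c3fe000 ---p 001ff000 fd:00 1837740 /usr/local/ioncube/ioncube_loader_lin_7.2.so (deleted)
7f3a4d000000-7f3a4d1c5000 r-xp 00000000 fd:00 133700 /usr/lib64/libc-2.28.so
7f3a4e000000-7f3a4e021000 rw-p 00000000 00:00 0 [heap]'

# stdin: maps text. stdout: each distinct shared object mapped "(deleted)".
ghost_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.|$)/ { print $(NF-1) }' | sort -u
}

# Verdict for one flagged path (see the two causes above).
classify_ghost() {
    if [ -f "$1" ]; then echo replaced; else echo missing; fi
}

# Audit one maps file such as /proc/<pid>/maps. Prints "<verdict> <path>"
# per ghost library. Returns 0 when clean, 1 when something was flagged,
# 2 when the file cannot be read.
audit_maps() {
    ghosts=$(ghost_libs < "$1") || return 2
    [ -n "$ghosts" ] || return 0
    printf '%s\n' "$ghosts" | while IFS= read -r lib; do
        printf '%s %s\n' "$(classify_ghost "$lib")" "$lib"
    done
    return 1
}

# Stand-alone use: audit the PIDs given on the command line, for example
#   ./ghost_audit.sh $(pgrep -x php-fpm)
for pid in "$@"; do
    echo "--- PID $pid ---"
    audit_maps "/proc/$pid/maps" && echo "clean"
done
```

A "replaced" verdict after a loader or package update is expected until the service is restarted; a "missing" verdict means the mapped code has no on-disk counterpart left to inspect.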
19
Other / Re: Goodbye CWP — I’m done for good
« Last post by matrix4495 on February 19, 2026, 05:54:20 AM »
Completely agree with Jaspreet Singh.

This project seems to be dead, as we have not received any updates since Nov 2024, and there is no support on the forum either.

Some time ago, I contacted the CWP team, and they said they were working, but they blocked me then. There are a few members who are running the forum by just saying "CWP Team is working, CWP is not dead, blah blah, etc.." and a few of them are sharing their article users, but the actual CWP team doesn't bother looking at the forum.

It's time to move on

Project is NOT DEAD. Not sure why you keep posting that line...

CWP pushed an update today (2026-02-18): 0.9.8.1222.
And before that, 0.9.8.1221 was pushed on 2026-02-02.

It's personal preference if you want to stop using CWP and 'move on'

I've tested other panels, and they all have CVEs and cannot be kept updated as easily as CWP can be.
Some don't even have the features CWP has, and cost $$$ more.

Can CWP do better with some things, yes.

Clarifying “dead” vs “production-viable” (and what I’m asking for)

Nobody is saying "no code ever ships" or "the installer stops working." The point is operations reality: predictable maintenance, transparent communication, and accountable support.

Right now, what's missing (for me, and for others replying here) is official clarity:

  • Release notes / changelog transparency:
    Version numbers being pushed is not a changelog. A serious production panel needs release notes that answer:
    • What changed?
    • What was fixed?
    • What was removed/broken?
    • What security issues were addressed (with references)?
    If there is an official changelog for 2025–2026, please link it. If not, that’s exactly the problem.
  • Security cadence & accountability:
    “All panels have CVEs” is true and irrelevant. The question is: how fast are fixes shipped and communicated?
    Please provide:
    • The last 5 high/critical CVEs that affected CWP’s stack
    • For each: disclosure date → patch date → where it was documented
    Without that, admins are forced into DIY patching and custom scripts to stay safe, which is not acceptable for client workloads.
  • Roadmap (missing or opaque):
    This is the biggest gap. A roadmap isn’t “talk.” It’s a public commitment with dates (even if approximate) and scope.
    Examples of what operators need to know:
    • PHP cadence: When are 8.4 and 8.5 planned, and what is the official method (repo/channel) and support window?
    • OS support: Which distro versions are officially supported today, and until when? What is the plan for newer major OS releases?
    • Core components roadmap: web stack changes, mail stack changes, kernel/openssl compatibility, DB stack changes: what is planned and what is not?
    • Breaking changes policy: How are breaking changes communicated and how are rollbacks handled?
    • EOL policy: What is the official end-of-support policy for older stacks?
    If the answer is “use a community guide” or “you can DIY it,” that’s precisely confirming the ops problem: we’re building the missing roadmap ourselves.
  • Support reality:
    Community help is appreciated but it is not the same as official support. 
    If the official support channel exists, please share:
    • Where to file issues
    • Expected response time
    • What’s covered vs not covered
    Forum replies and unofficial “help hubs” can’t replace accountability when clients are paying and uptime/security matter.
  • Production-grade features (example: DNS cluster):
    If DNS clustering is considered production-ready, please link the official documentation/design and the supported failure modes (sync model, consistency, recovery, monitoring).
    If it requires custom scripts to be stable and predictable, then it’s not production-grade.

So my position stays simple:
If someone wants to argue "Project is NOT DEAD," that's fine, but then please answer with links and specifics:
  • Official changelog/release notes (2025–2026)
  • CVE fix timelines (disclosure → patch → documentation)
  • Official roadmap (PHP + OS support + core stack + policy)
  • Official support channel + expectations

On the “but it’s cheaper” argument (price vs total cost)

Cost is not the point being debated; predictable operations are.

Yes, other panels can be more expensive up-front. But the real comparison for anyone running client workloads is TCO (Total Cost of Ownership):
  • Admin time: Hours spent firefighting, writing custom scripts, applying workarounds, and reverse-engineering changes.
  • Security exposure: Slow fixes + unclear advisories increase risk, and one incident costs more than years of license fees.
  • Downtime cost: Outages, mail issues, broken updates: your time + customer churn + reputational damage.
  • Opportunity cost: Time wasted on panel survival is time not spent growing the business.

So “it’s cheaper” is not a rebuttal to missing changelogs, missing roadmap, slow security response, or support gaps.
It only proves this: some users accept those risks because their use-case is static and price-sensitive. That’s fine.
But for production hosting where accountability matters, cheap without transparency becomes expensive.

If a “cheap” panel costs even 2–3 extra hours/week in babysitting, that alone can exceed the license price difference before counting downtime or security incidents.

Until those exist publicly and consistently, calling it "alive" doesn't help the people running production.
That's why I moved on. No drama, just operational facts.

20
Other / Re: Goodbye CWP — I’m done for good
« Last post by overseer on February 19, 2026, 04:35:37 AM »
Goodbye CWP, I’m done for good.
Okay, goodbye. We'll miss your contribution here.

I for one (and my customers obviously agree) do NOT want rapid change. Slow, gradual iterative improvement is welcome as long as it doesn't introduce new bugs and CVEs. They do not want or need the kitchen sink of features nor do they want a fresh GUI for the sake of... something. They would revolt if the webmail suddenly changed from Roundcube to Rainloop. They want consistency. As long as their (fairly static) site is up and they can check their e-mail, they are happy.

Yes, they will want PHP 8.4 and someday 8.5. But 8.1 and 8.3 meet the minimum requirements of my most demanding customers. If I absolutely needed it, there are guides on AlphaGNU on how to install it. Changelogs would be nice, but are not strictly necessary. TBH, I maybe reference one or two changelogs per year. Time is too precious to pore over them, unless there's a specific CVE I need to address.

As for other panels, sure there are many, but they are 3x, 5x, or 10x the price of CWP. CWP is the sweet spot of price and features for me. Once cPanel went for the greed grab and upped their pricing tiers to the stratosphere, I jumped ship and haven't looked back. Now most panels set their reference pricing to cPanel, so most of them are out of reach. But if it would motivate the CWP team to increase their cadence and communication and hire more devs & support staff, I would pay 1.5x to 2x what I pay now for CWP Pro. But paying more, I would expect more. Right now, for the price point, I feel I am getting a good value for my money. Look around -- I have and I know Starburst has. Nothing is as good at this price point.