Recent Posts
81
Information / Re: Is CWP still maintained?
« Last post by djprmf on October 09, 2025, 01:32:24 PM »The RCE with CWP wasn't fixed? And by who?
Or now CWP doesn't uses PHP anymore? By your logic then.... this isn't fixable, since is a "PHP Thing"... so....
Or now CWP doesn't uses PHP anymore? By your logic then.... this isn't fixable, since is a "PHP Thing"... so....
82
Information / Re: Is CWP still maintained?
« Last post by Starburst on October 09, 2025, 01:28:05 PM »Then, by your logic, we should blame the creators of the binary... because they created this digital thing.
Or we should blame the creators of guns... not who use them and for what...
You don't really see how your logic makes no sense?
I'm placing blame where is belongs - with PHP...
Quote
The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation.
Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().
So are all the CVE's of this PHP vulnerability.
Servers that where correctly secured where not affected.
83
Information / Re: Is CWP still maintained?
« Last post by djprmf on October 09, 2025, 01:26:13 PM »Then, by your logic, we should blame the creators of the binary... because they created this digital thing.
Or we should blame the creators of guns... not who use them and for what...
You don't really see how your logic makes no sense?
Or we should blame the creators of guns... not who use them and for what...
You don't really see how your logic makes no sense?
84
Information / Re: Is CWP still maintained?
« Last post by Starburst on October 09, 2025, 01:26:03 PM »Here is the fix to apply to your php.ini
The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation.
Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().
This is also blocked by ModSecurity and the OWASP CRS ruleset when correctly configured.
The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation.
Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().
This is also blocked by ModSecurity and the OWASP CRS ruleset when correctly configured.
85
Information / Re: Is CWP still maintained?
« Last post by Starburst on October 09, 2025, 01:17:44 PM »Yes, they are responsible for the software they create, but they DID NOT CREATE PHP...
And that's where this vulnerability is located.
You are blaming CWP in your posts
You need to goto the PHP forums and blame them, as they are the ones who a responsible for the software they created.
Tell me where in the below it mentions CWP, or even cPanel, aaPanel, etc...
--
SUBJECT:
Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
And that's where this vulnerability is located.
You are blaming CWP in your posts
Quote
THEY ARE RESPONSIBLE FOR THE SOFTWARE THAT THEY CREATED!for something they had NO control over. And hence it wasn't a CWP bug to even 'disclose' or responsible for.
You need to goto the PHP forums and blame them, as they are the ones who a responsible for the software they created.
Tell me where in the below it mentions CWP, or even cPanel, aaPanel, etc...
--
SUBJECT:
Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
86
Information / Re: Is CWP still maintained?
« Last post by djprmf on October 09, 2025, 01:06:12 PM »dude, no one is blaming CWP for the RCE... that is a PHP thing, exist since PHP exist...
What you don't understand that is NOT *the* vulnerability, but the LACK OF INFORMATION to acknowledge the vulnerability from the CWP side?
CWP had a vulnerability. THAT IS FINE.... if they fix it and disclosure it.
They fix it. Great!
But the disclosure? NO!
Every single one of the panels that you state HAVE disclosure the vulnerability in they software. Because - and again, becase you apparently cannot understand this - THEY ARE RESPONSIBLE FOR THE SOFTWARE THAT THEY CREATED!
CWP did not disclosure that. They prefer hide it under a "update", that you don't even know what is. Or do you have a changelog for the versions lauch?
What you don't understand that is NOT *the* vulnerability, but the LACK OF INFORMATION to acknowledge the vulnerability from the CWP side?
CWP had a vulnerability. THAT IS FINE.... if they fix it and disclosure it.
They fix it. Great!
But the disclosure? NO!
Every single one of the panels that you state HAVE disclosure the vulnerability in they software. Because - and again, becase you apparently cannot understand this - THEY ARE RESPONSIBLE FOR THE SOFTWARE THAT THEY CREATED!
CWP did not disclosure that. They prefer hide it under a "update", that you don't even know what is. Or do you have a changelog for the versions lauch?
87
Information / Re: Is CWP still maintained?
« Last post by Starburst on October 09, 2025, 01:00:50 PM »Here is the CVE, and even advised has to secure against it, dated 2024-09-27...
https://www.wiz.io/blog/critical-rce-php-cgi-vulnerability
But @cyberpscae is correct.
https://www.wiz.io/blog/critical-rce-php-cgi-vulnerability
But @cyberpscae is correct.
88
Information / Re: Is CWP still maintained?
« Last post by cyberspace on October 09, 2025, 12:57:52 PM »Guys, the annual Pro license of CWP costs $12 ($1/month). You can consider it as donation because no one can provide high quality support service for such price. So just expect as much as much you pay.
So if you run serious business and care about your product then consider to use the enterprise level control panel like cPanel, DirectAdmin, Plesk, etc. However, cPanel has some mail vulnerabilities/security breaches and their team doesn't care to fix it.
"Every program (control panel) has vulnerabilities, if the program (control panel) doesn't have vulnerabilities then it means no one uses this program or it is useless."
So if you run serious business and care about your product then consider to use the enterprise level control panel like cPanel, DirectAdmin, Plesk, etc. However, cPanel has some mail vulnerabilities/security breaches and their team doesn't care to fix it.
"Every program (control panel) has vulnerabilities, if the program (control panel) doesn't have vulnerabilities then it means no one uses this program or it is useless."
89
Information / Re: Is CWP still maintained?
« Last post by Starburst on October 09, 2025, 12:53:41 PM »One more time, apparently I have to be very KISS with you...
The RCE Vulnerability was a PHP RCE VULENABILITY
That affected, CWP, cPanel, aaPanel, and MANY Others that run PHP...
You just singling out and blaming CWP IS mis-information, and not the root cause.
Please go use cPanel or some other control panel.
The RCE Vulnerability was a PHP RCE VULENABILITY
That affected, CWP, cPanel, aaPanel, and MANY Others that run PHP...
You just singling out and blaming CWP IS mis-information, and not the root cause.
Please go use cPanel or some other control panel.
90
Information / Re: Is CWP still maintained?
« Last post by djprmf on October 09, 2025, 12:53:34 PM »TLDR: If you develop something, you ARE responsible for the security of that thing. Just because you have an error in the code, security issue, or anything in the thing that you develop, that doesn't make you any less responsible for it.
yes, you should fix it. But if is something that OTHERS WILL USE, you should ALSO report that to everyone, not sweep under the rug....
And no: you cannot excuse the issue just because others had it. That is not any of this works.... never had been.
yes, you should fix it. But if is something that OTHERS WILL USE, you should ALSO report that to everyone, not sweep under the rug....
And no: you cannot excuse the issue just because others had it. That is not any of this works.... never had been.
