Control Web Panel
WebPanel => PHP => Topic started by: MyBuddyBen on July 15, 2020, 01:09:16 PM
-
I ran a security scanner on the CWP service, and it noticed a DoS vulnerability in the CWPPHP
According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x
prior to 7.2.31, 7.3.x prior to 7.3.18 or 7.4.x prior to 7.4.6. It is, therefore, affected by a denial of service (DoS)
vulnerability in its HTTP file upload component due to a failure to clean up temporary files created during the file
upload process. An unauthenticated, remote attacker can exploit this issue, by repeatedly submitting uploads
with long file or field names, to exhaust disk space and cause a DoS condition.
Solution
Upgrade to PHP version of CWPPHP in Yum to 7.2.31, 7.3.18, 7.4.6 or later.
Risk Factor
Medium
CVSS v3.0 Base Score
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVSS v3.0 Temporal Score
4.6 (CVSS:3.0/E:U/RL:O/RC:C)
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#E:U/RL:OF/RC:C)
STIG Severity
15
I
References
CVE CVE-2019-11048
XREF IAVA:2020-A-0221
-
I see your post is from July. Hopefully you found it in CWP.
Using the PHP Selector, Up to 7.2.33 is available.
-
Starburst that are only the PHP for hosted PHP, the PHP version CWPSRV use are old
check your self via
yum info cwpphp
PS. this are also the old PHP version used for build-in phpmysqladmin and WebMail (RoundCube), again just check.
-
It's now 3(!) years later and CWP is still using PHP 7.2.30:
Detected CVEs for PHP 7.2.30 with CVSS above 7.0.
Is there any way to update the php version used by CWP control panel? I can only update the PHP version used by web sites.
Or is there a way to only make CWP control panel accessible via VPN?
-
It's now 3(!) years later and CWP is still using PHP 7.2.30:
Detected CVEs for PHP 7.2.30 with CVSS above 7.0.
Is there any way to update the php version used by CWP control panel? I can only update the PHP version used by web sites.
Or is there a way to only make CWP control panel accessible via VPN?
This question was answered. CWP uses IonCube encoder. For them to update beyond 7.2 currently, they will have to But a newer version of the encoder. I don't think that's going to happen anytime soon, unless IonCube pulls their heads out of their rear ends and come back to reality. They litterally charge $200 for EVERY version of PHP (8.0, 8.1, 8.2) The cost just can't be justified with PHP coming out almost quarterly at this rate.
-
Is that really true? According to their web site, their PHP Encoder 13 is working with PHP 4, 5, 7 and 8 up to 8.2:
https://www.ioncube.com/php_encoder.php
Anyway, another option would be putting a HTTP password on the page, so the vulnerable PHP wouldn't be exposed to the entire world. But I cannot find the directory of the panel to do this...
-
Yes, really true. Supported versions are paid in license fee per version.
You could look at snuffalupagus for PHP v 7.2 if it really concerns you. Other security measures include change CWP admin ports. Tune your firewall, block country codes, etc.
-
I wouldn't mind helping @Sandeep to get the ionCube 13 Encoder.
Seems like without it CWP 9 is at a standstill.
Other option would be to go Un Encoded, and make it Open Source.
-
I own 12.0.2 which could do PHP8, but never received a response when I applied to help on the project.