Messages

1

PHP / Re: When will PHP 8.4 be released in CWP?

« on: October 23, 2025, 02:53:48 PM »

The fact that i am stating that CWP is lacking in updates, is a fact. Im not dumb to state that everything is OK, when you cannot provide me ONE SIMPLE THING about CWP that have been done in the last 1-2 years! That is a fact...

The major work over the last year has been to transition out of CentOS 7 EOL and provide full support for EL8 distributions, with both a delayed repository (for CentOS 8 Stream) and for stable EL8 versions. This lays the groundwork for full EL9 support (which is currently in beta). So it's a big path forward after Red Hat pulled the rug out from under everyone using CentOS. Given this is Enterprise Linux, I would rather have a truly stable, long term supported foundation rather than shiny new features.

And now ConfigServer and Way to the Web pulled the rug out from everyone by closing up shop. At least they left ConfigServer Firewall as GPLv3 code so work can continue on it.

2

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: October 23, 2025, 02:43:50 PM »

I'm not sure if the File Manager issue is resolved with the update

https://fenrisk.com/rce-centos-webpanel

Conclusion
This exploitation scenario has been tested on versions 0.9.8.1204 and 0.9.8.1188 on Centos7 and reported to CWP developers the 13th of May 2025 as CVE-2025-48703. It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server.

The vulnerability has been patched on latest version 0.9.8.1205 during June 2025.

Timeline
13/05/2025: First contact with CWP.
23/05/2025: CVE-2025-48703 assigned.
18/06/2025: Patch available on version 0.9.8.1205.

3

Apache / Re: rebuild vhosts

« on: October 23, 2025, 01:24:29 PM »

Not that I'm aware of...
https://wiki.centos-webpanel.com/rebuild-apache-vhosts

4

PHP / Re: When will PHP 8.4 be released in CWP?

« on: October 23, 2025, 02:34:18 AM »

I am only trying to defuse the seemingly weekly threads that keep popping up here decrying CWP as "dead" -- which is NOT true.

What features are you wanting? Feel free to suggest it to their comment/bug report form. They are responsive there. (I for one do not want CWP to become as bloated as WHM and cPanel have become -- in an effort to include more and more features, their interface has become increasingly cluttered and difficult to navigate for end users.)

If this is your hosting company: https://host.tugatech.com.pt -- then I only see cPanel or Plesk offered, not CWP.
And if this is your GitHub repository, you only have a cPanel script, nothing for CWP:
https://github.com/djprmf
Hence my question, are you a cPanel evangelist? Are you a CWP user at all?

5

Mod_Security / Re: OWASP Latest

« on: October 22, 2025, 06:33:07 PM »

You've got to find the initial access webshell.

6

CSF Firewall / Re: Firewall off in cwp panel

« on: October 22, 2025, 06:31:54 PM »

If it's any comfort, it did this to me once -- and eventually just sorted itself out.

7

Updates / Re: ..no dir...

« on: October 22, 2025, 01:57:31 PM »

typo -- "Should take care of the notification."

8

PHP / Re: When will PHP 8.4 be released in CWP?

« on: October 22, 2025, 01:56:18 PM »

Are you the local cPanel evangelist? I'm tired of the Chicken Little weather reports about CWP -- "The sky is falling! The sky is falling!"

9

CentOS 9 Problems / Re: monit with AL9

« on: October 22, 2025, 01:27:50 AM »

Or is it... annual release cadence for new PHP versions?

10

Other / Re: Nginx Varnish Apache php-fpm 403 Forbidden

« on: October 21, 2025, 07:56:55 PM »

Sandeep gives all the details in his blog post (linked above) -- Redis Object Cache (which can still be used with other caching methods).

11

CentOS 9 Problems / Re: monit with AL9

« on: October 21, 2025, 01:26:02 PM »

CWP devs put in an occasional appearance here in the forum (Josemnunez, Igor, Sandeep). Their release cadence seems to be about once a month with bug fixes and new PHP versions. Wish there were changelogs detailing the changes so we can know what's going on under the hood, but we'll take what we can get!

You can set your update cycle in CWP Settings > Edit Settings in order to get the latest updates faster, or stay on a delayed track that is at least 2 weeks behind the latest for further testing. I haven't been noticeably bitten by going with "Latest", so that's what my servers are set for.

12

DNS / Re: Pointing domain to another folder

« on: October 19, 2025, 09:51:52 PM »

Depends on your need -- but in the modern era, I would think the .ssl.conf file would actually be the primary and the non-https would actually be secondary (and probably 301 redirect to the https version anyway.

13

CentOS-WebPanel Bugs / Re: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

« on: October 19, 2025, 06:10:57 PM »

your problem is 100% related to this topic.

Just to be clear, the CVE originally discussed in this thread was patched by the CWP devs in early July. Any exploit since then pertains to a whole class of PHP injection attacks that are an unfortunate reality of being a sysadmin / webmaster these days. You need to know how to harden your PHP installation and set some minimum barriers up around your web sites (web application firewalls). There used to be a setting called "DontBlameSendmail" -- but in this case, Don't Blame CWP. The onus is on YOU the sysadmin to secure your system.

14

Updates / Re: ..no dir...

« on: October 19, 2025, 12:56:52 PM »

I don't see that error on AL8. You could try setting install_weak_deps=False in /etc/dnf/dnf.conf

15

DNS / Re: Pointing domain to another folder

« on: October 19, 2025, 12:42:56 PM »

Under WebServers Conf Editor, edit the vhost configuration to point to your desired web root.