1
PHP / Need to upgrade CWPPHP from 7.2.30 to at least 7.2.31
« on: July 15, 2020, 01:09:16 PM »
I ran a security scanner on the CWP service, and it noticed a DoS vulnerability in the CWPPHP.
According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x
prior to 7.2.31, 7.3.x prior to 7.3.18 or 7.4.x prior to 7.4.6. It is, therefore, affected by a denial of service (DoS)
vulnerability in its HTTP file upload component due to a failure to clean up temporary files created during the file
upload process. An unauthenticated, remote attacker can exploit this issue, by repeatedly submitting uploads
with long file or field names, to exhaust disk space and cause a DoS condition.
Solution
Upgrade to PHP version of CWPPHP in Yum to 7.2.31, 7.3.18, 7.4.6 or later.
Risk Factor
Medium
CVSS v3.0 Base Score
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVSS v3.0 Temporal Score
4.6 (CVSS:3.0/E:U/RL:O/RC:C)
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#E:U/RL:OF/RC:C)
STIG Severity
15
I
References
CVE CVE-2019-11048
XREF IAVA:2020-A-0221
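Added example (not part of the original post or the scanner report): a shell check for the two things the finding describes, whether a PHP version string falls in the listed affected ranges and whether upload temp files are piling up. It assumes PHP's default "php" temp-file prefix and that the directory passed in is the server's upload_tmp_dir; the function names are illustrative.

```shell
#!/bin/sh
# Added example: checks derived from the scanner finding quoted above.

# php_upload_dos_affected VERSION
# Exit 0 if VERSION is in a range the finding lists as affected
# (7.2.x < 7.2.31, 7.3.x < 7.3.18, 7.4.x < 7.4.6), 1 if not, 2 if unparsable.
php_upload_dos_affected() {
    ver=${1%%[!0-9.]*}                 # drop suffixes such as "-dev"
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
    [ "$major" = 7 ] || return 1
    case "$minor" in
        2) fixed=31 ;;
        3) fixed=18 ;;
        4) fixed=6 ;;
        *) return 1 ;;                 # branch not covered by this finding
    esac
    [ "$patch" -lt "$fixed" ]
}

# stale_upload_tmp_count DIR MINUTES
# Prints how many php* temp files in DIR are older than MINUTES. Leftovers that
# keep accumulating here are the symptom the finding describes.
# Assumption: DIR is the upload_tmp_dir and files use PHP's default "php" prefix.
stale_upload_tmp_count() {
    find "$1" -maxdepth 1 -type f -name 'php*' -mmin +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample versions, not scanner output.
for v in 7.2.30 7.2.31 7.4.6; do
    if php_upload_dos_affected "$v"; then
        echo "$v: in affected range"
    else
        echo "$v: not in affected range"
    fi
done
```

The version check only mirrors what the scanner did with the self-reported number; the temp-file count is the check that reflects what is actually happening on disk.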
2
New Modules / [module] Force Update CWP Checker Module from Panel
« on: April 04, 2018, 02:54:20 PM »
Version 1.1
Updated: 04/04/2018
I have made a user-friendly simple module to Force the command that checks for an update on CWP. Simple and friendly
Source of software: http://centos-webpanel.com
Location of PHP file: https://cwpaddons.b-cdn.net/install/update-cwp.php
How to install
---FTP method:
1) Upload update-cwp.php to CWP server in /usr/local/cwpsrv/htdocs/resources/admin/modules
Download update-cwp.php: https://cwpaddons.b-cdn.net/install/update-cwp.php
2) Open URL: yourdomain.tld/admin/index.php?module=update-cwp
3) Click the Install button
---Console method:
1) cd /usr/local/cwpsrv/htdocs/resources/admin/modules
2) wget -O update-cwp.php https://cwpaddons.b-cdn.net/install/update-cwp.php
3) Open Url: yourdomain.tld/admin/index.php?module=update-cwp
4) Click "Install" button
3
New Modules / [module] I2P Anonymous Network Private darkweb internet Installer
« on: April 04, 2018, 12:07:20 AM »
Version 1.1
Updated: 04/03/2018
I have made a user-friendly simple addon to install, uninstall, start, and stop I2P on a server.
Source of software: https://geti2p.net/en/
Location of PHP file: https://cwpaddons.b-cdn.net/install/i2p.php
How to install
---FTP method:
1) Upload i2p.php to CWP server in /usr/local/cwpsrv/htdocs/resources/admin/modules
Download i2p.php: https://cwpaddons.b-cdn.net/install/i2p.php
2) Open URL: yourdomain.tld/admin/index.php?module=i2p
3) Click the Install button
---Console method:
1) cd /usr/local/cwpsrv/htdocs/resources/admin/modules
2) wget -O i2p.php https://cwpaddons.b-cdn.net/install/i2p.php
3) Open Url: yourdomain.tld/admin/index.php?module=i2p
4) Click "Install" button
Donation
Send a donation to MyBuddyBen
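Added example (not the module author's code): the FTP and console methods in the two module posts above place a downloaded PHP file straight into the admin modules directory, where the panel will execute it. This function takes a staged copy, compares it with a SHA-256 you recorded after reviewing the file, and only then installs it; the function name and the digest placeholder are assumptions.

```shell
#!/bin/sh
# Added example: verify a staged module file before installing it.

# install_module_verified STAGED_FILE EXPECTED_SHA256 DEST_DIR
# Returns 0 only if the digest matches and the file was installed.
install_module_verified() {
    staged=$1; expected=$2; dest_dir=$3

    [ -f "$staged" ] || { echo "missing: $staged" >&2; return 2; }
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 2; }

    # Refuse symlinks so the check and the install act on the same regular file.
    if [ -L "$staged" ]; then
        echo "refusing symlink: $staged" >&2
        return 2
    fi

    actual=$(sha256sum "$staged" | awk '{print $1}')
    exp_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')   # digests are hex
    if [ "$actual" != "$exp_lc" ]; then
        echo "digest mismatch for $staged" >&2
        echo "  expected: $exp_lc" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # Syntax-check when a php binary is on PATH (lint only, nothing is executed).
    if command -v php >/dev/null 2>&1; then
        php -l "$staged" >/dev/null 2>&1 || { echo "php -l failed" >&2; return 3; }
    fi

    # Install without write permission for group and others.
    install -m 0644 "$staged" "$dest_dir/$(basename "$staged")"
}

# Typical use (URL and module path are from the posts; the digest is a
# placeholder for the value you record yourself after reading the file):
#   tmp=$(mktemp -d)
#   wget -O "$tmp/update-cwp.php" https://cwpaddons.b-cdn.net/install/update-cwp.php
#   less "$tmp/update-cwp.php"
#   install_module_verified "$tmp/update-cwp.php" "<SHA256_YOU_RECORDED>" \
#       /usr/local/cwpsrv/htdocs/resources/admin/modules
```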
4
How to / How to backup CWP server to B2 Backblaze
« on: November 03, 2016, 03:36:35 PM »
How to backup CWP to B2 Backblaze
I wrote a long article/guide on how to completely back up your server (CWP, files, MySQL databases, everything), compress it, encrypt it, and then upload it to B2 Backblaze (which is WAY cheaper than Amazon S3).
You can read it here, https://mybuddyben.com/technology/full-backup-linux-server-b2-backblaze-hashbackup/
I hope you guys will enjoy the guide and find it useful. Perhaps the CWP admin team can take the guide and make a simple addon to the CWP panel to automate the process. Would be nice, wouldn't it?
5
Suggestions / Use Rainloop instead of Roundcube
« on: September 12, 2016, 03:46:24 PM »
Anybody that is using Varnish cache may run into issues with Roundcube messing up.. Well have no fear! I had the same issue.
So I switched from Roundcube to Rainloop (http://www.rainloop.net/) and it works flawlessly.
After installing it, put this in your default.vcl and restart Varnish Server. It worked for me!
It's way more modern and has a better design to it than Roundcube to me.
sub vcl_recv {
    if (req.url ~ "^/rainloop") {
        return (pass);
    }
    if (!(req.url ~ "rainloop")) {
        unset req.http.cookie;
    }
    if (req.url ~ "rainloop") {
        return (pipe);
    }
}
sub vcl_hash {
    if (req.url !~ "^/(rainloop).*$") {
        set req.url = regsuball(req.url, "\?.*$", "");
    }
}
sub vcl_fetch {
    if (req.url ~ "^/rainloop") {
        return (hit_for_pass);
    }
}
6
PHP / Use PHP 7 for the Centos Web Panel
« on: August 06, 2016, 04:22:27 PM »
Okay Igor and CWP Team.
Super glad you guys added the PHP selector option.
Now how about we get the actual CWP Panel running on php 7 as well?
We know it is using the PHP5 version, so why not upgrade and enjoy the sweet speed benefits of it?
7
PHP Selector / Add PHP 7.0.8 in PHP Selector!
« on: July 12, 2016, 10:38:53 PM »
Okay, so the newest PHP 7.1.0 (which php selector installs currently with 7.x selected) breaks a lot of WordPress sites which use older plugins. It happened today to me when moving from 7.0.1 to 7.1.0. Broke a lot of sites!
So now I had to downgrade to 5.6 because I can't go back to the latest STABLE 7.x (Which is 7.0.8 according to php.net on this page http://php.net/downloads.php)
Please add "Latest 7.x STABLE" to the list in PHP Selector.
Thank you! I hope this gets done soon as I'm sure everyone wants to use the benefits from 7.0
8
Postfix / The addon mail_queue_addon does not exist
« on: July 05, 2016, 07:55:48 PM »
When I view a message/email in the mail_queue (http://IP:2082/index.php?module=mail_queue) I see the new interface in CWP, but after waiting a moment for the message to load I see it reload the CWP interface inside the frame and I see this message under "Attachements" section
"The addon mail_queue_addon does not exist"
This started after CWP updated I do believe.
So I can't view any messages in the mail queue at this time.
9
Apache / Need HTTP/2 support with Apache
« on: February 19, 2016, 01:50:29 PM »
As you may or may have not heard, Chrome will drop support for SPDY SSL in May. So it's best practice to go ahead and upgrade your ssl protocol to HTTP/2, sadly the apache version (2.2.27) that comes with CWP doesn't support HTTP/2 I believe. Correct me if I'm wrong.
But we need the next version of CWP to support HTTP/2 SSL.
Unless you can provide documentation below of how we can go ahead and do it ourselves.
Thanks!
10
New Modules / [module] Cloudflare - Simple 1-click install or uninstall
« on: January 07, 2016, 03:46:39 PM »
NOTICE: DO NOT INSTALL YET, there is an issue! Please wait for next version
This is a very fast, and easy way to one-click install Cloudflare apache module and also to remove it from the httpd.conf if you want. I'd like you to test and confirm it worked for you as it has for me. I did write this, so it's bound to have something wrong, so please look over it and see what you think.
Features:
- One-Click install or Uninstall Cloudflare from Apache
- Checks to see if Cloudflare is already installed in Apache
- You will need to restart apache after installing cloudflare, do this from the CWP Dashboard.
- Restores Original Visitor's IP address to your server logs
I just tried doing it on a new server and it REALLY messed up Apache.... I'm not going to go deeper in this because I think I misunderstood how this works. Basically what you need is to install cloudflare with the mod_cloudflare.so then add the
LoadModule cloudflare_module /usr/lib64/httpd/modules/mod_cloudflare.so
to your /usr/local/apache/conf/httpd.conf and restart apache. I was trying to install httpd-devel which I think messes it all up bad. You can read more here about installing cloudflare (https://www.cloudflare.com/resources-downloads/).
Perhaps someone can branch this code I started and make it better or perfect.
Latest Version: 1.1
Installation
Add this line to: /usr/local/cwpsrv/htdocs/resources/admin/include/3rdparty.php
Quote
<li><a href="index.php?module=cloudflare"><span class="icon16 icomoon-icon-arrow-right-3"></span>Cloudflare</a></li>
Then create a new file called "cloudflare.php" on:
/usr/local/cwpsrv/htdocs/resources/admin/modules
with this content:
Quote
<center><h2>Cloudflare Apache Module Installer</h2><h3>Version: 1.1</h3><a href="http://forum.centos-webpanel.com/new-modules/(module)-cloudflare-simple-1-click-install-or-uninstall/" target="_blank"><button type="button" class="btn btn-primary">Check for Update</button></a><hr></center>
<?php
$file = '/usr/local/apache/conf/httpd.conf';
$searchfor = 'LoadModule cloudflare_module /usr/lib64/httpd/modules/mod_cloudflare.so';
// get the file contents, assuming the file to be readable (and exist)
$contents = file_get_contents($file);
// escape special characters in the query
$pattern = preg_quote($searchfor, '/');
// finalise the regular expression, matching the whole line
$pattern = "/^.*$pattern.*\$/m";
// search, and store all matching occurrences in $matches
if (preg_match_all($pattern, $contents, $matches)) {
    echo "<p class='text-success'>Cloudflare is installed already!</p>\n
<form action='' method='post'>
<button type='submit' name='uninstall' class='btn btn-danger'>Uninstall Cloudflare</button>
</form>
";
} else {
    echo "
<center><strong>Run these commands as root in SSH terminal</strong></center>
<pre>
mkdir /usr/local/cwpsrv/htdocs/resources/admin/modules/cloudflare
cd /usr/local/cwpsrv/htdocs/resources/admin/modules/cloudflare
wget https://www.cloudflare.com/static/misc/mod_cloudflare/mod_cloudflare.c
apxs -a -i -c mod_cloudflare.c
</pre>
Then click the green button below; then afterward go to the CWP Dashboard and Restart Apache
<p class='text-success'>Cloudflare is not installed!</p>\n
<form action='' method='post'>
<button type='submit' name='install' class='btn btn-success'>Install Cloudflare</button>
</form>";
}
?>
<?php
if (isset($_POST['install'])) {
    // Add the Cloudflare module to Apache
    $path_to_file = '/usr/local/apache/conf/httpd.conf';
    $file_contents = file_get_contents($path_to_file);
    $file_contents = str_replace("# LoadModule foo_module modules/mod_foo.so","# LoadModule foo_module modules/mod_foo.so \nLoadModule cloudflare_module /usr/lib64/httpd/modules/mod_cloudflare.so",$file_contents);
    file_put_contents($path_to_file,$file_contents);
    echo "<center><h4>Go to CWP Dashboard and Restart Apache!</h4></center><br><br>
<h5>Refreshing page in 5 seconds to verify Cloudflare was installed.....</h5>
<meta http-equiv='refresh' content='5' />";
}
if (isset($_POST['uninstall'])) {
    // Remove the Cloudflare module from Apache
    $path_to_file = '/usr/local/apache/conf/httpd.conf';
    $file_contents = file_get_contents($path_to_file);
    $file_contents = str_replace("LoadModule cloudflare_module /usr/lib64/httpd/modules/mod_cloudflare.so","",$file_contents);
    file_put_contents($path_to_file,$file_contents);
    echo "<center><h4>Go to CWP Dashboard and Restart Apache!</h4></center><br><br>
<h5>Refreshing page in 3 seconds to verify Cloudflare was uninstalled.....</h5>
<meta http-equiv='refresh' content='3' />";
}
?>
11
New Modules / [module] Speedtest your server in 30 seconds
« on: January 06, 2016, 08:30:37 PM »
This quickly and effectively uses the speedtest.net servers to test your server's internet bandwidth connection. Check to see if you're really getting what your provider says you should get!
Features:
- Speed test your server within 30 seconds
- Uses the connection from speedtest.net
- NO buttons to click, auto runs on page and live updates to show the speed
- Detects and uses the server closest to your server's geolocation
Latest Version: 1.1a
Add this line to:
/usr/local/cwpsrv/htdocs/resources/admin/include/3rdparty.php
Quote
<li><a href="index.php?module=speedtest"><span class="icon16 icomoon-icon-arrow-right-3"></span>Speed Test</a></li>
Then create a new file called "speedtest.php" on:
/usr/local/cwpsrv/htdocs/resources/admin/modules
with this content:
Quote
<center><h3>Speed test your server's internet connection</h3><h2>Version 1.1a</h2><br>
Python file provided by Speedtest.net<br>
<button type="button" class="btn btn-warning" onclick='window.location.reload(true);'>Restart Test</button>
<a href="http://forum.centos-webpanel.com/new-modules/(module)-speedtest-your-server-in-30-seconds/" target="_blank"><button type="button" class="btn btn-primary">Check for Update</button></a><br><br></center>
<pre>
<?php
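$command = "python /usr/local/cwpsrv/htdocs/resources/admin/modules/speedtest/speedtest.py 2>&1";
// stream the script's output to the browser as it is produced
$pid = popen($command, "r");
while (!feof($pid)) {
    echo fread($pid, 256);
    // flush PHP's output buffer (if one is active) first, then the web server's
    if (ob_get_level() > 0) {
        ob_flush();
    }
    flush();
    usleep(100000);
}
pclose($pid);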
?>
</pre>
Then run this command from your Terminal/SSH Window (You can copy and paste this; Do the last empty line too )
Quote
mkdir /usr/local/cwpsrv/htdocs/resources/admin/modules/speedtest
cd /usr/local/cwpsrv/htdocs/resources/admin/modules/speedtest
wget -O speedtest.py https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
chmod 755 speedtest.py
echo Complete!
Now just load the page Developer Menu -> Speedtest from the sidebar and you will begin the speed test.
Which will be /index.php?module=speedtest
12
How to / How to Force a Backup (Run Daily backup command)
« on: February 04, 2015, 09:18:40 PM »
Simply run this command via SSH with Root.
If you get an error 7, you need to turn on DAILY BACKUP in your CWP (/index.php?module=backups) then try again.
/usr/local/cwp/php54/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron_backup.php
13
E-Mail / Email "alias" root don't work
« on: February 04, 2015, 01:58:15 AM »
When you do the *** Put a * to forward all email
it doesn't catch any email.
I've tried and it just doesn't forward the emails at all.
I had to create a mailbox and login in order to see the emails being sent because it wouldn't forward all the emails for that domain to my gmail account.
I'm running a fresh install of 0.9.7.
One of my clients said that if you use a specific alias (like webmaster@example.com) it will work. But if you do *@example.com it doesn't work.