Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - Starburst

Pages: 1 2 [3] 4 5 ... 119
31
CVE ID: CVE-2026-40519
Published: June 8, 2026
Description: Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
Severity: 7.7 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-40519

32
I think the only way to find the version of mod_http2 is to check the log of the webserver:
/usr/local/apache/logs/error_log

Code: [Select]
grep 'mod_http2' /usr/local/apache/logs/error_log

You da man @cyberspace...

Shows the version for both mod_http2 and nghttp2  :)

33
Would be useful either way to find out what mod_http2 the system is running.

34
Apache / 7 new CVE's for Apache. 2.4.68 Just Released
« on: June 08, 2026, 05:16:06 PM »
CISA Just release 7 new CVE's for Apache, that affect up to version 2.4.67

The Apache Foundation just release 2.4.68 that take care of the vulnerabilities.

Update guides, if needed can be found at:

HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-http-2-to-2-4-68-in-cwp-on-almalinux-8-9/

Non HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-68-in-cwp-on-almalinux-8-9/

35
Yea, it shows the Apache version.

But I was looking for a way to see the mod_http2 version.
Currently at 2.0.42

https://github.com/icing/mod_h2

36
So:
Code: [Select]
grep ' h2 ' /usr/local/apache/conf* -RShows if you are running HTTP/2 or not.

And
Code: [Select]
/usr/local/apache/bin/apachectl -vShows you the Apache version.

@overseer @cyberspace
Is there a command I'm missing to show the mod_http2 version?

37
CSF Firewall / FYI - OWASP CRS Ruleset v4.27.0
« on: June 03, 2026, 06:38:13 PM »
Just a quick FYI, if you are using the OWASP CRS ruleset with CSF, they released 4.27.0 on Monday (2026-06-01)

Also I try and keep any OWASP CRS security notifications at:
https://sysadmin.help/viewforum.php?f=43&sid=0fe95c9ec0fc6690ab773d6d681daed5

38
https://cybersecuritynews.com/http-2-bomb-remote-dos-exploit/

If you are running Apache <2.4.67 or Nginx <1.29.7, Please update ASAP.

39
Other / Re: Using a domain name instead of an IP address...
« on: May 28, 2026, 12:49:58 PM »
If the domain name is pointed to the base IP, then all you have to do is create an account, and select the shared IP under User Accounts.

You can force the SSL creation by going under Webserver Settings -> SSL Certificates.

Then you should be able to access https://sitename.com:2083

Note 2030 & 2031 are admin only ports.
But will respond to your IP or your hostname.

You can generate a SSL for your hostname, if it is pointing to the base IP by:
Server Settings -> Server Settings -> Change Hostname

(Not sure why they have it named that, but it's where the hostname SSL is created.)

40
There is a CVE for WHMCS that have supposedly fixed that.

CVE-2026-29204:
https://nvd.nist.gov/vuln/detail/cve-2026-29204

WHMCS Fix/Upgrade:
https://help.whmcs.com/m/125386/l/20739 ... 05-12-2026

41
Nginx / CVE-2026-9256 - NGINX ngx_http_rewrite_module vulnerability
« on: May 22, 2026, 07:07:23 PM »
CVE ID: CVE-2026-9256
Published: May 22, 2026
Description: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more...

https://cvefeed.io/vuln/detail/CVE-2026-9256

42
PHP / Re: Server is down simply after php switcher
« on: May 21, 2026, 02:04:43 AM »
Please advise the following:

What distro are you running CWP on?

What PHP version are you trying to compile with PHP Switcher?

CWP Free or CWPpro?

What 'errors' and/or 'messages' are being displayed in the logs?


43
Nginx / CVE-2026-8711 - NGINX JavaScript vulnerability
« on: May 19, 2026, 06:13:48 PM »
CVE ID: CVE-2026-8711
Published: May 19, 2026, 3:16 p.m.
Description: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more...

https://cvefeed.io/vuln/detail/CVE-2026-8711

I also try to keep updated CVE's pertaining to CWP at: https://sysadmin.help/viewforum.php?f=51

44
Migration from other control panels / Re: Migration to...
« on: May 17, 2026, 09:56:54 AM »
Looks like another HestiaCP (which is free, no matter the amount of domains) with a different theme.

Have to agree that CWP doesn't officially have PHP 8.4 & 8.5, but there are guides on alphagnu.com that show you how to add that support.

But the main problem of PHP is they dropped some modules in 8.4, and they now have to be loaded via PECL.

Quote
it's like pulling teeth to update mariabd

If you have the MariaDB.repo file setup, MariaDB updates simply with just dnf update.
Speaking of which, 10.11.17-1 just hit.

But if you like that panel, and like Debian, check out HestiaCP. https://hestiacp.com

There is also CyberPanel that supports AlmaLinux 10 and PHP 8.5.
The current CSF 15.10 also fully works with it.

45
This CVE does NOT include/involve CWP, only the direct Nginx package.

⚠️ A heap-based buffer overflow in nginx’s ngx_http_rewrite_module, disclosed as CVE-2026-42945 and nicknamed NGINX Rift, allows an unauthenticated attacker to crash a worker process, or potentially achieve remote code execution on hosts with ASLR disabled, by sending a single crafted HTTP request.

If you operate an internet-facing nginx instance, especially one with non-trivial rewrite rules in front of a PHP or application backend, this matters.

AlmaLinux's core team has built patched nginx packages, which are available in their testing repository.
After the community has helped verify them, AlmaLinux will release them to the production repositories.

Pages: 1 2 [3] 4 5 ... 119