Recent Posts
1
CentOS 7 Problems / Re: Clamav database update blocked by CDN
« Last post by Painkiller88 on Today at 02:54:54 PM »ELevate is not a recommended upgrade path; you will likely introduce issues into the new system (Sandeep [a CWP dev] advises against it). Better to bring up a new AlmaLinux 8 system and use the CWP Migration module to transfer accounts. That's the route I chose and so I have a fresh system with very little cruft moved over from the old system. Fresh 'n shiny!
https://www.alphagnu.com/topic/578-does-it-possible-to-migrating-from-centos7-to-almalinux9-same-server-without-installing-to-new-server/
Ok thanks, i will have a look into it.
2
PostgreSQL / Re: Error starting postgres
« Last post by overseer on Today at 01:43:28 PM »Code: [Select]
systemctl is-masked postgresql.service
systemctl unmask postgresql.service
systemctl start postgresql.service
systemctl enable postgresql.service3
PostgreSQL / Error starting postgres
« Last post by gilliard on Today at 01:38:25 PM »I have an error starting postgres 16, alma linux 8
Failed to start postgresql.service: Unit postgresql.service is masked.
Failed to start postgresql.service: Unit postgresql.service is masked.
4
Information / Re: Is CWP still maintained?
« Last post by djprmf on Today at 01:32:24 PM »The RCE with CWP wasn't fixed? And by who?
Or now CWP doesn't uses PHP anymore? By your logic then.... this isn't fixable, since is a "PHP Thing"... so....
Or now CWP doesn't uses PHP anymore? By your logic then.... this isn't fixable, since is a "PHP Thing"... so....
5
Information / Re: Is CWP still maintained?
« Last post by Starburst on Today at 01:28:05 PM »Then, by your logic, we should blame the creators of the binary... because they created this digital thing.
Or we should blame the creators of guns... not who use them and for what...
You don't really see how your logic makes no sense?
I'm placing blame where is belongs - with PHP...
Quote
The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation.
Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().
So are all the CVE's of this PHP vulnerability.
Servers that where correctly secured where not affected.
6
Information / Re: Is CWP still maintained?
« Last post by djprmf on Today at 01:26:13 PM »Then, by your logic, we should blame the creators of the binary... because they created this digital thing.
Or we should blame the creators of guns... not who use them and for what...
You don't really see how your logic makes no sense?
Or we should blame the creators of guns... not who use them and for what...
You don't really see how your logic makes no sense?
7
Information / Re: Is CWP still maintained?
« Last post by Starburst on Today at 01:26:03 PM »Here is the fix to apply to your php.ini
The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation.
Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().
This is also blocked by ModSecurity and the OWASP CRS ruleset when correctly configured.
The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation.
Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().
This is also blocked by ModSecurity and the OWASP CRS ruleset when correctly configured.
8
Information / Re: Is CWP still maintained?
« Last post by Starburst on Today at 01:17:44 PM »Yes, they are responsible for the software they create, but they DID NOT CREATE PHP...
And that's where this vulnerability is located.
You are blaming CWP in your posts
You need to goto the PHP forums and blame them, as they are the ones who a responsible for the software they created.
Tell me where in the below it mentions CWP, or even cPanel, aaPanel, etc...
--
SUBJECT:
Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
And that's where this vulnerability is located.
You are blaming CWP in your posts
Quote
THEY ARE RESPONSIBLE FOR THE SOFTWARE THAT THEY CREATED!for something they had NO control over. And hence it wasn't a CWP bug to even 'disclose' or responsible for.
You need to goto the PHP forums and blame them, as they are the ones who a responsible for the software they created.
Tell me where in the below it mentions CWP, or even cPanel, aaPanel, etc...
--
SUBJECT:
Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
9
Information / Re: Is CWP still maintained?
« Last post by djprmf on Today at 01:06:12 PM »dude, no one is blaming CWP for the RCE... that is a PHP thing, exist since PHP exist...
What you don't understand that is NOT *the* vulnerability, but the LACK OF INFORMATION to acknowledge the vulnerability from the CWP side?
CWP had a vulnerability. THAT IS FINE.... if they fix it and disclosure it.
They fix it. Great!
But the disclosure? NO!
Every single one of the panels that you state HAVE disclosure the vulnerability in they software. Because - and again, becase you apparently cannot understand this - THEY ARE RESPONSIBLE FOR THE SOFTWARE THAT THEY CREATED!
CWP did not disclosure that. They prefer hide it under a "update", that you don't even know what is. Or do you have a changelog for the versions lauch?
What you don't understand that is NOT *the* vulnerability, but the LACK OF INFORMATION to acknowledge the vulnerability from the CWP side?
CWP had a vulnerability. THAT IS FINE.... if they fix it and disclosure it.
They fix it. Great!
But the disclosure? NO!
Every single one of the panels that you state HAVE disclosure the vulnerability in they software. Because - and again, becase you apparently cannot understand this - THEY ARE RESPONSIBLE FOR THE SOFTWARE THAT THEY CREATED!
CWP did not disclosure that. They prefer hide it under a "update", that you don't even know what is. Or do you have a changelog for the versions lauch?
10
Information / Re: Is CWP still maintained?
« Last post by Starburst on Today at 01:00:50 PM »Here is the CVE, and even advised has to secure against it, dated 2024-09-27...
https://www.wiz.io/blog/critical-rce-php-cgi-vulnerability
But @cyberpscae is correct.
https://www.wiz.io/blog/critical-rce-php-cgi-vulnerability
But @cyberpscae is correct.
