Recent Posts

31
It is indeed a filemanager issue. I found the vulnerability by testing against my own CWP server (which is fully up to date and runs AlmaLinux 8).

You can effectively convince the filemanager to perform any operation without being correctly authenticated as any user (so long as you know or can guess their username).

Luckily, this does not work against the "root" user, only valid CWP users, so it does not allow for total system compromise.

As for why it makes non-.php files run as code? Possibly a malicious ".htaccess" file or similar could be uploaded to change the handler directives, or another vulnerability (which I did not discover) allows reconfiguring the webserver.


I tried reporting the issue (privately) using the contact form and have been informed I need a support subscription, and have responded that I will not pay for reporting security issues. If I get another negative response, I might have to put the information into the bug tracker so the engineers actually can see it, but I would really rather avoid sharing any information in public to not cause this to be exploited even more widely than it already seems to be.


The easiest sign of a compromise (or attempt) through this bug are POST calls to "/USERNAME/index.php?module=filemanager&..." with a 302 response code in your logs, especially with non-browser user-agents.

I am also not sure what the discussion of "execution" here is, PHP does not care if a file is chmod 644 or 755 or anything else, so long as it can read the file, it can (and will) run the file when accessed via a browser through the webserver.

There might well be more security issues present in CWP, given the one I found was not too difficult to discover, that allow actually running arbitrary commands or things of that nature, but checking is hard as all of CWP is encoded with ionCube, and therefore I have to try random things to see what happens; I can't just read the code.

I will look for more issues in the filemanager code myself as well, just for completeness' sake.

And again, if anyone knows of a way to (privately) report this to CWP without telling potential "bad guys" the exact exploit path, please tell me.

If anyone needs verification of this bug, feel free to create me a test user on a CWP installation of your choice and I can upload a (harmless!) file using the exploit.

It’s completely unacceptable that no one from the CWP team has replied to us. This issue was identified as early as June 22nd and was supposedly fixed, yet it continues to occur.
33
So according to the 2 vulnerability reports you mentioned, it's limited to EOL CentOS 7 systems -- for which support ended over a year ago. Not too surprising, really. The longer those systems are on the internet, the more of sitting ducks they become. Time to migrate to AlmaLinux!

Can you confirm that you both are running CentOS 7 systems?

Caught one probe for this vuln on one of my Alma systems, coming from Hong Kong:
Code: [Select]
[root@alma]# grep "module=filemanager" /usr/local/cwpsrv/logs/access_log
91.124.30.69 - - [08/Jul/2025:04:50:00 -0500] "POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1" 404 147 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:134.0) Gecko/20100101 Firefox/134.0"

No, it is not; this is a panel issue (I'm on version 0.9.8.1206). I use AlmaLinux 8, not CentOS 7. This is a filemanager issue; it is better to remove the filemanager for now.
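The detection signal described earlier in this thread (POSTs to /USERNAME/index.php?module=filemanager&... answered with a 302, especially from non-browser user-agents) and the grep quoted above can be turned into a small log triage script. The following is an added example, not code from the thread or from CWP; it assumes cwpsrv's access_log is in the Apache "combined" layout that the quoted line has, and the severity labels, the browser heuristic and all sample lines other than the one quoted above are my own constructions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: cwpsrv writes its access_log in the Apache "combined" layout,
# which is what the line quoted earlier in this thread looks like.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The user-panel filemanager is reached at /<cwp user>/index.php?module=filemanager&...
FILEMANAGER_PATH = re.compile(r'^/(?P<user>[^/]+)/index\.php$')

# Crude browser test (my heuristic): browsers send a Mozilla/ or Opera/ prefix,
# scanners usually send curl/, python-requests/, Go-http-client/ or nothing.
BROWSER_PREFIXES = ("Mozilla/", "Opera/")


def parse_line(line):
    """Split one combined-format line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_browser_ua(ua):
    return ua != "-" and ua.startswith(BROWSER_PREFIXES)


def classify(rec):
    """Return a finding for a POST to the filemanager module, else None."""
    if rec is None or rec["method"] != "POST":
        return None
    pm = FILEMANAGER_PATH.match(rec["path"])
    if not pm or rec["query"].get("module") != ["filemanager"]:
        return None
    finding = {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "user": pm.group("user"),
        "action": rec["query"].get("acc", ["?"])[0],
        "status": rec["status"],
        "browser": is_browser_ua(rec["ua"]),
    }
    # The signal described in this thread is a 302 on the POST. A 302 from a
    # non-browser client is the strongest case; any other status (such as the
    # 404 in the quoted log line) is still recorded as a probe so it is not lost.
    if rec["status"] == 302:
        finding["severity"] = "medium" if finding["browser"] else "high"
    else:
        finding["severity"] = "probe"
    return finding


def scan(lines):
    """Run classify() over an iterable of raw log lines and keep the findings."""
    return [f for f in (classify(parse_line(l)) for l in lines) if f is not None]


# Constructed sample log: the first line is the one quoted in this thread, the
# rest are made up (TEST-NET addresses, invented users) to exercise each branch.
SAMPLE_LOG = [
    '91.124.30.69 - - [08/Jul/2025:04:50:00 -0500] "POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1" 404 147 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:134.0) Gecko/20100101 Firefox/134.0"',
    '203.0.113.7 - - [08/Jul/2025:05:12:41 -0500] "POST /alice/index.php?module=filemanager&acc=upload HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [08/Jul/2025:05:12:45 -0500] "POST /alice/index.php?module=filemanager&acc=changePerm HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.5 - - [08/Jul/2025:09:00:03 -0500] "GET /alice/index.php?module=filemanager&acc=list HTTP/1.1" 200 5120 "https://panel.example.com/alice/" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"',
    '203.0.113.9 - - [08/Jul/2025:06:30:00 -0500] "POST /bob/index.php?module=email&acc=add HTTP/1.1" 302 0 "-" "python-requests/2.32.3"',
    '203.0.113.7 - - [08/Jul/2025:07:01:10 -0500] "POST /alice/index.php?module=filemanager&acc=changePerm HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} user={f['user']} acc={f['action']} "
              f"status={f['status']} browser={f['browser']}")
```

To run it against a real server, replace SAMPLE_LOG with the lines of /usr/local/cwpsrv/logs/access_log (the path used in the grep above). The "probe" entries are the same hits the grep already shows; the "high" entries are the ones the earlier post singles out, a POST that came back 302 from something that is not a browser, and those are the user accounts whose home directories you should inspect first.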
34
Installation / Re: I don't receive a single message from root..??
« Last post by overseer on July 08, 2025, 02:50:57 PM »
Code: [Select]
mydestination = $myhostname
is most canonical, then you only have to change it once at the top of the file if the hostname needs to change. But for any of the main directives (mydestination, smtp_helo_hostname, smtpd_sasl_local_domain), you can hardcode the hostname if you want. Just get rid of CWP's buggy double equals on a line (interpreted as setting a string, then a variable).
35
Backup / Re: Can't locate diagnostics.pm in @INC (you may need to install th....
« Last post by overseer on July 08, 2025, 02:45:42 PM »
See Starburst's post here to see his prerequisites on AL9 before installing CWP:
https://forum.centos-webpanel.com/csf-firewall/possible-fix-to-why-csflfd-isn-t-installing/msg51087/#msg51087
37
Backup / Re: Can't locate diagnostics.pm in @INC (you may need to install th....
« Last post by venty on July 08, 2025, 02:21:52 PM »
How did you install perl? Base install of AlmaLinux 9, then CWP installer? Anything custom installed as pre-requisites (as Starburst recommends on an AL9 system)?

Hi,

I just installed base AL 9, then CWP, and from Starburst I used this, if it's relevant:

UPDATE DEPENDENCIES
Code: [Select]
dnf install php-cli libsodium libsodium-devel php-sodium php-pecl-zip  php-pecl-mailparse php-mbstring php-pear php-devel php-pecl-imagick

Code: [Select]
pecl channel-update pecl.php.net



I also upgraded to MariaDB 10.11.13, and I use the rules OWASP CRS v4.16.0...

BR
Venty
38
Installation / Re: I don't receive a single message from root..??
« Last post by venty on July 08, 2025, 02:12:36 PM »
Hi,

Ok, lastly, for this topic, the following remains as a summary:
1.In main.cf under #network settings, replace:

"mydestination = $myhostname = name.hostname.com"

with "mydestination = srv1.domain.net"
????

2. To the main.cf file, add:

UNDER (# rules restrictions):
smtp_helo_name = $myhostname
????

BR
Venty
39
Backup / Re: Can't locate diagnostics.pm in @INC (you may need to install th....
« Last post by overseer on July 08, 2025, 02:01:02 PM »
How did you install perl? Base install of AlmaLinux 9, then CWP installer? Anything custom installed as pre-requisites (as Starburst recommends on an AL9 system)?
40
Backup / Re: Can't locate diagnostics.pm in @INC (you may need to install th....
« Last post by venty on July 08, 2025, 01:55:31 PM »
Is your server defaulted to perl 5.26 or 5.32?
Code: [Select]
dnf module list perl
...............

Hi,

When I run the command, it gives me the following error:
https://prnt.sc/RxSm1X3zWcQC

but at the same time:
https://prnt.sc/yO7_MIfjtjiw

What should I do?

BR
Venty