Jump to content

Security vulnerability

Netino
 Share

Recommended Posts

Netino Community Regular

Netino

Posted
Posted

How can I alert the development team to a very, very serious security flaw, where it is possible to execute arbitrary commands with root user permission?!

I tried to contact support, and they simply disregarded my message saying that I don't have a support "contract".
My server was compromised, and I have the URL to replay the attack.

Regards,

Netino

Link to comment
Share on other sites
Netino Community Regular

Netino

Posted
  • Author
Posted (edited)

Correction:

I had all of my 5 servers, geographycally in different locations(wow!), compromised, with a proof of concept.

Nothing anymore.

A php file was saved with root permissions. But if one file was saved, any file would be saved with root permissions.

And executed...!!!

(This is a large scale attack?!)

But my servers wasn't really attacked, because I discovered the problem on the day after.

I'm a experienced admin(first server in 1996), and could stop the attack, before the attacker come back.

But I afraid many people don't know this until now.

I have one solution: turn you cwpsrv server protected, or by IP restriction, or with nginx(cwpsrv) password ().

The reason cannot be revealed, up to CWP Team acknowledge the problem.

Create a file /usr/local/cwpsrv/conf/include/security.conf with the following content: 

    #...
    satisfy any;

    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny  all;

    auth_basic           "Administrator’s Area";
    auth_basic_user_file conf/ht_passwd;

Choose yours IP adresses, and/or define additional authentication on cwpsrv. (Will be authenticated 2 times)

Create a file /usr/local/cwpsrv/conf/htpasswd with your passwords: 

# /usr/local/apache/bin/htpasswd /usr/local/cwpsrv/conf/ht_passwd

...and restart cwp on the panel, or with the command: 

# /scripts/restart_cwpsrv

 

Edited by Netino
Link to comment
Share on other sites
Netino Community Regular

Netino

Posted
  • Author
Posted

Yes, completely updated.

The file was saved within the cwpsrv area, with root user/group ownership.

I spent ten days trying configurations with OWASP/Comodo modsecurity, and then I decided to directly test a URL used in the attack, and unbelievably, it works to execute a "ls -alF" command on the server.
The only solution I found was to restrict access to the CWP admin panel by IP or authentication.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...