Jump to content

Featured Replies

Posted
comment_1008

How can I alert the development team to a very, very serious security flaw, where it is possible to execute arbitrary commands with root user permission?!

I tried to contact support, and they simply disregarded my message saying that I don't have a support "contract".
My server was compromised, and I have the URL to replay the attack.

Regards,

Netino

  • Author
comment_1009

Correction:

I had all of my 5 servers, geographycally in different locations(wow!), compromised, with a proof of concept.

Nothing anymore.

A php file was saved with root permissions. But if one file was saved, any file would be saved with root permissions.

And executed...!!!

(This is a large scale attack?!)

But my servers wasn't really attacked, because I discovered the problem on the day after.

I'm a experienced admin(first server in 1996), and could stop the attack, before the attacker come back.

But I afraid many people don't know this until now.

I have one solution: turn you cwpsrv server protected, or by IP restriction, or with nginx(cwpsrv) password ().

The reason cannot be revealed, up to CWP Team acknowledge the problem.

Create a file /usr/local/cwpsrv/conf/include/security.conf with the following content:

    #...
    satisfy any;

    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny  all;

    auth_basic           "Administrator’s Area";
    auth_basic_user_file conf/ht_passwd;

Choose yours IP adresses, and/or define additional authentication on cwpsrv. (Will be authenticated 2 times)

Create a file /usr/local/cwpsrv/conf/htpasswd with your passwords:

# /usr/local/apache/bin/htpasswd /usr/local/cwpsrv/conf/ht_passwd

...and restart cwp on the panel, or with the command:

# /scripts/restart_cwpsrv

 

Edited by Netino

  • Author
comment_1014

Yes, completely updated.

The file was saved within the cwpsrv area, with root user/group ownership.

I spent ten days trying configurations with OWASP/Comodo modsecurity, and then I decided to directly test a URL used in the attack, and unbelievably, it works to execute a "ls -alF" command on the server.
The only solution I found was to restrict access to the CWP admin panel by IP or authentication.

  • Author
comment_1018

Ok, thanks.

I posted the problem there, but could not show the results of my screen to them, because the system seems to block the message.

But I could posted the URL attack.

Thanks!

Edited by Netino

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now