Security vulnerability

Posted June 23Jun 23

How can I alert the development team to a very, very serious security flaw, where it is possible to execute arbitrary commands with root user permission?!

I tried to contact support, and they simply disregarded my message saying that I don't have a support "contract".
My server was compromised, and I have the URL to replay the attack.

Regards,

Netino

June 25Jun 25

Author

comment_1009

Correction:

I had all of my 5 servers, geographycally in different locations(wow!), compromised, with a proof of concept.

Nothing anymore.

A php file was saved with root permissions. But if one file was saved, any file would be saved with root permissions.

And executed...!!!

(This is a large scale attack?!)

But my servers wasn't really attacked, because I discovered the problem on the day after.

I'm a experienced admin(first server in 1996), and could stop the attack, before the attacker come back.

But I afraid many people don't know this until now.

I have one solution: turn you cwpsrv server protected, or by IP restriction, or with nginx(cwpsrv) password ().

The reason cannot be revealed, up to CWP Team acknowledge the problem.

Create a file /usr/local/cwpsrv/conf/include/security.conf with the following content:

    #...
    satisfy any;

    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny  all;

    auth_basic           "Administrator’s Area";
    auth_basic_user_file conf/ht_passwd;

Choose yours IP adresses, and/or define additional authentication on cwpsrv. (Will be authenticated 2 times)

Create a file /usr/local/cwpsrv/conf/htpasswd with your passwords:

# /usr/local/apache/bin/htpasswd /usr/local/cwpsrv/conf/ht_passwd

...and restart cwp on the panel, or with the command:

# /scripts/restart_cwpsrv

Edited June 29Jun 29 by Netino

June 27Jun 27

comment_1013

the file is saved where

do your websites are updated?

June 28Jun 28

Author

comment_1014

Yes, completely updated.

The file was saved within the cwpsrv area, with root user/group ownership.

I spent ten days trying configurations with OWASP/Comodo modsecurity, and then I decided to directly test a URL used in the attack, and unbelievably, it works to execute a "ls -alF" command on the server.
The only solution I found was to restrict access to the CWP admin panel by IP or authentication.

June 30Jun 30

comment_1017

you need to report it to https://control-webpanel.com/contact

July 1Jul 1

Author

comment_1018

Ok, thanks.

I posted the problem there, but could not show the results of my screen to them, because the system seems to block the message.

But I could posted the URL attack.

Thanks!

Edited July 2Jul 2 by Netino

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign in

Already have an account? Sign in here.

https://www.alphagnu.com/topic/529-security-vulnerability/

Followers

Go to topic listing

Sign In

Security vulnerability

Featured Replies

Create an account or sign in to comment

Create an account

Sign in

Topics

Viable migration script for CWP server migration available?

FIx and install netdata In CWP Almalinux 8/9

CWP to CWP account transfer not working anymore

CWP Install Netdata from Control panel not working anymore

Diskusage, is it a bug?

Account

Navigation

Messages

Notifications

Search