Security vulnerability

Netino · June 23

How can I alert the development team to a very, very serious security flaw, where it is possible to execute arbitrary commands with root user permission?!

I tried to contact support, and they simply disregarded my message saying that I don't have a support "contract".
My server was compromised, and I have the URL to replay the attack.

Regards,

Netino

Netino · June 25

Correction:

I had all of my 5 servers, geographycally in different locations(wow!), compromised, with a proof of concept.

Nothing anymore.

A php file was saved with root permissions. But if one file was saved, any file would be saved with root permissions.

And executed...!!!

(This is a large scale attack?!)

But my servers wasn't really attacked, because I discovered the problem on the day after.

I'm a experienced admin(first server in 1996), and could stop the attack, before the attacker come back.

But I afraid many people don't know this until now.

I have one solution: turn you cwpsrv server protected, or by IP restriction, or with nginx(cwpsrv) password ().

The reason cannot be revealed, up to CWP Team acknowledge the problem.

Create a file /usr/local/cwpsrv/conf/include/security.conf with the following content:

    #...
    satisfy any;

    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny  all;

    auth_basic           "Administrator’s Area";
    auth_basic_user_file conf/ht_passwd;

Choose yours IP adresses, and/or define additional authentication on cwpsrv. (Will be authenticated 2 times)

Create a file /usr/local/cwpsrv/conf/htpasswd with your passwords:

# /usr/local/apache/bin/htpasswd /usr/local/cwpsrv/conf/ht_passwd

...and restart cwp on the panel, or with the command:

# /scripts/restart_cwpsrv

Edited June 29 by Netino

Sandeep B. · June 27

hi

the file is saved where

do your websites are updated?

Netino · June 28

Yes, completely updated.

The file was saved within the cwpsrv area, with root user/group ownership.

I spent ten days trying configurations with OWASP/Comodo modsecurity, and then I decided to directly test a URL used in the attack, and unbelievably, it works to execute a "ls -alF" command on the server.
The only solution I found was to restrict access to the CWP admin panel by IP or authentication.

Sandeep B. · June 30

you need to report it to https://control-webpanel.com/contact

Netino · July 1

Ok, thanks.

I posted the problem there, but could not show the results of my screen to them, because the system seems to block the message.

But I could posted the URL attack.

Thanks!

Edited July 2 by Netino

Sign In

Security vulnerability

Recommended Posts

Netino

Link to comment

Share on other sites

Netino

Link to comment

Share on other sites

Sandeep B.

Link to comment

Share on other sites

Netino

Link to comment

Share on other sites

Sandeep B.

Link to comment

Share on other sites

Netino

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Forum Activity

Two domains pointing to the same server

roundcube time problem

CWP Apache MPM Event Problem

postfix Can't rebuild Mail server the normal way with the buttons.

Install cwp in almalinux 9

Browse

Activity