

Cpanel security issues.




Posted by 31special, 03-26-2008, 10:23 AM
How secure is Cpanel? What's its recent history in regards to security? Thanks in advance.

Posted by larwilliams, 03-26-2008, 12:38 PM
I don't recall any reports of security issues recently. Anyone?

Posted by Tim Greer, 03-26-2008, 01:49 PM
It's not the best coded software out there (I wouldn't be shocked to see some reported at any time), but it doesn't have a lot of security issues lately. One recent one I can think of was a Horde security issue, but it was Horde. The problem wasn't as dire as reported, but it was serious (I won't get into details). The reason why I mention that as a recent issue is because Cpanel runs the web mail scripts as a privileged user in its API. That is what created the "serious" aspect of the problem. I personally feel that scripts such as that shouldn't ever be run as a privileged user, so even if it's not technically their product being insecure, it is in my view. People are free to disagree, but that's what happens when you run programs as a privileged user that weren't designed to be (even if it's believed it was designed to be run in that fashion). So, I blame both, just as I would if someone put a MSA Formmail script in a control panel and ran it as a privileged user.
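The point in the post above (a third-party script such as a webmail package should never run with privileged rights) is the plain privilege-separation rule. The launcher below is an added example and is not cPanel's or Horde's code; it is a minimal wrapper that permanently drops to an unprivileged account before exec'ing a script and verifies the drop cannot be undone. The uid/gid arguments, the program path and the `droprun` name are assumptions for illustration; nothing here reflects how cPanel actually invokes its webmail scripts.

```c
/* Added example (not cPanel or Horde code): run an untrusted script as an
 * unprivileged account instead of root, and verify the privilege drop stuck.
 * Assumed usage, as root: ./droprun 1001 1001 /usr/bin/php /path/to/script.php
 */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to target_uid/target_gid and return 0, or -1 on failure.
 * Order matters: supplementary groups, then gid, then uid, because once the
 * process is no longer root it may not change its groups any more. */
int drop_privileges(uid_t target_uid, gid_t target_gid) {
    if (target_uid == 0 || target_gid == 0) {
        /* "Dropping" to root is exactly the misconfiguration to avoid. */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0) {
        /* Only root may edit the supplementary group list; clear it so the
         * script does not inherit the launcher's groups (wheel, www, ...). */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    /* As root, setgid()/setuid() set the real, effective AND saved ids, so no
     * saved root id is left behind to switch back to. */
    if (setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;

    /* Never trust the calls alone: check the ids and try to climb back up. */
    if (getuid() != target_uid || geteuid() != target_uid)
        return -1;
    if (getgid() != target_gid || getegid() != target_gid)
        return -1;
    if (setuid(0) == 0 || setgid(0) == 0) {
        /* Regaining root worked: the drop was incomplete, refuse to go on. */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the process still holds a root uid, 0 otherwise; a cheap guard to put
 * at the top of any script launcher. */
int still_privileged(void) {
    return (getuid() == 0 || geteuid() == 0) ? 1 : 0;
}

int main(int argc, char **argv) {
    if (argc < 4) {
        fprintf(stderr, "usage: %s <uid> <gid> <program> [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* Only now hand control to the untrusted program. */
    execvp(argv[3], &argv[3]);
    perror("execvp");
    return 1;
}
```

The wrapper refuses a target of uid or gid 0, clears supplementary groups while it still can, and then tries to regain root as a self-check; if that succeeds the launch is aborted rather than continuing with an incomplete drop. It does not scrub the environment, so a real deployment would also reset `PATH` and similar variables before the `execvp`.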

Posted by utropicmedia-karl, 03-26-2008, 02:15 PM
cPanel has the largest install base of any control panel out there. It's going on 10 years old and has been beat to hell over the past decade. That being said, I've spent many hours digging through their code getting clusters set up and their architecture sucks. It does, however, do what it does better than the rest. Kind Regards,

Posted by Tim Greer, 03-26-2008, 02:32 PM
I've seen the code, I've worked on modules, existing Cpanel code, created my own modules, extensions, etc., both inside and outside of their API, worked off the base with my own APIs and have worked in their base wrapper's code (which was scary how it was coded (I complained, no one listened and it ended up being the source of a root zero-day exploit a few years down the road -- big surprise!)), and am familiar with the design of it and how it's been a lot of guess work and cobbled together code, so I'm understandably completely paranoid and untrusting of it. However, I know what and how to work around a lot of problems with it, so we do use it at this time. It's in demand enough, and we can manage to get it to be reasonably safer than stock. However, honestly, it's all about the aspect of time. As we have time, we will be developing our own product (in house) to replace it. At first with our own top end, providing us with complete control on the first two levels, so we can safely do checks and ensure proper function and passing of values for better security on the existing feature(s), but that will eventually be replaced completely -- as we have the time. We'd prefer a better product to use "in the meantime", but even we feel it's standard and good enough to use for now (provided we add extra measures to ensure the best security and stability (and remove some bugs)).

Posted by LoganNZ, 03-26-2008, 06:41 PM
Very secure, well coded. However, it's a big control panel; it cannot be totally secure, and of course it's going to get targeted.... The most widely used control panel for hosting, 10/10 for me, I use it all the time.

Posted by Tim Greer, 03-26-2008, 06:56 PM
Just because something is more popular, doesn't mean it isn't a result of poor coding and security that makes it vulnerable. Cpanel is, in fact, poorly coded and is far from being very secure. I understand people have different opinions about what is secure or not, but it shouldn't be whatsoever based upon opinion. The design and structure, logic and code are not secure and its long history of security issues has proven this to be a fact. Many of them were unacceptable and were a result of the creator's lack of understanding. I'm not trying to argue or debate about it, but security can't possibly be based upon an opinion or one's personal view. Finally, just because it offers a lot of features doesn't mean it's automatically going to be not totally secure. Being targeted due to popularity and the types of holes it has had, are utterly unrelated.

Posted by domainworldaccess, 03-26-2008, 11:31 PM
The problem with cPanel in general lies between the back of the chair and the keyboard, IMHO. The allure of cPanel has been much like the allure of Windows - the illusion of knowledge based on successfully navigating a GUI. It's like driving a car at 140 on a US freeway. Getting away with it the first time instills a sense of invincibility. Reality eventually meets us all, and then we have to truly learn that with which we work, or pay those who have that understanding. The WHM GUI will let you completely set up a server destined to get rooted, or it will allow you to harden your system well, provided you know what to do outside of WHM also. It is _a_ tool in a system, not _the_ tool. Of course it has at times been cobbled together. So has Linux and the internet. What is the point in pointing out the inevitable? To answer the OP question, my experience is that cPanel is the most updated piece of commercial software that I know of. There are _always_ bad people looking to steal things from good people, including servers and related services. There is no edge device that I know of that is invincible. What you want, since the threat is ever present, is a very tried application, and an extremely responsive and knowledgeable team behind the solution to mitigate quickly whatever next comes down the pipes. Both of those things exist in cPanel. Just my $.02 Good luck, Joe

Posted by Tim Greer, 03-26-2008, 11:44 PM
You can often blame the problem on the administrator(s) for their opinions and experiences, and it's sometimes accurate. However, sometimes, that blame is wholly misplaced. The OP asked about the security of Cpanel; they did not ask if it would replace a need for an admin or actual skills and knowledge. Cpanel is the topic and that was what the replies were in regard to. Perhaps you don't agree or believe what people say, or don't like what you see, but that does not make your generalized assumption correct about the problem being the person rather than the tool. Again, to be fair, it often is, but I feel as if that was somewhat in response to me (if not, you can disregard this reply). Some tools have flaws and aren't designed well, even if it has 500 ways to use it. You seem to give the impression that the problem with Cpanel is the user and I've specifically said Cpanel has problems, and thus to prevent being thought of as statements made out of inaccuracy or incompetence, I would like to state the following; Search for my name and Cpanel on Google, where you will see articles showing where I've discovered dozens of root level exploits in Cpanel over the years. Yes, the tool itself, believe it or not, does have issues, as this subject is about. I assume that will clarify my stance and provide sound logic for my post. I doubt as many people have experience with Cpanel like I do, having found these flaws, having created patches, having created extension modules with and without the API and working on their underlying code and wrappers. I don't mean any of this in an arrogant way or to mean I'm always right, but I did feel compelled to point this out when you replied saying that in your humble opinion, it's pretty much generally the operator and not the product. In this case, it is the product, though yes, some people do blame the "tool" when they lack understanding or experience. 
I've just realized this might have come off as harsh or defensive, but I didn't mean it that way. I don't have time to re-edit (I'm out the door as I type this). Anyway, I do agree that it's often the case, but this is far from a perfect and secure product, as I've noted above. Last edited by Tim Greer; 03-26-2008 at 11:47 PM.

Posted by domainworldaccess, 03-27-2008, 12:25 AM
Tim, I'm not interested in a fight. You would obviously win. There are dozens of "which control panel" threads from which to choose, so I will just apologize to you for the apparent insult, and to the OP for voicing an opinion rather than stating the requested facts...

Posted by Tim Greer, 03-27-2008, 02:14 AM
Wow, your wording has me confused. I certainly wasn't looking for a fight either, and you're welcome to your opinion. I wasn't upset that you didn't agree with me, and I said that re-reading my reply, it might sound defensive, but I wasn't intending for it to. It's utterly not a big deal or issue, I just wanted to clarify (I wasn't even sure if you directed your reply at me or in response to mine anyway, which is what I had meant to clarify, too). I apologize if that was interpreted wrong.

Posted by jpetersen, 03-27-2008, 02:25 AM
I searched, and all I was able to come up with were the bugs from Sep 2006, and the recent Horde issue. I'm sincerely interested in knowing about the bugs you discovered in the past. The reason is that I've spent countless hours auditing cPanel myself, and sometimes you learn new things about old issues. When you say you've "discovered dozens of root level exploits", are you including things which require interaction from the user logged in (such as XSS in WHM), or are you referring to bugs where anyone that has access to a cPanel box (authenticated or otherwise) can simply execute code and be dropped to a root shell (or execute commands as root, or write files as root, etc)? I don't think I've missed many public cPanel vulnerabilities, but if there are dozens of roots that are public knowledge, I've definitely overlooked something. It's very difficult to find others that share the same enthusiasm in finding security issues in one specific product such as cPanel, and anyway most folks don't even tend to look at the code running on their boxes, no matter what the product. Something else you said has also piqued my curiosity: The problems that you refer to and the statement about making it fairly safer than stock - these make it sound like (to me) there are security issues that you are aware of that haven't been addressed. Is that correct, or am I off base? I would really love to take a conversation about cPanel with you offline if you would be kind enough to do so. The reason for going offline is fairly obvious: I'd rather not disclose any potentially damaging information to folks with bad intentions. If you're on the fence about discussing any issues with me offline, I'll just say that I've also played a helpful role in the hosting industry (stretching beyond cPanel), and any cPanel boxes you use have had their security greatly enhanced over the years by my efforts as well. You can verify this with Nick Koston directly if you'd like. 
Your contributions, time, and efforts surpass mine by far I'm sure, and regardless of what you might or might not be willing to discuss, I am very appreciative of the contributions you've made, and hopefully will continue to make where needed. If you wouldn't mind sending me a PM, perhaps we could exchange email addresses and pick each others' brains as time permits.

Posted by Tim Greer, 03-27-2008, 02:40 AM
I haven't talked to John (Nick) in a while and we're not great friends, pretty much because I've never held back about being honest and vocal about the issues I have with the control panel. A lot of the issues I've mentioned have been resolved over time. Some haven't been handled well, but most have been patched well enough to remedy the issues that did exist (there are just other methods to exploit the same hole, but I gave up trying to deal with them and they make enough money, I got tired of contributing fixes and doing their job in that regard, so I didn't go on about it with them). One of the more recent exploits I spoke of wasn't the Horde issue, but one from last year: http://news.netcraft.com/archives/20...mass_hack.html http://www.hostsearch.com/news/hostg..._news_5001.asp http://hostingfu.com/article/cpanel-...loited-in-wild So, it wasn't about the Horde issue, that was just most recent (within the last couple of weeks), but they weren't entirely to blame (but I'm unhappy with how they've implemented it which opened the potential for a more serious exploit). I'm not out to talk smack about it though, I was just stating a point. We'll (a new company I'm involved in starting) be using Cpanel for a while at first, because of the issues that have been resolved, but we will be replacing the top end to be more secure. I can explain that as well as a list of the exploits I speak of to you in private. If you PM me we can schedule a time to talk on the phone, or chat on AIM or just over email.

Posted by jpetersen, 03-27-2008, 03:37 AM
I understand what it's like to be very vocal about something you feel strongly about. In a past life at another place I worked (non hosting industry related, but still related to security) I dealt with the same thing. Not just me, but a few of us who were able to see and explain issues very clearly that ultimately would not be addressed. Granted, that can happen in any line of work, and sometimes persistence doesn't always pay off. My experience with reporting issues to cPanel has, thankfully, been very different. Major issues - and even lesser problems - have been acknowledged and addressed with amazing speed. I'm not trying to downplay your experience, but just wanted to share my own. I do find it disheartening that there are possibly still issues as you mentioned which have not been fully addressed. I wouldn't know the reason for this of course, and it's entirely possible that I would agree with cPanel with why particular issues might still persist. I would be more than happy to approach cPanel with any information you'd be willing to discuss. I understand not wanting to continue to bang your head against the wall when you feel progress isn't being made. It gets old after a while, I'm sure. I have a fairly good rapport with cPanel (as far as I know anyway :-) and would be fully willing to approach them about anything I know without disclosing details to anyone else, giving full credit where credit is due. I really hate to think that there might possibly be unresolved issues that could potentially be abused by "hackers", spammers, and the like, and would be happy to bang my own head against the wall for a while if it happens to come to that. I was around for that one, and didn't get much sleep from spending most of my time upgrading boxes, reading the threads that were posted here about it, reading the cPanel forums, and checking every other possible source of information I could find about it. 
I even had to call an "editor" at some web hosting news related website that erroneously stated that we also fell victim to that attack. I'll refrain from posting his name and the website's name here, but I do remember that time very vividly and have been focusing on learning more about cPanel ever since. The newer model they have in place will hopefully keep those types of issues minimized. I fully understand what you mean about how the applications were implemented, and how a bug in one of those apps could be (and ultimately was) used to attack cPanel. Within a few hours of hearing about it, I went bug hunting in Horde and found a separate issue that could also be used to attack cPanel. This was addressed after they released the followup updates (the updates that were released a day or 2 after the fix for the initial issue) that they were already planning to release anyway. I kicked myself for not finding it much sooner, but also discovered a few new approaches for bug hunting at the same time. It was actually a very fun learning exercise - finding the bug, figuring out how to abuse it, coding the POC. Sounds good. I'll PM you with my email address. If the pace is too slow we can hit up IM or the phone. Email is easiest for me as it gives me time to put together things in a very clear and concise manner, and if I get interrupted with something, I can always go back to it later. Thanks for your time, I'm sure we both have information that can benefit each other.

Posted by Tim Greer, 03-27-2008, 01:55 PM
To be clear, I wasn't suggesting they ignore people's reports or treat everyone the same way. I think the issue with John and I happened rather by mistake. I was hired on by a company to do admin and programming back in '99 or 2000 and after a week they said they had hired a programmer to create a control panel interface for them and he encrypted the code. They said they needed the source code. So, I spent a couple of minutes looking at it and reversed the program to its source code. They ended up asking for a way to automate signups for their servers if the merchant order went through, so I created a script to work with it and the backend scripts (wwwacct), but they ended up never paying me. While all of this was happening, I came to find that the script I decoded was Cpanel's main backend. I had just spent the day before saying how much the code sucked (it was so terrible), and I think that upset John. Oh well, I just saw a lot of re-used, cobbled together code from different free scripts (free scripts that weren't very good) which were made to run as root and daemonized. So, counting the hundreds of problems over the next 8 years or so, and the major screw ups it was causing to people using it (tens of thousands of servers I was administrating running this program), it was getting progressively on my nerves. When I saw people say it's great, stable, secure and that "nothing is perfect", I became more annoyed. After all, there were a ton of problems that were inexcusable. But, I'm not getting into all of that, but it is why even recently I can say it's certainly not secure. John really needs to hire someone that knows what they are doing to completely redesign and recode the entire product, and that's what it honestly comes down to. He has the money from license fees to do that, and has for a few years now. I don't know what they are waiting for. 
However, if people are willing to tolerate such problems and shrug them off, then why waste any time and money when people are happy with the results now, especially making the money he does? I expect nothing to change. I won't post more on this thread again, because I've offered the insight and opinion and facts I know, and people will already think what they think anyway. I don't want to drag it out, I mean. It's not the end of the world to use it, it's just far from "very secure".

Posted by jpetersen, 03-27-2008, 03:01 PM
Hi Tim, The bottom line is really this: You state that there are security issues in cPanel which have patches that can be bypassed. You feel pretty strongly that cPanel is not secure. You have a greater level of insight into the software than most folks probably do, therefore your statements probably carry some weight. Given those statements and your lack of desire to continue beating your head against the wall regarding getting things fixed (which I do understand), I was hoping we could work together to improve the very software all of us use. There would likely be little to no gratification, except from ourselves. It would take time out of both of our schedules. It might even be tedious and boring. If it means a safer environment for me and my customers, (and, as a result, every single server using cPanel), I can live with that. You have my email address, which I sent via PM earlier this morning. If you want to get in touch over the next few days, weeks, whenever you have some free time, I'll be around. edit: got your PM, which I think you sent right as I was typing this up. I will reply shortly. Last edited by jpetersen; 03-27-2008 at 03:06 PM.

Posted by Tim Greer, 03-27-2008, 03:05 PM
Yeah, I PMed you back earlier. We'll talk, I just didn't want to stay involved in this certain thread, since I have nothing more to add. We'll talk soon. Cheers!

Posted by Iwannasite, 03-27-2008, 05:12 PM
Actually, the bottom line is that a lot of companies have made a lot of money hosting with cPanel on their servers. If that's your goal then by all means use it. If your goal is absolute security, don't use it... or any other control panel for that matter.

Posted by jpetersen, 03-27-2008, 06:11 PM
Are you saying people can't have concurrent goals - the continued goal of running a successful, profitable webhosting business while also having another continued goal of providing a more secure environment? They are not mutually exclusive, and don't have an end. You take either of them as far as you want. I don't think anyone would be upset about having a little (or a lot) more of both. It's not about completely eliminating cPanel, or any specific piece of software. It's about proactively understanding weaknesses that are inherent with any system and raising awareness of those issues in an effort to minimize the impact in the event that something "bad" happens. It's also a lot of fun :-)

Posted by whmcsguru, 03-27-2008, 07:22 PM
Let's TRY to get things back on topic shall we? Is CPanel secure? Cpanel is secure enough. That's not saying it doesn't ever need updating, or that it doesn't have flaws, or that it doesn't even get hacked from time to time. It's CPanel, it's as secure as it can be while doing what it does on a daily basis. Now, let's take a few things apart here: Firstly, remember, CPANEL isn't just CPanel. It's products from hundreds of other vendors. It takes those, rolls them into one application platform and says "here, use this". Many of the insecurities in cpanel don't come from CPanel itself, but from outside vendors. For example, a few months (or was it weeks) back, there was something to do with Horde. This wasn't specifically related to CPanel, but to Horde itself. As soon as this was discovered, it was reported, and resolved. Does CPanel ignore reports from vendors, or users? Absolutely not. They handle their own releases, bugs, and exploits as quickly and effectively as can be expected with a rollout of 10s of thousands of servers. That nightmare, I really wouldn't want on me. In the end, security isn't just about one piece of software, it's a state of mind. If you don't know how to properly admin your servers, you're screwed, end of statement. CPanel isn't there to do that, it's there to make the END USER'S life easier (not necessarily the admin's). You still need years of experience in administration before you think about taking something like a webhosting business on. Again, is CPanel secure? It's secure enough to use, yes, however you must know what you're doing with the system in order to use it and secure the server properly.

Posted by Tim Greer, 03-27-2008, 08:13 PM
Yes, that was the topic. If it was going to open a large hole from simply installing/running it, then we'd not use it in the interim, so it's not so dire. I just didn't agree it was very secure. It's good enough and I have been pretty non vocal about its issues, because I'm not involved with them. I figure that if I'm unhappy, I'll create my own alternative (and that's the plan), but I do feel it's good enough for now (i.e., not an immediate danger/threat). I don't think the topic was ever supposed to be about what it does or does not handle, and no doubt that you need experienced staff to properly admin, configure and secure a server, which is a never ending job. Cpanel just does basic things and configs and isn't meant to be an "install and you're done as long as you keep it updated". So, it's good enough.

Posted by Metallian, 03-27-2008, 09:20 PM
Agree with you


