SECURITY ADVISORY: cPanel Update Recommended

May 9th, 2008

A weakness in the random data generation module included with cPanel has been identified. cPanel releases prior to 11.18.6 and 11.23.1 are susceptible to this security issue which is rated medium-critical.

Update Advisory
==============================
All STABLE and RELEASE users are strongly urged to update to their respective 11.18.6 release. CURRENT and EDGE users should update to the latest 11.23.1 release. No releases are deemed susceptible to remote or root access vulnerabilities.

cPanel Security Update Advisory

May 1st, 2008

Several potential security issues have been identified with cPanel software and Horde, a third-party bundled application. cPanel releases prior to 11.18.4 and 11.22.2 are susceptible to security issues which range in severity from trivial to medium-critical. Along with the discovery of these potential issues, cPanel has released a new security tool to protect users from XSRF attacks.

Update Advisory
==============================
All STABLE and RELEASE users are strongly urged to update to their respective 11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3 release. No releases are deemed susceptible to severe, critical or root access vulnerabilities.

XSRF Protection
==============================
cPanel has also introduced a tool designed to protect against a category of attacks known as cross-site request forgery (XSRF). This tool will validate the browser referrer information against an approved list of domains.

The list of approved domains is automatically determined according to the system’s configuration. Any blocked requests are presented to the end user for approval. This additional step will minimize disruption of workflow while protecting the user from an outside XSRF attack. This check will not prevent bookmarked links in modern browsers from working normally.

XSRF protection is not enabled by default. It is controlled via WHM’s Tweak Settings under the Security heading. The protection may also be enabled manually by adding the following line to the end of /var/cpanel/cpanel.config:

referrersafety=1

and restarting cpsrvd by executing /usr/local/cpanel/startup.
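The referrer check described above, written out as an added example (this is not cPanel's referrersafety code). It assumes an approved-domain list is handed in (cPanel derives its own from the system configuration) and that a request with no Referer at all is allowed, which is the assumption that keeps bookmarked and typed URLs working; everything else outside the list is held for user approval.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed approved list; cPanel derives its own from the system configuration.
APPROVED_DOMAINS = ["example.com", "whm.example.net"]


def referrer_allowed(referer: Optional[str], approved: List[str]) -> Tuple[bool, str]:
    """Decide whether a request passes the referrer check.

    Returns (allowed, reason). A missing Referer is accepted (assumption: this
    is what keeps bookmarked and typed URLs working); an unparseable Referer or
    one whose host is outside every approved domain is held for user approval.
    """
    if not referer:
        return True, "no Referer header (bookmark or typed URL)"
    host = (urlsplit(referer).hostname or "").lower().rstrip(".")
    if not host:
        return False, "Referer has no host; hold for approval"
    for domain in approved:
        d = domain.lower().rstrip(".")
        # Exact match or a genuine subdomain; the leading dot stops
        # "example.com.evil.test" from matching "example.com".
        if host == d or host.endswith("." + d):
            return True, f"{host} is under approved domain {d}"
    return False, f"{host} is not an approved domain; hold for approval"


def check_requests(requests: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, bool]]:
    """Run a batch of (label, referer) pairs through the check for a quick audit."""
    return [(label, referrer_allowed(ref, APPROVED_DOMAINS)[0]) for label, ref in requests]


if __name__ == "__main__":
    # Constructed sample Referer values covering the cases that matter.
    samples = [
        ("same host", "https://example.com/frontend/x3/index.html"),
        ("subdomain on WHM port", "https://cpanel.example.com:2087/scripts/x"),
        ("lookalike domain", "http://example.com.evil.test/"),
        ("userinfo trick", "http://example.com@evil.test/"),
        ("bookmark (no Referer)", None),
    ]
    for label, allowed in check_requests(samples):
        print(f"{label:24s} -> {'allow' if allowed else 'hold for approval'}")
```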

Credits
================================
cPanel Security Auditing
Jeff Petersen ( Myriad Network )
Cassidy B. Larson ( InfoWest, Inc. )
Bugtraq ( http://www.securityfocus.com/archive/1/491230 )
Matteo Carli
Linux_Drox

———————

cPanel Conference 2008 Schedule Announced.

April 25th, 2008

cPanel today published a revised schedule for its 2008 conference, to be held in Houston, TX, June 11th to 13th. Topics this year will cover more advanced material than in previous years. Server security, troubleshooting, and cPanel’s EasyApache 3 functionality will be addressed and explained in depth. Also on tap are sessions addressing cPanel’s long-awaited and much-anticipated cPanel Server Suite for Microsoft Windows. The 2008 conference will cater to the needs of corporate decision makers, server owners, IT staff, and anyone who deploys cPanel. Attendees will also be able to meet representatives from exhibitors and vendors including Microsoft, Cloudmark, Trustwave, The Planet, Soho Launch, Bobcares, and more.

“This will be our third year for the conference and this one promises to have more information and tips than previous years. We strongly recommend that anyone using cPanel as a server administrator, decision maker, or developer attend this conference,” said J. Nick Koston, cPanel’s CEO. Further information regarding the conference, schedule, and exhibitors can be found at the conference website: http://conference.cpanel.net/

cPanel Update: TailWatch and cPanel VPS Optimized

April 4th, 2008

Greetings,
This week marks some great progress at cPanel, and with that progress come two new and exciting advancements: cPanel VPS Optimized and TailWatchd.

cPanel VPS Optimized
——————————-

cPanel VPS Optimized is a new version of cPanel / WHM specifically designed to run on Virtual Private Servers. cPanel VPS Optimized provides the feature-rich functionality of cPanel / WHM while reducing memory usage by up to 60% on VPS instances.

cPanel VPS Optimized represents a great step forward for cPanel customers. The reduction in memory usage for each install allows web hosts to host more domains per virtual machine. This increase enables hosts to provide a more efficient and eco-friendly server base with fewer physical machines.

The upgrade to cPanel VPS Optimized requires no interaction. Once cPanel VPS Optimized has reached the build tree on your server, automatic (or manual) updates will upgrade the current cPanel / WHM installation to a cPanel VPS Optimized installation. cPanel VPS Optimized is currently only in EDGE builds.

Information about cPanel VPS Optimized can be found at: http://www.cpanel.net/products/cpvps/

TailWatchd
——————————

TailWatchd is a new concept in log processing from cPanel. Previously, three daemons were used to gather information from mail and bandwidth logs (antirelayd, eximstats and cpbandwd). These daemons have been deprecated and replaced with the more robust and more lightweight TailWatchd. The move to this new system reduces the load caused by log processing and allows for a more robust interface with the daemon. This daemon, with all three log processing drivers loaded, uses less memory than eximstats alone!

Technical information about TailWatchd can be found at: http://www.cpanel.net/support/articles/tailwatchd.html

Other Updates
——————————–

Along with these two new advancements, modifications have been made to the cPanel / WHM product to reduce CPU and memory usage. We hope that you will find these advancements a positive step for your operations. There are many more great steps in the cPanel development path which will enhance your experience with cPanel products.

To find out more about the future of cPanel products, learn about new features that have appeared recently, or gain more experience working with cPanel products, join us in Houston on June 11-13 at the cPanel Conference (http://conference.cpanel.net).

Thanks again for your continued support. We appreciate your use of cPanel products which allows us to remain an independent and highly dedicated Hosting Automation Solutions Provider.

SECURITY ADVISORY: Official Horde Update to 3.1.7 and upgrades to cPanel’s PHP application security model

March 10th, 2008

SECURITY ADVISORY: Official Horde Update to 3.1.7 and upgrades to cPanel’s PHP application security model available in cPanel builds 11.18.3 and 11.19.3.

———————-

Summary:
The Horde webmail application framework has been updated to 3.1.7. Upgrades have been made in cPanel’s PHP application security model.

Description:
The Horde webmail application framework has been updated to 3.1.7 for the official fix to the previously announced arbitrary file inclusion vulnerability. cPanel has also made upgrades in cPanel’s PHP application security model for Horde, PHPMyAdmin, and PHPPGAdmin. These upgrades have been made to minimize or mitigate undiscovered vulnerabilities in these third-party applications while running within a cPanel installation.

Fix Details:
It is recommended that all cPanel servers running Horde be updated to either cPanel 11.18.3 or cPanel 11.19.3. If you do not wish to update cPanel, it is strongly recommended that you keep Horde disabled until these updates have been applied. You can disable Horde on your cPanel system by unchecking WHM -> Server Configuration -> Tweak Settings -> Mail -> Horde Webmail, and saving the new settings.

You can check your current version of cPanel by executing:
/usr/local/cpanel/cpanel -V

Updates can be run via the following command executed from a root shell:
/scripts/upcp

Updates can be run through WHM as well. Log in to WHM, then select cPanel -> Upgrade to Latest Version -> Click to Upgrade.

References:
http://lists.horde.org/archives/announce/2008/000382.html

Credits:
cPanel would also like to thank Jeff Petersen and Rob Brown for the additional security information provided with regards to this update.

SECURITY ALERT: Horde arbitrary file inclusion vulnerability.

March 6th, 2008


An arbitrary file inclusion vulnerability has been discovered in the Horde webmail application. At present, we can confirm that this security vulnerability in question affects Horde 3.1.6 and earlier. Based on incomplete information at this time, we also believe this affects Horde Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware at this time).

cPanel customers should update their cPanel and WHM servers immediately to prevent any chance of compromise. The patch will be available in builds 11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated builds will be available immediately to all fast update servers. The builds will be available to all other update servers within one hour of this posting.

To check which version of cPanel and WHM is on your server, simply log into WebHost Manager (WHM) and look in the top right corner, or execute the following command from the command line as root:

/usr/local/cpanel/cpanel -V

You can upgrade your server by navigating to ‘cPanel’ -> ‘Upgrade to Latest Version’ in WebHost Manager or by executing the following from the command line as root:

/scripts/upcp

It is recommended that all use of Horde 3.1.6 and earlier be stopped (on cPanel and non-cPanel systems alike) until Horde updates can be applied. You can disable Horde on your cPanel system by unchecking the box next to ‘Server Configuration’ -> ‘Tweak Settings’ -> ‘Mail’ -> ‘Horde Webmail’ within WHM, and saving the page with the new settings.

We would like to thank HostGator for providing the initial details in their report of this vulnerability.

cPanel Conference 2008 Official Announcement

February 22nd, 2008

For the third year running, cPanel will be holding its annual conference in Houston, Texas from June 11 to 13. This year’s conference promises to be more in depth, with more advanced topics than in previous years. There will be guest speakers in addition to cPanel developers, and cPanel techs will be on hand to provide live, in-person technical support. Also taking place will be a panel discussion with some of cPanel’s developers and techs. With the upcoming release of cPanel Server Suite for Windows scheduled for spring, the conference will have several sessions geared towards the new product and how it will significantly enhance Windows-based hosting operations.

Conference registration is once again very reasonable at $60.00 USD per attendee. Attendees will be able to meet vendors and producers of software plugins that work with cPanel as well as service providers that deploy cPanel. As the host of the conference, cPanel will be providing a cocktail reception with a top shelf open bar on the evening of the 11th as well as a sumptuous dinner for all attendees and vendors on the 12th. Lunch and breakfast will also be provided both days.

For more information, please visit the conference site located at http://conference.cpanel.net/

cPanel Conference 2008

February 11th, 2008

cPanel is pleased to announce their 2008 cPanel Conference! For the third consecutive year, cPanel will be holding its annual conference in Houston, Texas from June 11, 2008 through June 13, 2008. The conference this year promises to be more in depth, including more advanced topics than in previous years. There will be guest speakers in addition to cPanel Developers. Also taking place will be panel discussions with some of cPanel’s Developers and Technical Support Specialists.

Further details and the conference site will follow shortly.

Components of Random JavaScript Toolkit Identified

January 25th, 2008

cPanel announced today that its security team has identified several key components of a hack known as the Random JavaScript Toolkit. The systems affected by this hack appear to be Linux® based and are running a number of different hosting platforms. While this compromise is not believed to be specific to systems running cPanel® software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise.

The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data center. All affected systems have password-based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers. Once an attacker manually gains access to a system, they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized rootkit based on Boxer version 0.99 beta 3. Finally, the attacker searches for files containing credit card related phrases such as cvc, cvv, and authorize.

The actual rootkit has been the subject of much speculation. The cPanel security team asserts that the Boxer variant includes a small web server, which is how the JavaScript is distributed to unsuspecting users of any website on the server. It is believed that the JavaScript include is injected into the HTML code after Apache® has served the file but before it has traveled through the TCP transport back to the user of the website. The web server is not loaded onto the hard drive directly but loaded directly into memory from the infected Boxer binaries. More information about the infected binaries can be found at: http://www.cpanel.net/security/notes/random_js_toolkit.html.

The JavaScript being loaded by this web server directs users to another server that scans the website user for a number of known vulnerabilities. These vulnerabilities are then used to add the website user to a botnet. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.

Cleaning the Random JavaScript Toolkit requires the server to be booted into single-user mode and the removal of all infected binaries. More details on how to do this can be found at: http://www.cpanel.net/security/notes/random_js_toolkit.html. Because the cPanel security team believes that the hacker has access to the database of login credentials, the only way to prevent being hacked again is to change the password and not release it to anyone. The preferred method, however, is to move to SSH keys and remove password authentication altogether.
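Two checks a defender could run against the behaviour described above, added here as an example and not cPanel's own tooling: the first compares a page as stored on disk with the same page as served (the injection happens after Apache has read the file, so the on-disk copy stays clean and any extra script element in the response is suspect); the second audits an sshd_config body for the password-authentication setting the post recommends turning off. The sample HTML, the injected URL and the sshd_config fragments are constructed.

```python
import re
from typing import List

# Matches a whole <script ...>...</script> element, across lines.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def injected_scripts(on_disk_html: str, served_html: str) -> List[str]:
    """Return <script> elements that appear in the served response but not in
    the file on disk. Because the injection happens after Apache has read the
    file, the stored document is clean and any extra tag is suspicious."""
    expected = SCRIPT_TAG.findall(on_disk_html)
    suspicious = []
    for tag in SCRIPT_TAG.findall(served_html):
        if tag in expected:
            expected.remove(tag)  # consume one copy so duplicates still count
        else:
            suspicious.append(tag)
    return suspicious


def password_auth_enabled(sshd_config: str) -> bool:
    """Parse an sshd_config body and report whether password logins are on.
    sshd honours the first occurrence of a keyword and defaults
    PasswordAuthentication to yes, so an absent directive means enabled.
    Only the global section is read; parsing stops at the first Match block."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].replace("=", " ").strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # global section ends at the first Match block
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"
    return True


# Constructed samples: a clean page on disk and the same page as served by a
# tampered host; the injected URL uses a documentation address (RFC 5737).
ON_DISK = '<html><head><script src="/js/site.js"></script></head><body>Hi</body></html>'
SERVED = ON_DISK.replace("</body>", '<script src="http://203.0.113.7:8080/x.js"></script></body>')
SSHD_BEFORE = "Port 22\n#PasswordAuthentication no\n"  # directive commented out: default (yes) applies
SSHD_AFTER = "Port 22\nPubkeyAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    print("injected:", injected_scripts(ON_DISK, SERVED))
    print("password auth before:", password_auth_enabled(SSHD_BEFORE))
    print("password auth after:", password_auth_enabled(SSHD_AFTER))
```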

This compromise has been in the media lately and discussions can be found at the following locations:
http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
http://it.slashdot.org/it/08/01/25/148244.shtml

cPanel Server Suite for Windows Beta Testing Update

December 28th, 2007

We would like to thank everyone who tested cPanel Server Suite for their efforts and candid evaluations so far.

Based on the feedback received from our first round of beta testing, we have decided to make some major changes to select areas of cPanel Server Suite. While these changes will push back further beta testing, they will not change the overall supported architecture that is described on our site. We look forward to moving along with the changes and will notify the next beta group when the changes are available for testing.

About

cPanel Blog is dedicated to providing you, the cPanel user and server admin, with the latest news and updates straight from cPanel. Here you will be able to find news and updates regarding our industry-leading software as well as news on events we will be attending or hosting.
