06/03/2010

"I do not believe you. I also believe you are here to spread FUD in order to sell your services." - random DirectAdmin forum user, on the subject of past security issues in DirectAdmin.

Of course you don't believe me. The vendor never credited any of my other disclosures to them, and they hid the fact that they patched a local root. Version 1.323 fixed the local root (DA BUG #2) and the majordomo issue (DA BUG #3). Neither of those is mentioned here. How about the uid counter feature for new users, or the mention of mounting /home as nosuid because of the uid and gid reuse issues in their Basic system security article? No credit given whatsoever.


06/02/2010

Updated DirectAdmin BUG #3, which is rootable.

05/28/2010

"It also has the advantage of being relatively simple and is well designed, so vulnerabilities are difficult to find" - random DirectAdmin forum user, on the subject of DirectAdmin.

Simply put: I disagree.

05/08/2010

BFD 1.4: Important Security Fix

Temporary Installatron vulnerability mitigation update: /usr/local/installatron/repair -f --edge

05/07/2010

I have it on good faith from an anonymous individual that RVSiteBuilder is rootable. I don't have access to a box with that software to verify, but I do know of bugs in other software this person has previously found and disclosed. This individual says they've contacted RVGlobalSoft about this issue previously, and were told that the fix would be available in March. You'll note the date of this message, and apparently there is (still) no fix. All credit goes to this person for their find, and their responsible disclosure. I was contacted directly to help get some exposure on the bug.

04/25/2010

Short list of server management companies on WHT that install remotely rootable software: Twitter.com/WebHostSecurity

Per the usual, WHT sides with scammers (such as Erik F. Zeiner, Michael Tyler, and the rest of the Myriad Network criminals) and removed my post. Why doesn't WHT want people to know who the scammers and thieves are?

When this particular vendor releases their next update, you will see who the fraudulent "security experts" are on WHT, and why you may want to ask for a refund from your server management company.

Nothing bad to say about the developer of this free software. Everyone makes mistakes, and I'm certainly no exception.

10/10/2009

Added the packets per second monitoring script.

09/24/2009

The site is up.