WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


CSF 2.67 - LF_HTACCESS insecure regexp


DESCRIPTION

See issue 04 above for a complete explanation of this issue. The regexp for this issue looks similar to the following:


 634     if ( $log_line =~ /\[client (.*)\] user .*: authentication failure/ ) {
 635         return ( 'Unsuccessful http auth login from', $1, 'htpasswd' );
 636     }


IMPACT

Remote, unauthenticated command execution as root. LF_HTACCESS is disabled by default.

This bug was not reported because it was not discovered until after it had been fixed. I believe this bug was fixed in the release that followed 2.76 as a result of reporting issue #08 (remotely block any IP address, pure-ftpd regexp).


WebhostSecurity.com © 2009 - 2020