CPanel's Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers(www.copahost.com)

89 pointsby ggallas5 hours ago7 comments

zuzululu4 hours ago
Ages ago I used php-nuke to manage my forum and it got hacked and I thought it would get taken seriously
Seeing these CPanel hacks remind me how old these codebases are and how much more vulnerability remain
- dainiusse4 hours ago
  I don't agree that "old" necessarily implies vulnerability.
  - tclancyan hour ago
    As a coder who just hit 50, trust me, it does.
  - pixl974 hours ago
    I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.
    omnimus4 hours ago
    These PHP systems be it cPanel, wordpress or PHP itself are most likely the biggest target besides windows. It's incredibly uncool stack especially here but it is running most of the "independent" small web.
    They cannot be that bad if they are managing to be ductape of the internet.
    Meekro3 hours ago
    I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.
    On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.
    diek5 minutes ago
    CVE-2021-21703 [0] is a similar class of bug in the PHP interpreter itself that was pretty recent
    https://www.sentinelone.com/vulnerability-database/cve-2021-...
    ggallasan hour ago
    [dead]
    dylan6042 hours ago
    Every time I venture in the the web server's error log, I see all of the skiddie's attempts at accessing the most common things with most of them being .php files. Lots of /wp/admin.php and /phpadmin/ type requests. Of course, none of those are available which is why the requests are in the error log. I've never paid attention, but I wonder how long (as in how little time) for a new server to come online before it starts to get probed by a skiddie. Whether they are just war dialing IPs or paying attention to new domain announcements but I'd put it on a few hours tops.
    hamburglaran hour ago
    Dismissing these as script kiddie attempts is no longer correct. This is a real industry now. It’s not like the large scale actors are going to pass up a valid unpatched vector just because it’s old hat.
    dylan604an hour ago
    yes, but how often otherwise would i get to use the word skiddie?
    rstupek14 minutes ago
    If you get a letsencrypt certificate it will get probed within a minute
    hvb24 hours ago
    > They cannot be that bad if they are managing to be ductape of the internet.
    I think there are just a whole lot of tools written for them. So non devs can spin things up and click some things together.
    Is that safe and secure? Maybe, if the devs did their work well. But I'm positive no one reads the docs on how to configure something securely.
    I think the real reason is that it's very cheap to host, and always has been
    ChocolateGod4 hours ago
    cPanel is Perl.
    robocat2 hours ago
    Yes. Perl for core backend logic, automation, legacy systems, APIs. Some other languages used for bits and pieces.
    https://api.docs.cpanel.net/guides/guide-to-perl
    anamexis4 hours ago
    How does that follow?
    cinntaile3 hours ago
    They have a big target on their back so the low hanging fruit is (mostly) gone.
- TZubiri4 hours ago
  The concept of a GUI wrapper on top of the Linux ecosystem is what's broken.
  Not because of a fundamental limitation of that architecture, but because in practice the type of people that will use it do not want to learn or develop the necessary skills to administer it, and critical information like man pages and parameter lists are hidden.
  You can't take shortcuts without consequences.
  - majicDave2 hours ago
    > The concept of a GUI wrapper on top of the Linux ecosystem is what's broken
    That is a nugget, it's so true.
    Wrappers in general are such an issue in software. Wrappers built on top of wrappers, this desire to abstract everything away makes things look simpler, but every layer slows things down and hides what is actually happening. Every wrapper is another layer of complexity, another hoop to jump through when you're looking for a solution to a problem.
  - ricardonunez3 hours ago
    Of course is the architecture and the creator of such a thing, isn’t the point of a tool like that for users that don’t have the tech knowledge? I have only used those systems on shared hosting, host providers are the one maintaining and should be keeping them up to date and WHM/Cpnel have plenty of customers to worry too patch holes, if they can’t then who’s fault is it, Architecture, or provider? Hope is the customers fault?
    walrus012 hours ago
    I would worry less about big shared hosting providers, who have a strong interest in patching their stuff quickly, than the market of people who get one or two dedicated servers or KVM VMs and then install cpanel on them and for the rest of the time they use it, ignore the CLI of the servers and never patch anything. There's a lot of small users of cpanel that have just a few licenses.
  - walrus013 hours ago
    Remember 'webmin'?
    As someone who pretty much exclusively uses debian, freebsd and openbsd for server OS work, I was also rather surprised recently to see the default web gui that comes on a new fedora install.
    https://cockpit-project.org/
    esseph14 minutes ago
    Also comes default on Red Hat Enterprise Linux, Rocky Linux , AlmaLinux, Oracle Linux, and SUSE.
    Also walrus from old, old UBNT forum? If so, hello :)
anonzzzies5 hours ago
CPanel and hosters who use them are in big trouble now; there are millions of servers running them, many of them for decades. Their clients can run code as an user without much sandboxing/guardrails at all.
- rurbanan hour ago
  But those are updated automatically. It's unlike Windows or Linux, where the user decides when to update. cPanel updates are decided by cPanel
- breakingcups4 hours ago
  Such a different era.
  - omnimus4 hours ago
    If you look at the usage numbers, you could argue we are still in that era.
  - addedGone4 hours ago
    I miss this era, we overcomplicated everything
- ggallasan hour ago
  [dead]
josu29 minutes ago
So CPanel's security is just as bad as their UI, who would have thought?
eagerpace3 hours ago
Wow, similar sentiments about this being a throw back. I’d rather roll my own almost everything these days, may not be as good, but certainly won’t be targeted exploited broadly.
- hackthemack2 hours ago
  Many years ago. Maybe 2005 to 2015? I had a friend who used cpanel to run a web hosting company. He made quite a bit of money doing that. He was not a programmer, but he could setup up wordpress and install plugins. I remember asking him once if he was worried he would get hacked and then lose control of his servers? Lose his customers?
  He said he was worried but he had backups upon backups. I saw him restore a bunch of websites once, using cpanel, and I thought it is an amazing little bit of software with all of the click a button to setup many different things (like WAF). A real time saver and provides some guidance if you are not a unix-internet guru.
operatingthetan5 hours ago
People are still using cpanel?
- kiritanpo5 hours ago
  Most shared hosting plans use cpanel. It's still widely used yes for a lot of smaller websites.
  - dawnerd4 hours ago
    And even if it doesn’t look like it chances are it still is with a fancier ui on top.
  - ilia-a4 hours ago
    I wonder how much shared hosting is there really left, I imagine much of it move to VPS or cheap cloud boxes.
    omnimus4 hours ago
    I highly doubt that. It's giant market and with these custom small sites made by third parties you actually want to have client owned hosting and third parties who deploy to that hosting. Clients have learned to separate these otherwise the third party can have huge leverage (your business and all data is ours).
    walrus013 hours ago
    There's still a very big market of people for whom being given a VPS with ssh access and a command line is beyond their technical capability or comfort level.
    Ever seen the upsell offers in the check-out workflow for hosting packages that come when you buy a new .com domain from any major registrar? All those are shared hosting packages where everything is done through some sort of web gui.
- xp845 hours ago
  There are a lot of things that have been up for decades. The ROI on moving a simple PHP or static website to new hosting situation hasn’t been that compelling… though that could change. Thing is, I suspect most users of shared hosting which is Cpanel’s bread and butter are not reading the latest cybersecurity news.
  - TZubiri4 hours ago
    The ROI has just increased by like 10x or 100x this week.
- ramesh314 hours ago
  CPanel on shared hosting running WordPress PHP is literally half of the entire internet still.
  - whatsupdog4 hours ago
    Half of the entire internet is Meta properties.
    fmbb4 hours ago
    That’s the other half.
    Coincidentally also PHP.
    Shish2k3 hours ago
    Facebook started out PHP; but they ship-of-theseus'ed it into Hack by replacing the standard library, the language, and the runtime engine, so now it's a totally different thing with only a few superficial similarities (FWIW IMO Hack is much better than PHP, I'm sad that it never gained traction...)
    ceejayoz3 hours ago
    Much of what was good in Hack just got rolled into PHP.
  - walrus013 hours ago
    And if it's not cpanel, it's Plesk
- throwawayteaan hour ago
  I run an entire saas that 36 companies pay for, built in PHP, and I drag and drop the files to the server via cpanel.
zb32 hours ago
"AI safeguards" are not working I guess.. or maybe they're only working against those who'd like to secure their software.. good job Anthropic + OpenAI!
rickdg2 hours ago
Friendly reminder that there aren't that many ways for a normie to create their own (sub)domain with TLS and an email in under five minutes. That's cPanel for ya.
- sgammonan hour ago
  Yes, there are many ways to do that now, in under 5 minutes. Cloudflare will set all of that up just fine. GSuite is much easier to set up than CPanel.
- walrus012 hours ago
  The alternatives to cpanel would mostly be all-in-one hosting providers like 'squarespace' or similar, which have rolled their own web GUI to automate a basic normie workflow of domain registration, putting basic DNS records in a zone, hosting the DNS, getting TLS certs, putting basic content on a httpd. It's interesting to see the "set up your small business website now!" advertising to totally non technical people.