In 2018, cPanel, with their long-term partner CloudLinux, began offering Imunify360 as a featured security product. With cPanel & WHM Version 82 or 84, we are integrating ImunifyAV into all cPanel & WHM servers. Imunify360 is a product set from our industry partner CloudLinux and will provide all customers with the most effective malware detection solution in the industry. We have spent years working extensively with the development teams at CloudLinux on a variety of …
Archive for security
One-third of the web!
WordPress now powers over 1/3rd of the top 10 million sites on the web according to W3Techs. Our market share has been growing steadily over the last few years, going from 29.9% just one year ago to 33.4% now. We are, of course, quite proud of these numbers! The path here has been very exciting. […]
cPanel & WHM Version 80 will not support MySQL 5.5, and updates to cPanel & WHM Version 80 will be blocked for any server still running MySQL 5.5. We are also blocking updates for any cPanel & WHM servers that connect to remote MySQL 5.5 servers. The MySQL/MariaDB Upgrade interface inside WHM makes upgrading safe and easy. Why the block? On December 31st, 2018, MySQL version 5.5 entered End of Life status. Any server currently running MySQL …
As a part of an ongoing initiative to improve user experience in our product, in cPanel & WHM Version 78 we introduced cPanel Analytics. This functionality is intentionally built with ease of use and privacy in mind. It provides us with deeper insight into how our customers utilize cPanel, WHM, and Webmail without compromising the privacy of those users. We tested the feature directly with a few customers on cPanel & WHM Version 74, made some adjustments in …
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 through 3.9.3
- Exploit type: XSS
- Reported Date: 2019-February-25
- Fixed Date: 2019-March-12
- CVE Number: CVE-2019-9711
Description
The item_title layout in edit views lacks escaping, leading to an XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3
Solution
Upgrade to version 3.9.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.2.0 through 3.9.3
- Exploit type: XSS
- Reported Date: 2019-March-04
- Fixed Date: 2019-March-12
- CVE Number: CVE-2019-9712
Description
The JSON handler in com_config lacks input validation, leading to an XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3
Solution
Upgrade to version 3.9.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: High
- Versions: 3.8.0 through 3.9.3
- Exploit type: ACL violation
- Reported Date: 2019-February-28
- Fixed Date: 2019-March-12
- CVE Number: CVE-2019-9713
Description
The sample data plugins lack ACL checks, allowing unauthorized access.
Affected Installs
Joomla! CMS versions 3.8.0 through 3.9.3
Solution
Upgrade to version 3.9.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 through 3.9.3
- Exploit type: XSS
- Reported Date: 2019-February-25
- Fixed Date: 2019-March-12
- CVE Number: CVE-2019-9714
Description
The media form field lacks escaping, leading to an XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3
Solution
Upgrade to version 3.9.4
Contact
The JSST at the Joomla! Security Centre.
An extremely convincing phishing attack that impersonates a multi-game skin trade bot appears to be using a fake Extended Validation TLS certificate to steal Steam accounts. The ongoing phishing attack impersonates TradeIt.gg, which facilitates the trading of skins, weapons and other in-game commodities within popular games like CS:GO, TF2 and DOTA. When a victim attempts […]
WordPress 5.1.1 is now available! This security and maintenance release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2. This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously […]
Exim (EXperimental Internet Mailer) is a mail transfer agent known for being a general and flexible mailer, with many tools for checking incoming email. Created in 1995 by Philip Hazel, an estimated 57% of publicly reachable mail servers on the internet use Exim. Using the Sendmail design model, Exim has defined stages where it gains or loses privileges on a server, to help increase the security of mail delivery overall. Many of the benefits that Exim provides …
One of the more popular methods of publishing content on a website is a CMS (Content Management System). A CMS generally has a graphic user interface where a user can log in, create or upload content, update existing content, design how they would want their website to appear, and other related tasks. The three most popular CMS choices by usage are WordPress, Joomla, and Drupal. A cursory glance at these three different pieces of software shows …
A new version of WordPress, significant security enhancements, important discussions, and much more – read on to find out what has been going on in the WordPress community for the month of February. Release of WordPress 5.1 Near the end of the month, WordPress 5.1 was released, featuring significant stability and performance enhancements as well […]
Strengthening connections with our users is a huge part of the work that we do on the Community Team here at cPanel, and conferences like JoomlaDay Florida are perfect for that. Even in years when it sells out (like this one), it’s only around 150 of our best friends, with great chances to interact, and still intimate enough that we get a chance to really talk to some of the best folks there. I …
Let’s Talk MultiPHP
Many hosting providers have a large customer base with varying needs for their online projects. Available for systems running EasyApache 4, the MultiPHP Manager interface allows you to easily manage the PHP and PHP-FPM configurations of your cPanel accounts and domains. Hosting providers can switch between a number of different PHP versions with the click of a button, or allow more advanced users to upgrade to a newer version of PHP more quickly than others. There are …
If you’re not familiar with the Create Support Ticket interface, this tool lives inside WHM and allows a root user to create a support ticket with the cPanel Support staff. How is this more beneficial than logging in to Manage2 or using a form to submit a ticket? The Create Support Ticket tool streamlines and automates much of the process, including ensuring our support team will be able to access your server, decreasing the time it …
We’d like to introduce you to one of our newest features in cPanel & WHM version 78. The evolution of cPanel’s Email Authentication Interface to the Email Deliverability interface began with a desire to help users keep their legitimate emails out of Spam folders and turned into what we are showcasing here. These are some of the many improvements we’ve been making in an ongoing effort to help you increase your mail server’s efficiency. What is it? Previous to v78, …
WordPress 5.1 RC2
The second release candidate for WordPress 5.1 is now available! WordPress 5.1 will be released on Thursday, February 21, but we need your help to get there—if you haven’t tried 5.1 yet, now is the time! There are two ways to test the WordPress 5.1 release candidate: try the WordPress Beta Tester plugin (you’ll want […]
As of last week’s update, EasyApache 4 includes a light version of mod_lsapi, a module built and distributed by our friends at CloudLinux. This release is a scaled-back version of the module already distributed by CloudLinux. Anyone already using CloudLinux should use the one distributed by CloudLinux, but for everyone else let’s talk about it! What is mod_lsapi? mod_lsapi is an Apache module based on the LiteSpeed Technologies API that provides significant improvements in speed and …
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 through 3.9.2
- Exploit type: Object Injection
- Reported Date: 2019-January-18
- Fixed Date: 2019-February-12
- CVE Number: CVE-2019-7743
Description
The phar:// stream wrapper can be used for object injection attacks. We now disallow usage of the phar:// handler for non-.phar files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2
Solution
Upgrade to version 3.9.3
Contact
The JSST at the Joomla! Security Centre.
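To make the mitigation in the advisory above concrete, here is an added example of the idea behind it, written for this page; it is not Joomla's code and not the TYPO3 phar-stream-wrapper package. PHP's built-in phar wrapper unserializes an archive's metadata as soon as the archive is touched, and it is touched by ordinary file-system calls on a phar:// URL (file_exists(), is_file(), stat(), fopen(), getimagesize()), not only by include/require. A PHAR renamed avatar.jpg therefore turns any of those calls on an attacker-influenced path into an object-injection sink. The guard below replaces the phar wrapper with one that only delegates to the real wrapper when the archive component of the path ends in .phar. The class name, the install() helper and the sample paths are this example's own; it assumes PHP 7.1 or later and that the application only ever needs phar:// for *.phar archives.

```php
<?php
// Added illustration of a phar:// guard; not Joomla's or TYPO3's code.
// Assumption: only *.phar archives ever need to be opened through phar://.

final class PharGuardWrapper
{
    /** @var resource|null  set by PHP when a stream context is supplied */
    public $context;

    /** @var resource|false  handle on the genuine phar stream when allowed */
    private $handle = false;

    /** Allow phar://x/y.phar and phar://x/y.phar/inner/file, nothing else. */
    public static function isAllowed(string $path): bool
    {
        if (stripos($path, 'phar://') !== 0) {
            return false;
        }
        $rest = substr($path, strlen('phar://'));
        // The first path component ending in ".phar" is the archive; anything
        // after the following "/" is a path inside that archive.
        return preg_match('#^.+?\.phar(/|$)#i', $rest) === 1;
    }

    /** Replace the built-in wrapper with this guard (safe to call twice). */
    public static function install(): void
    {
        if (in_array('phar', stream_get_wrappers(), true)) {
            stream_wrapper_unregister('phar');
        }
        stream_wrapper_register('phar', self::class);
    }

    /** Run $fn with the genuine phar wrapper in place, then re-arm the guard. */
    private static function withRealWrapper(callable $fn)
    {
        stream_wrapper_restore('phar');
        try {
            return $fn();
        } finally {
            stream_wrapper_unregister('phar');
            stream_wrapper_register('phar', self::class);
        }
    }

    /** fopen()/file_get_contents() arrive here. */
    public function stream_open(string $path, string $mode, int $options, ?string &$openedPath): bool
    {
        if (!self::isAllowed($path)) {
            return false; // caller gets false; no archive metadata is parsed
        }
        $this->handle = self::withRealWrapper(function () use ($path, $mode) {
            return @fopen($path, $mode, false);
        });
        return $this->handle !== false;
    }

    /** file_exists()/is_file()/is_dir()/stat() arrive here, not in stream_open(). */
    public function url_stat(string $path, int $flags)
    {
        if (!self::isAllowed($path)) {
            return false;
        }
        return self::withRealWrapper(function () use ($path, $flags) {
            return ($flags & STREAM_URL_STAT_QUIET) ? @stat($path) : stat($path);
        });
    }

    // Read-side operations are forwarded to the genuine stream. Its ops were
    // bound when it was opened, so re-registering the guard afterwards does
    // not affect it. Write and directory operations are omitted here.
    public function stream_read(int $count)  { return fread($this->handle, $count); }
    public function stream_eof(): bool        { return feof($this->handle); }
    public function stream_stat()             { return fstat($this->handle); }
    public function stream_close(): void      { if ($this->handle) { fclose($this->handle); } }
}

PharGuardWrapper::install();

// Constructed sample paths. The first is the shape of a payload an attacker
// would try to reach a file_exists() or getimagesize() call with; the second
// is a legitimate archive path.
var_dump(PharGuardWrapper::isAllowed('phar:///var/www/images/avatar.jpg/x'));        // bool(false)
var_dump(PharGuardWrapper::isAllowed('phar:///opt/app/vendor/tool.phar/src/a.php')); // bool(true)
var_dump(file_exists('phar:///var/www/images/avatar.jpg/x'));                        // bool(false), real wrapper never consulted
```

The check lives in url_stat() as well as stream_open() because the stat family is the usual trigger in real attacks: an upload handler or image helper calls file_exists() or getimagesize() on a path the user controls, and no include is ever involved. Registering the guard early in the bootstrap, before any component touches user-supplied paths, is what makes the protection global.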
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 through 3.9.2
- Exploit type: XSS
- Reported Date: 2018-October-07
- Fixed Date: 2019-February-12
- CVE Number: CVE-2019-7740
Description
Inadequate parameter handling in JS code could lead to an XSS attack vector.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2
Solution
Upgrade to version 3.9.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 through 3.9.2
- Exploit type: XSS
- Reported Date: 2019-January-16
- Fixed Date: 2019-February-12
- CVE Number: CVE-2019-7741
Description
Inadequate checks at the Global Configuration helpurl settings allowed a stored XSS.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2
Solution
Upgrade to version 3.9.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 through 3.9.2
- Exploit type: XSS
- Reported Date: 2019-January-17
- Fixed Date: 2019-February-12
- CVE Number: CVE-2019-7739
Description
“No Filtering” textfilter overrides child settings in the Global Configuration. This is intended behavior but might be unexpected to the user. An additional message is now shown in the configuration dialog.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2
Solution
Upgrade to version 3.9.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 1.0.0 through 3.9.2
- Exploit type: XSS
- Reported Date: 2018-September-24
- Fixed Date: 2019-February-12
- CVE Number: CVE-2019-7742
Description
A combination of specific webserver configurations, in connection with specific file types and browser-side MIME-type sniffing, causes an XSS attack vector.
Affected Installs
Joomla! CMS versions 1.0.0 through 3.9.2
Solution
Upgrade to version 3.9.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 through 3.9.2
- Exploit type: XSS
- Reported Date: 2018-November-13
- Fixed Date: 2019-February-12
- CVE Number: CVE-2019-7744
Description
Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2
Solution
Upgrade to version 3.9.3
Contact
The JSST at the Joomla! Security Centre.
The first release candidate for WordPress 5.1 is now available! This is an important milestone, as the release date for WordPress 5.1 draws near. “Release Candidate” means that the new version is ready for release, but with millions of users and thousands of plugins and themes, it’s possible something was missed. WordPress 5.1 is scheduled […]
As you may or may not be aware, on January 19th, 2019, a security announcement was published confirming the compromise of the PHP Extension and Application Repository (PEAR) installation script. The PEAR project had the following statement to announce: “A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the …
The momentum from December’s WordPress 5.0 release was maintained through January with some big announcements and significant updates. Read on to find out what happened in the WordPress project last month. WordPress Leadership Grows In a milestone announcement this month, WordPress project lead, Matt Mullenweg (@matt), named two individuals who are coming on board to […]
WordPress is the most commonly used CMS (Content Management System) on the internet, with a 59.5% share of the CMS market. There are numerous ways to get a WordPress blog up and running for the public to see. One of the more popular ways to publish a blog is through WordPress’ official site, WordPress.com. This site offers its users the opportunity to build and maintain a free WordPress blog. There are downsides to a …