Archive for security

1004 results.

Problem with Recent EasyApache Update

Apr04
by Ike on April 4, 2018 at 5:21 pm
Posted In: Apache, CMS, Community, cPanel, Events, Products, Releases, security, System

Last night, we pushed an update to EasyApache4 wherein after the update was installed Apache service may fail to restart properly. Upon checking the Apache error log, you may see error messaging similar to the following: Server xxxxxxx.com Primary IP Address xxxxxxxxxx Service Name httpd Service Status failed Notification The service “httpd” appears to be down. Service Check Method The system failed to connect to this service’s TCP/IP port. Reason Service check failed to complete …

└ Tags:
 Comment 

WordPress 4.9.5 Security and Maintenance Release

Apr03
by Ike on April 3, 2018 at 7:56 pm
Posted In: 4.9, Backups, CMS, PHP, Releases, security, Wordpress

WordPress 4.9.5 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented […]

└ Tags: ,

How and Why to Build an EDGE Server

Apr03
by Ike on April 3, 2018 at 4:00 pm
Posted In: Apache, CMS, Community, cPanel, edge-tier, Events, how to test cpanel, Products, Releases, security, System, testing cPanel server, Tips & Tricks, update cpanel

* This post was originally posted on September 27, 2016, and has been updated for accuracy.  The Tiered Release System The tiered release system was introduced early in the development of cPanel & WHM. We knew it would be important to appeal to all types of users, from the risk-taking early adopters to the stability-seeking delayers. Each tier represents a different risk vs reward ratio, and today we’re here to talk …

└ Tags: , , , , ,
 Comment 

The Month in WordPress: March 2018

Apr02
by Ike on April 2, 2018 at 8:00 am
Posted In: Backups, CMS, Month in WordPress, PHP, Releases, security, Wordpress

With a significant new milestone and some great improvements to WordPress as a platform, this month has been an important one for the project. Read on to find out more about what happened during the month of March. WordPress Now Powers 30% of the Internet Over the last 15 years, the popularity and usage of […]

└ Tags:

Training Your Employees in cPanel & WHM: Best Practices

Mar27
by Ike on March 27, 2018 at 4:00 pm
Posted In: Apache, CMS, Community, cPanel, cPanel University, cPeople, Events, Releases, security, System, training

  There are multiple factors that contribute to your hosting company’s success. One undeniable factor that separates good hosting providers from great hosting providers is the level of technical support they provide their customers. Providing customers with easy, fast solutions when they need it is the best way to increase loyalty, retention, as well as promote evangelism for your business. We want to make sure your technical support staff is at …

└ Tags: , ,
 Comment 

Conferences, cPanel, and CloudFest 2018

Mar20
by Ike on March 20, 2018 at 7:36 pm
Posted In: Apache, cloudfest, CMS, Community, cPanel, cPConf, cpconference, cPeople, Events, Releases, security, System

Last week was the annual CloudFest conference (previously WHD.global) in Rust, Germany. cPanel, Inc. was a Diamond Sponsor, and we showed up in force! Twenty-seven eager cPanel employees from four departments came along. We all got to meet with existing and potential customers and to pass out some pretty handy gloves. Celebrate the Cloud! Most of us in the technology industry have a love/hate relationship with …

└ Tags: , , ,
 Comment 

[20180301] – Core – SQLi vulnerability User Notes

Mar13
by Ike on March 13, 2018 at 1:45 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.5.0 through 3.8.5
  • Exploit type: SQLi
  • Reported Date: 2018-March-08
  • Fixed Date: 2018-March-12
  • CVE Number: CVE-2018-8045

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the User Notes list view

Affected Installs

Joomla! CMS versions 3.5.0 through 3.8.5

Solution

Upgrade to version 3.8.6

Contact

The JSST at the Joomla! Security Centre.

Reported By: Entropy Moe

└ Tags:
 Comment 

General Data Protection Regulation and cPanel

Mar06
by Ike on March 6, 2018 at 6:30 pm
Posted In: Apache, CMS, Community, cPanel, cPeople, Events, Partners & Customers, Releases, security, System

As the internet evolves — so do the policies that govern the way we store and share information. One of the latest policies to come into effect is the General Data Protection Regulation. This policy, also known as GDPR, comes out of the European Union and its goal is to protect certain types of personal information.  We began preparing just over a year ago for this regulation, which comes …

└ Tags: ,
 Comment 

The Month in WordPress: February 2018

Mar01
by Ike on March 1, 2018 at 8:41 am
Posted In: Backups, CMS, Month in WordPress, PHP, Releases, security, Wordpress

Judging by the flurry of activity across the WordPress project throughout February, it looks like everyone is really getting into the swing of things for 2018. There have been a lot of interesting new developments, so read on to see what the community has been up to for the past month. WordPress 4.9.3 & 4.9.4 […]

└ Tags:

cPHulk is Now Even Stronger

Feb27
by Ike on February 27, 2018 at 6:30 pm
Posted In: Apache, CMS, Community, cPanel, Events, Products, Releases, security, System

Security is a huge priority for the cPanel team. Not only do we make sure we are providing everything we can to keep our customers protected, but we also provide ways for our customers to keep their clients’ information safe as well. One of our most prized features for both web, email, and server security is cPHulk. This feature, which provides great protection against brute force attacks, has been a part of our security suite …

└ Tags:
 Comment 

Where’s the SDK?

Feb22
by Ike on February 22, 2018 at 5:00 pm
Posted In: Apache, CMS, Community, cPanel, cpanel developers, documentation, Events, Products, Releases, SDK, security, System

When we originally launched the cPanel & WHM documentation, we also included a Software Developer Kit (SDK). Our goal was to build it into an actual kit of tools and help that would support and enable our integrators. Unfortunately, as the documentation evolved and the documentation team took on more responsibility,  the actual ‘kit’ was never created. That’s created a ton of confusion that we’re hoping to alleviate today. Announcing: Developer …

└ Tags: , , ,
 Comment 

WordCamp Incubator 2.0

Feb21
by Ike on February 21, 2018 at 10:53 pm
Posted In: Backups, CMS, Community, Events, PHP, Releases, security, WordCamp, Wordpress

WordCamps are informal, community-organized events that are put together by a team of local WordPress users who have a passion for growing their communities. They are born out of active WordPress meetup groups that meet regularly and are able to host an annual WordCamp event. This has worked very well in many communities, with over […]

└ Tags: , ,

WordPress 4.9.4 Maintenance Release

Feb06
by Ike on February 6, 2018 at 4:17 pm
Posted In: 4.9, Backups, CMS, PHP, Releases, security, Wordpress

WordPress 4.9.4 is now available. This maintenance release fixes a severe bug in 4.9.3, which will cause sites that support automatic background updates to fail to update automatically, and will require action from you (or your host) for it to be updated to 4.9.4. Four years ago with WordPress 3.7 “Basie”, we added the ability […]

└ Tags: ,

WordPress 4.9.3 Maintenance Release

Feb05
by Ike on February 5, 2018 at 7:47 pm
Posted In: Backups, CMS, PHP, Releases, security, Wordpress

WordPress 4.9.3 is now available. This maintenance release fixes 34 bugs in 4.9, including fixes for Customizer changesets, widgets, visual editor, and PHP 7.2 compatibility. For a full list of changes, consult the list of tickets and the changelog. Download WordPress 4.9.3 or visit Dashboard → Updates and click “Update Now.” Sites that support automatic […]

└ Tags:

The Month in WordPress: January 2018

Feb02
by Ike on February 2, 2018 at 8:10 am
Posted In: Backups, CMS, Month in WordPress, PHP, Releases, security, Wordpress

Things got off to a gradual start in 2018 with momentum starting to pick up over the course of the month. There were some notable developments in January, including a new point release and work being done on other important areas of the WordPress project. WordPress 4.9.2 Security and Maintenance Release On January 16, WordPress […]

└ Tags:

[20180104] – Core – SQLi vulnerability in Hathor postinstall message

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: SQLi
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6376

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Karim Ouerghemmi, ripstech.com

└ Tags:
 Comment 

[20180103] – Core – XSS vulnerability in Uri class

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 1.5.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6379

Description

Inadequate input filtering in the Uri class (formerly JUri) leads to a XSS vulnerability.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Octavian Cinciu

└ Tags:
 Comment 

[20180102] – Core – XSS vulnerability in com_fields

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2018-January-20
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6377

Description

Inadequate input filtering in com_fields leads to a XSS vulnerability in multiple field types, i.e. list, radio and checkbox.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST

└ Tags:
 Comment 

[20180101] – Core – XSS vulnerability in module chromes

Jan30
by Ike on January 30, 2018 at 2:45 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2018-January-21
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6380

Description

Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

└ Tags:
 Comment 

The hidden “well-known” phishing sites

Jan29
by Ike on January 29, 2018 at 1:04 pm
Posted In: Most Popular, security

Thousands of phishing sites have been finding homes in special hidden directories on compromised web servers. In the past month alone, over 400 new phishing sites were found hosted within directories named /.well-known/; but rather than being created by fraudsters, these special directories are already present on millions of websites. The /.well-known/ directory acts as […]

└ Tags: ,
 Comment 

Brazilian government providing warm waters for shoals of phish

Jan18
by Ike on January 18, 2018 at 4:33 pm
Posted In: security

Security holes in Brazilian government websites are still rife, with no fewer than eight different gov.br sites being compromised within the past week to host phishing attacks and hacking scripts. The situation does not seem to have improved much since two years ago, when we noticed a similar spate of phishing sites and malware hosted […]

└ Tags:
 Comment 

WordPress 4.9.2 Security and Maintenance Release

Jan16
by Ike on January 16, 2018 at 11:00 pm
Posted In: 4.9, Backups, CMS, PHP, Releases, security, Wordpress

WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for […]

└ Tags: , ,

The Month in WordPress: December 2017

Jan03
by Ike on January 3, 2018 at 10:00 am
Posted In: Backups, CMS, Month in WordPress, PHP, Releases, security, Wordpress

Activity slowed down in December in the WordPress community, particularly in the last two weeks. However, the month started off with a big event and work pushed forward in a number of key areas of the project. Read on to find out more about what transpired in the WordPress community as 2017 came to a […]

└ Tags:

[20171103] – Core – Information Disclosure

Nov07
by Ike on November 7, 2017 at 3:00 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.7.0 through 3.8.1
  • Exploit type: Information Disclosure
  • Reported Date: 2017-May-17
  • Fixed Date: 2017-November-07
  • CVE Number: CVE-2017-16633

Description

A logic bug in com_fields exposed read-only information about a site’s custom fields to unauthorized users.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.1

Solution

Upgrade to version 3.8.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Internal JSST audit

└ Tags:
 Comment 

[20171102] – Core – 2-factor-authentication bypass

Nov07
by Ike on November 7, 2017 at 3:00 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Medium
  • Versions: 3.2.0 through 3.8.1
  • Exploit type: 
  • Reported Date: 2017-October-31
  • Fixed Date: 2017-November-07
  • CVE Number: CVE-2017-16634

Description

A bug allowed third parties to bypass a user’s 2-factor-authentication method.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.8.1

Solution

Upgrade to version 3.8.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Yarince

└ Tags:
 Comment 

[20171101] – Core – LDAP Information Disclosure

Nov07
by Ike on November 7, 2017 at 3:00 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Medium
  • Versions: 1.5.0 through 3.8.1
  • Exploit type: Information Disclosure
  • Reported Date: 2017-October-06
  • Fixed Date: 2017-November-07
  • CVE Number: CVE-2017-14596

Description

Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.1

Solution

Upgrade to version 3.8.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

└ Tags:
 Comment 

[20170901] – Core – Information Disclosure

Sep19
by Ike on September 19, 2017 at 2:00 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.7.0 through 3.7.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-August-4
  • Fixed Date: 2017-September-19
  • CVE Number: CVE-2017-14595

Description

A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.7.5

Solution

Upgrade to version 3.8.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Michal Prochaczek

└ Tags:
 Comment 

[20170902] – Core – LDAP Information Disclosure

Sep19
by Ike on September 19, 2017 at 2:00 pm
Posted In: CMS, Joomla, security, Security Centre
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Medium
  • Versions: 1.5.0 through 3.7.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-July-27
  • Fixed Date: 2017-September-19
  • CVE Number: CVE-2017-14596

Description

Inadequate escaping in the LDAP authentication plugin can result into a disclosure of username and password.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.7.5

Solution

Upgrade to version 3.8.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

└ Tags:
 Comment 

cPanel TSR-2014-0007 Full Disclosure

Oct20
by Ike on October 20, 2014 at 4:17 am
Posted In: Community, cPanel, Hosting, News, ProdDevSec, security, TSR

Case 109049 Summary Arbitrary file overwrite in /scripts/synccpaddonswithsqlhost. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The synccpaddonswithsqlhost script performed unsafe file operations inside the home directories of unprivileged users while running with root’s permissions. By manipulating symbolic links within the .cpaddons sub-directory, a …

└ Tags: , , , , , , ,
 Comment 

Google’s POODLE affects oodles

Oct15
by Ike on October 15, 2014 at 10:45 am
Posted In: Around the Net, security

97% of SSL web servers are likely to be vulnerable to POODLE, a vulnerability that can be exploited in version 3 of the SSL protocol. POODLE, in common with BEAST, allows a man-in-the-middle attacker to extract secrets from SSL sessions by forcing the victim’s browser into making many thousands of similar requests. As a result […]

└ Tags: , , , , ,
 Comment 

53 queries. 9.75 mb Memory usage. 0.345 seconds.