Likes Likes:  0
Resultaten 1 tot 4 van de 4
Geen
  1. #1
    cPanel Issues Statement on Root Exploit
    administrator
    21.456 Berichten
    Ingeschreven
    17/12/01

    Locatie
    Amsterdam

    Post Thanks / Like
    Mentioned
    70 Post(s)
    Tagged
    0 Thread(s)
    590 Berichten zijn liked


    Naam: Domenico Consoli
    Bedrijf: Webhostingtalk.nl
    Functie: Oprichter
    URL: webhostingtalk.nl
    Registrar SIDN: Ja
    KvK nummer: 51327317
    TrustCloud: domenico
    View domenicoconsoli's profile on LinkedIn

    Thread Starter

    cPanel Issues Statement on Root Exploit

    source: cPanel forums, Pingzine

    Restoring account backup packages from unknown, or untrusted, sources


    We’ve been getting some interesting and valuable feedback from the cPanel Community recently concerning the security model used by the transfer and backup restore system. We’d like to address these concerns here and provide the Community with some clarity on this topic, directly from cPanel.

    First, we want to highlight again, the risk of restoring account backup packages from untrusted or unknown sources. We need to ensure that everyone has the opportunity to be conscious of the security concerns associated with this process.

    The account backup package system (pkgacct) is designed to transfer an account between machines inside your ecosystem. This system's primary goal is to prefer replication integrity in order to simplify the process of migrating your accounts between your servers.

    • In order to achieve this goal it must copy the entire account, along with its configuration, privileges, customizations, files, and permissions that the account has been granted.
    • The system is not designed to handle untrusted data. There are a myriad of ways a malicious user can alter an account backup package to escalate privileges, or add additional privileges to an account backup package.
    • We strongly recommend that you do not restore data from untrusted sources. It is for this reason that the restore system has always been limited to the root user.


    It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice then we envisioned. In addition, our warnings against doing so have been inadequate to discourage the restoration of untrusted account backup packages.

    We understand the value that this workflow offers, and we want to offer a way to accomplish restoring account backup packages from untrusted sources in a more secure manner. The security and integrity of your system is very important to us.

    Your feedback, along with the consideration of the desired workflow, has prompted us to reevaluate our current system and develop a new goal of delivering a more robust solution.

    1. We will soon release an update that adds the warnings present in the CLI restorepkg script to the WHM UI. The warnings will be expanded to explain why account backup packages from untrusted sources should not be restored using the current system.
    2. We have launched a high priority project to develop an alternate system for handling the restoration of untrusted account backup packages. This new system will restore a limited, safer subset of the data. The primary goal of the new restore tool will be to prefer the security of the restore over replication integrity. We will endeavor to provide as much of the current restore functionality with the new untrusted account backup package restore tool as possible. During the new transfer and restore process, you will be able to clearly select which system you want to use (trusted or untrusted) to restore an account backup package.
    3. The CLI restorepkg tool will be renamed to restore_trusted_pkg. Once development of the untrusted account backup package restore system is complete, a restore_untrusted_pkg CLI tool will be added.


    For the avoidance of doubt, untrusted sources means anyone you would not already trust with root access to the server.


    Kenneth
    Development
    cPanel, Inc.

  2. #2
    cPanel Issues Statement on Root Exploit
    [--]
    854 Berichten
    Ingeschreven
    28/05/06

    Locatie
    Eindhoven

    Post Thanks / Like
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    67 Berichten zijn liked


    Naam: R
    Registrar SIDN: ja
    KvK nummer: 20125757

    It has recently been brought to our attention that the restoration of account backup packages from an untrusted or unknown source may be a more common practice then we envisioned.
    Als in: je hebt je backups 'elders' staan en die blijken compromised? en die probeer je dan weer te restoren in je eigen netwerk?
    Het lijkt me toch helder dat je je (offsite) backups ook goed beveiligd en dat cpanel zelf dus geen exploit bevat?
    onderschrift!

  3. #3
    cPanel Issues Statement on Root Exploit
    Professional
    3.115 Berichten
    Ingeschreven
    05/02/05

    Locatie
    Alkmaar

    Post Thanks / Like
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    101 Berichten zijn liked


    Naam: Thomas
    Registrar SIDN: JA
    ISPConnect: Lid
    KvK nummer: 76706966

    Nee, als in: je gaat een klant verhuizen naar je eigen servers en de backup wordt aangeleverd door de klant. De klant die je dus ook geen root toegang geeft tot je server. Gaat dus met name om de shared omgevingen en niet een verhuizing tussen dedicated servers of cloud servers aangezien je op dat moment toch al root toegang geeft.

    Maar daar is cPanel of shared hosting niet uniek in. Hetzelfde probleem kun je ook tegen komen bij virtuele/cloud omgevingen.



  4. #4
    cPanel Issues Statement on Root Exploit
    Web hosting diensten
    4.705 Berichten
    Ingeschreven
    09/02/04

    Locatie
    Rotterdam

    Post Thanks / Like
    Mentioned
    10 Post(s)
    Tagged
    0 Thread(s)
    110 Berichten zijn liked


    Bedrijf: DreamHost.nl Web hosting
    Functie: Managing Director
    URL: www.dreamhost.nl
    Registrar SIDN: JA
    KvK nummer: 24269577

    Klopt, dat is ook wat ik uit het verhaal opmaak, getUP.
    DreamHost.nl Web hosting - cPanel hosting om bij weg te dromen.

Webhostingtalk.nl

Contact

  • Rokin 113-115
  • 1012 KP, Amsterdam
  • Nederland
  • Contact
© Copyright 2001-2021 Webhostingtalk.nl.
Web Statistics