[CPANEL-25968] mod_status data suppression improvement

Comments

3 comments

  • cPanelMichael
    Hello, The reported behavior is a longstanding issue with Apache's mod_status module. We've not seen anything to indicate Apache is planning to address the issue in the near future, so our developers are researching and exploring the best way to implement a patch for cPanel & WHM servers that doesn't adversely affect existing functionality. The internal case number is CPANEL-25968. I'll monitor this case and update this thread with more information as it becomes available. Let us know if you have any questions. Thank you.
  • nickgr67
    A temporary fix until the official one comes out.
    In WHM: Home >> Service Configuration >> Apache Configuration >> Include Editor >> Post VirtualHost Include
    Replace 192.168.1.1 10.10.10.10 with your own static IPs so only you can see server status.
    The line Deny from 127.0.0.1 ::1 maybe is not necessary, but had no time to test.
    Put in editor:
        # This is used by the WHM 'Apache Status' application
        SetHandler server-status
        Order deny,allow
        Deny from all
        Deny from 127.0.0.1 ::1
        Allow from 192.168.1.1 10.10.10.10
        SecRuleEngine Off
    Now you can see server status from
  • stormthefront
    Hello, Yeah, exactly - the "exploit" in the article is not some mind boggling novelty in the way the authors are trying to present it. Either way, you have to take into consideration the fact that ea4 recompilation will result in getting back the old values. Our own temporary "patch" includes tweaking /var/cpanel/templates/apache2_4/ea4_main.default to have the changes persevere after easyapache recompilation. Thanks.
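Added example, not part of any post in this thread and not cPanel's or Apache's code: a small Python model of how Apache's 2.2-style `Order`/`Deny`/`Allow` directives are evaluated, run over the directives quoted in the temporary fix above, with and without the loopback `Deny` line. The function names are hypothetical, and the matcher assumes only `all`, full IP addresses and CIDR ranges appear in the rules.

```python
import ipaddress

# Constructed input: the directives quoted in the comment above, one per line.
SNIPPET = """\
SetHandler server-status
Order deny,allow
Deny from all
Deny from 127.0.0.1 ::1
Allow from 192.168.1.1 10.10.10.10
"""

def parse(conf):
    """Collect the Order value and the Allow/Deny 'from' specs."""
    order, allow, deny = "deny,allow", [], []  # Apache's default Order
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        key = words[0].lower() if words else ""
        if key == "order" and len(words) > 1:
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def matches(specs, client):
    """True if client matches 'all', a full IP or a CIDR in specs (assumption:
    hostnames and partial IPs, which Apache also accepts, are skipped)."""
    ip = ipaddress.ip_address(client)
    for spec in specs:
        try:
            if spec.lower() == "all" or ip in ipaddress.ip_network(spec, strict=False):
                return True
        except ValueError:
            continue
    return False

def is_allowed(conf, client):
    order, allow, deny = parse(conf)
    a, d = matches(allow, client), matches(deny, client)
    if order == "allow,deny":
        return a and not d  # default deny, a matching Deny wins
    return a or not d       # deny,allow: default allow, a matching Allow wins

WITHOUT_LOOPBACK_DENY = SNIPPET.replace("Deny from 127.0.0.1 ::1\n", "")

def report(clients=("192.168.1.1", "127.0.0.1", "::1", "203.0.113.7")):
    """Map client -> (allowed as posted, allowed without the loopback Deny)."""
    return {c: (is_allowed(SNIPPET, c), is_allowed(WITHOUT_LOOPBACK_DENY, c)) for c in clients}

if __name__ == "__main__":
    print(report())
```

Under `Order deny,allow`, `Deny from all` already matches every client, so both variants give the same decision for each address in the report.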