
How can I alert the development team to a very, very serious security flaw, where it is possible to execute arbitrary commands with root user permission?!

I tried to contact support, and they simply disregarded my message saying that I don't have a support "contract".
My server was compromised, and I have the URL to replay the attack.

Regards,

Netino

  • Author

Correction:

I had all of my 5 servers, geographically in different locations (wow!), compromised, with a proof of concept.

Nothing anymore.

A PHP file was saved with root permissions. But if one file was saved, any file would be saved with root permissions.

And executed...!!!

(Is this a large-scale attack?!)

But my servers weren't really attacked, because I discovered the problem the day after.

I'm an experienced admin (first server in 1996), and could stop the attack before the attacker came back.

But I'm afraid many people don't know this until now.

I have one solution: protect your cwpsrv server, either by IP restriction or with an nginx (cwpsrv) password.

The reason cannot be revealed until the CWP team acknowledges the problem.

Create a file /usr/local/cwpsrv/conf/include/security.conf with the following content:

    #...
    satisfy any;

    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny  all;

    auth_basic           "Administrator’s Area";
    auth_basic_user_file conf/ht_passwd;

Choose your IP addresses, and/or define additional authentication on cwpsrv. (You will be authenticated 2 times.)

Create the file /usr/local/cwpsrv/conf/ht_passwd with your passwords (-c creates the file; replace <username> with the login name you want):

    # /usr/local/apache/bin/htpasswd -c /usr/local/cwpsrv/conf/ht_passwd <username>

...and restart cwp on the panel, or with the command:

    # /scripts/restart_cwpsrv

Edited by Netino
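To see what the configuration above actually lets through, here is an added example (my own, not from the post or from CWP) that parses the allow/deny/satisfy directives from a copy of the snippet and evaluates them for a few constructed client addresses, following nginx's first-match rule for allow/deny and its `satisfy` semantics.

```python
import ipaddress

# Constructed copy of the cwpsrv security.conf snippet from the post.
SECURITY_CONF = """
satisfy any;
allow 192.168.1.1/24;
allow 127.0.0.1;
deny  all;
auth_basic           "Administrator's Area";
auth_basic_user_file conf/ht_passwd;
"""


def parse_access_rules(conf):
    """Return (satisfy_mode, [(action, network_or_None)]) from the directives.

    Networks are built with strict=False because nginx accepts
    192.168.1.1/24 (host bits set) and treats it as 192.168.1.0/24.
    """
    satisfy = "all"  # nginx default when no 'satisfy' directive is given
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "satisfy":
            satisfy = parts[1]
        elif parts[0] in ("allow", "deny"):
            net = None if parts[1] == "all" else ipaddress.ip_network(parts[1], strict=False)
            rules.append((parts[0], net))
    return satisfy, rules


def ip_allowed(client_ip, rules):
    """First matching allow/deny wins, like nginx; no match means allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action == "allow"
    return True


def access_granted(client_ip, has_valid_password, conf=SECURITY_CONF):
    """Combine the IP check and basic auth the way 'satisfy' dictates:
    'any' lets an allowed IP skip the password, 'all' requires both."""
    satisfy, rules = parse_access_rules(conf)
    ip_ok = ip_allowed(client_ip, rules)
    if satisfy == "any":
        return ip_ok or has_valid_password
    return ip_ok and has_valid_password
```

With `satisfy any`, a client outside the allowed ranges is still let in when it presents a valid ht_passwd login; switch to `satisfy all` if you want both the IP restriction and the password to be required.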

  • Author

Yes, completely updated.

The file was saved within the cwpsrv area, with root user/group ownership.

I spent ten days trying configurations with OWASP/Comodo modsecurity, and then I decided to directly test a URL used in the attack, and unbelievably, it works to execute a "ls -alF" command on the server.
The only solution I found was to restrict access to the CWP admin panel by IP or authentication.

  • Author

Ok, thanks.

I posted the problem there, but could not show the results of my screen to them, because the system seems to block the message.

But I could post the attack URL.

Thanks!

Edited by Netino
