Everything posted by Administrator

  1. You may have noticed an addition to the Update Company Information page, located under the Company tab in Manage2. It now includes a Purchase WHMCS Url or email address field. This field allows you to determine the visibility and functionality of WHMCS promotion to your customers. You can take one …
  2. cPanel & WHM software version 11.40 will reach End of Life at the end of October 2014. In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.40 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.40 once it …
  3. We are releasing a patch for IP.Content 2.3.6 to address a potential security vulnerability in the search system. It has been brought to our attention that there is a potential vulnerability within the IP.Content search system and, even though the vulnerability was only a proof of concept, we felt it best to issue an update.
     To apply the patch: simply download the attached zip and upload the files to your forum server. You do not need to run any scripts or the upgrade system.
     Credit: Our thanks to security researcher Jamieson O'Reilly (au.linkedin.com/pub/jamieson-o-reilly/70/b64/13a/, dringen.blogspot.com.au) for his assistance with this issue.
     Attachment: ip_content_patch_july_2014.zip
  4. SUMMARY: cPanel, Inc. has released EasyApache 3.26.3 with PHP version 5.5.15, Libxslt version 1.1.28 and Libxml2 version 2.9.1. This release addresses PHP vulnerability CVE-2014-4670 by fixing a bug in the SPL component, CVE-2012-6139 by fixing a bug in Libxslt, and fixes bugs in Libxml2 to address the following CVEs: CVE-2012-5134, …
  5. Case 93317. Summary: Limited SQL injection vulnerability in LeechProtect. Security Rating: cPanel has assigned a Security Level of Minor to this vulnerability. Description: The LeechProtect subsystem built into cPanel & WHM systems allows a website owner to disable HTTP logins for accounts that log in from too many distinct IP …
  6. SUMMARY: cPanel, Inc. has released EasyApache 3.26.2 with Apache version 2.4.10. This release addresses Apache vulnerabilities CVE-2014-0117, CVE-2014-0226, CVE-2014-0118, and CVE-2014-0231 by fixing bugs in the mod_proxy, mod_deflate, and mod_cgid modules. We encourage all Apache 2.4 users to upgrade to Apache version 2.4.10. AFFECTED VERSIONS: All versions of Apache 2.4 …
  7. cPanel TSR-2014-0005 Announcement: cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact …
  8. http://network-nick.blogspot.com/2011/11/sbs-2008-c-drive-runs-out-of-space.html
  9. http://support.microsoft.com/kb/2000544#x_x_x_x_fixitforme MicrosoftFixit50682.zip
  10. If you see the following error or a white page when trying to charge a card that is returned as "Declined" from Stripe, this is due to the encoding of the Stripe lib files in Nexus and a conflict with x-cache:
      PHP Fatal error: Cannot access parent:: when current class scope has no parent
      To resolve this issue, replace the encoded Stripe lib files with the non-encoded versions. Contact IPS Tech Support for these files and link to this topic if needed.
      Location of files: /admin/applications_addon/ips/nexus/sources/gateways/libs/
      Source files are available here as well: https://github.com/stripe/stripe-php
  11. We are happy to announce the release of EasyApache 3.26 for cPanel & WHM. EasyApache 3.26 features a redesigned profile page that is easier to use and more informative. EasyApache’s redesigned profile page includes cPanel & WHM’s new Optimal Profiles. The new Optimal Profiles include the recommended versions of PHP …
  12. http://www.reactive.io/tips/2008/02/18/working-with-pgp-and-mac-os-x/
  13. SUMMARY: cPanel, Inc. has released EasyApache 3.24.22 with PHP 5.4.30 and 5.5.14. This release addresses multiple PHP vulnerabilities in the PHP core code and the Fileinfo, Network, and SPL modules. We encourage all PHP users to upgrade to PHP 5.4.30 and PHP 5.5.14.
      AFFECTED VERSIONS: All versions of PHP 5.4 before 5.4.30. All versions of PHP 5.5 before 5.5.14.
      SECURITY RATING: The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
        • CVE-2014-3981 – LOW. PHP 5.4.30 and PHP 5.5.14: Fixed bug in the PHP core code related to CVE-2014-3981.
        • CVE-2014-0207 – MEDIUM. PHP 5.4.30 and PHP 5.5.14: Fixed bug in the Fileinfo module related to CVE-2014-0207.
        • CVE-2014-3478 – MEDIUM. PHP 5.4.30 and PHP 5.5.14: Fixed bug in the Fileinfo module related to CVE-2014-3478.
        • CVE-2014-3479 – MEDIUM. PHP 5.4.30 and PHP 5.5.14: Fixed bug in the Fileinfo module related to CVE-2014-3479.
        • CVE-2014-3480 – MEDIUM. PHP 5.4.30 and PHP 5.5.14: Fixed bug in the Fileinfo module related to CVE-2014-3480.
        • CVE-2014-3487 – MEDIUM. PHP 5.4.30 and PHP 5.5.14: Fixed bug in the Fileinfo module related to CVE-2014-3487.
        • CVE-2014-4049 – MEDIUM. PHP 5.4.30 and PHP 5.5.14: Fixed bug in the Network module related to CVE-2014-4049.
        • CVE-2014-3515 – MEDIUM. PHP 5.4.30 and PHP 5.5.14: Fixed bug in the SPL module related to CVE-2014-3515.
      SOLUTION: cPanel, Inc. has released EasyApache 3.24.22 with an updated version of PHP 5.4 and PHP 5.5 to correct this issue. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of PHP.
      REFERENCES:
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3981
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0207
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3478
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3479
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3480
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3487
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4049
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3515
        • http://www.php.net/ChangeLog-5.php#5.4.30
        • http://www.php.net/ChangeLog-5.php#5.5.14
      For the PGP-signed message, see PHP 5-4-30 and 5-5-14 CVE signed.
  14. You may have noticed an addition to the Update Company Information page, located under the Company tab in Manage2. It now includes a Purchase CloudLinux Url or email address field. This field allows you to determine the visibility and functionality of EasyApache’s Upgrade to CloudLinux button. You can take one of the following actions:
        • Do nothing – By default, the Upgrade to CloudLinux button will be visible in EasyApache. It will open the cPanel Store in another tab.
        • Enter URL for an alternative storefront – The Upgrade to CloudLinux button will be visible in EasyApache. It will open the specified URL in another tab.
        • Enter an email address – The Upgrade to CloudLinux button will be visible in EasyApache. It will compose an email to the specified address in another window.
        • Disable – The Upgrade to CloudLinux button will not be visible in EasyApache.
      (Image: CloudLinux Options in Manage2)
      The rollout of the Upgrade to CloudLinux button is planned for MID-JULY 2014. We strongly encourage you to update the Purchase CloudLinux Url or email address field in your Manage2 account AS SOON AS POSSIBLE. To learn how you can benefit from cPanel’s integration with CloudLinux, check out What is CloudLinux? on the cPanel Blog. You can also contact your cPanel Account Manager, listed in Manage2 (requires username and password), for more information.
  15. 6/17/2014, Houston, TX - cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which is now available in the RELEASE tier.
      cPanel & WHM 11.44 offers a transfer and restore renovation, configuration clusters, a new edition of Paper Lantern, support access, and more.
      Transfer & Restore Renovation: From simple log files and reports to a continuous transfer and restore process, a series of changes to transfer and restore functionality brings widespread benefits.
      Configuration Clusters: cPanel & WHM now offers configuration clustering to streamline the process of updating multiple servers, adding a powerful boost in efficiency.
      Paper Lantern: With a more agile, consistent framework, Paper Lantern for cPanel & WHM 11.44 signifies progress towards user interface perfection and stunning, user-created themes.
      Support Access: Grant cPanel Support Access enables customers to quickly grant server access to cPanel support staff, therefore speeding up the resolution of issues with just a few mouse clicks.
      Detailed information on all cPanel & WHM 11.44 features can be found at https://documentation.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.
      To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.
  16. IPS Community Suite 4.0, the most significant update to IP.Board and the rest of our apps we've ever made, is fast approaching a state where we'll be ready for a public preview and, soon after that, public beta testing! We know most of you are just as excited as we are about this and can't wait to try it out. With 4.0, we've made some significant leaps in terms of modernization, and it's possible that you might need to do some preparation before you're ready to install it. Notably, our minimum PHP and MySQL versions have gone up. It's the first time we've needed you to do this in 6 years, and the versions we need you to have have been around for a long time; we're not requiring the latest versions. In addition, 4.0 is UTF-8 only (if you don't know what that is, it's a way text can be stored in your database which you may or may not be using at the moment), and while the 4.0 upgrade process will convert your database for you if you're not already using it, this is a moderately time-consuming process, so if you convert your database now, it's one less thing to worry about on upgrade day. To make this process as easy as possible, we have created a little script which you can upload to your server to test if you're ready. Download Now
  17. http://www.microsoft.com/en-us/download/details.aspx?id=6231
  18. I want to briefly show our new cover photo support. Cover photos allow users to upload an image to represent something in the community; we currently support them in profiles and calendar events and may roll out support to other areas later. Here's a video of it in action for a calendar event. It's really simple to use, and of course still works responsively like the rest of our default theme. We hope it adds a new element of customization for content in your community.
      Developers: For developers, supporting cover photos in your own addons is as easy as you'd expect. A helper is available which handles the nitty-gritty for you; you simply add $item->coverPhoto() to your template, override a couple of methods in your controller, and optionally build your own menu to control the user interaction (or you can let the helper output them for you, as in the video above). That's it!
      As always, screenshots are from pre-release software and are subject to change before release.
  19. 6/3/2014, Houston, TX - cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which is now available in the CURRENT tier.
      cPanel & WHM 11.44 offers a transfer and restore renovation, configuration clusters, a new edition of Paper Lantern, support access, and more.
      Transfer & Restore Renovation: From simple log files and reports to a continuous transfer and restore process, a series of changes to transfer and restore functionality brings widespread benefits.
      Configuration Clusters: cPanel & WHM now offers configuration clustering to streamline the process of updating multiple servers, adding a powerful boost in efficiency.
      Paper Lantern: With a more agile, consistent framework, Paper Lantern for cPanel & WHM 11.44 signifies progress towards user interface perfection and stunning, user-created themes.
      Support Access: Grant cPanel Support Access enables customers to quickly grant server access to cPanel support staff, therefore speeding up the resolution of issues with just a few mouse clicks.
      Detailed information on all cPanel & WHM 11.44 features can be found at https://documentation.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.
      To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.
  20. SUMMARY: cPanel, Inc. has released EasyApache 3.24.19 with PHP versions 5.5.13 and 5.4.29. This release addresses the PHP vulnerabilities CVE-2014-0237 and CVE-2014-0238 with fixes to bugs in the fileinfo extension. We encourage all PHP users to upgrade to PHP version 5.5.13 or PHP version 5.4.29.
      AFFECTED VERSIONS: All versions of PHP version 5.5 before 5.5.13. All versions of PHP version 5.4 before 5.4.29.
      SECURITY RATING: The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
        • CVE-2014-0237 – MEDIUM. PHP 5.5.13: Fixed bug in the fileinfo extension related to CVE-2014-0237. PHP 5.4.29: Fixed bug in the fileinfo extension related to CVE-2014-0237.
        • CVE-2014-0238 – MEDIUM. PHP 5.5.13: Fixed bug in the fileinfo extension related to CVE-2014-0238. PHP 5.4.29: Fixed bug in the fileinfo extension related to CVE-2014-0238.
      SOLUTION: cPanel, Inc. has released EasyApache 3.24.19 with the updated versions of PHP 5.4 and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest versions of PHP automatically. Run EasyApache to rebuild your profile with the latest version of PHP.
      REFERENCES:
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0237
        • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0238
        • http://www.php.net/ChangeLog-5.php#5.4.29
        • http://www.php.net/ChangeLog-5.php#5.5.13
      For the PGP-signed message, see EACVE3-24-19-Signed.
  21. TSR-2014-0004 Full Disclosure Case 78301 Summary Correct patch for CVE-2002-1575 in cgiemail. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description cPanel & WHM includes a copy of Bruce Lewis’ cgiemail version 1.6. This version of cgiemail was vulnerable to CVE-2002-1575, allowing remote unauthenticated attackers to send email using the cgiemail script to destination addresses of the attackers’ choosing. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 92733 Summary Session file name disclosure via SafeFile command line rewriting. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The SafeFile functionality of cPanel provides for safe file locking and opening. When attempting to obtain a lock on a file, the executable name ($0) was set to include the target file name for debugging purposes. This exposed potentially sensitive session information. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 92745 Summary Private SSH key passwords disclosed during key generation and import. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The cPanel & WHM API1 and API2 calls that imported, generated, and converted SSH keys using the ssh-keygen binary supplied the password for the private key using command line arguments. This revealed the private password to other accounts on the system while ssh-keygen was executing. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 93017 Summary Arbitrary Code Execution via WHM Thirdparty Service Calls. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. 
Description The WHM /scripts2/showservice and /scripts2/saveservice URLs took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, a malicious authenticated reseller could execute arbitrary code as root. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 93021 Summary Arbitrary code execution via Cpanel::Thirdparty::serviceinfo API call. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The Cpanel::Thirdparty::serviceinfo API1 call took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, an authenticated cPanel user could execute arbitrary code, potentially bypassing other restrictions placed on the account. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 93269 Summary Transfer CGI scripts allow downloads of a cPanel account. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The WHM ‘Copy an Account From Another Server With an Account Password’ functionality will first attempt to use XML-API calls to generate and download a backup of the remote account. Should this call fail, a fallback method using FTP and HTTP will be attempted. Under some circumstances, the CGI scripts utilized by this fallback method would remain installed on the account after the transfer was complete, potentially allowing remote attackers to download a copy of the transferred account. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.42.1.16 11.40.1.14 Case 94077 Summary Denial of service via Boxtrapper cgi-sys script. 
Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The Boxtrapper bxd.cgi script used to confirm an email for delivery did not properly validate the account parameter passed to it by the user. By injecting null values into this parameter, an unauthenticated attacker could trigger an infinite loop in the script, potentially exhausting server resources. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 95617 Summary Arbitrary database access via cpmysqladmin ADDDBPRIVS command. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The cpmysqladmin ‘ADDDBPRIVS’ command allowed cPanel users to add read and write privileges to a database. Ownership of the specified database was not properly validated during this process, allowing the user to read and write any database on the system. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.42.1.16 11.40.1.14 Case 96301 Summary Arbitrary permissions change via fixsuexeccgiscripts script. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The fixsuexeccgiscripts script run during the nightly UPCP process on cPanel & WHM systems scanned Apache’s suexec_log for indications of misconfigured CGI scripts. Scripts that generated errors were automatically set to 0755 permissions. The functionality that changed permissions on defective scripts performed insufficient validation of the targets, allowing a local attacker to set any file on the system to 0755 permissions. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 96381 Summary Arbitrary file ownership change via chownpublichtmls script. 
Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The chownpublichtmls script is intended to correct the ownership on users’ public_html directories. This script used an obsolete version of the safe_recchmod() function that was vulnerable to a race condition attack. This could allow a local attacker change the ownership of arbitrary files. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 96541 Summary Arbitrary code execution as root via WHM “Check and Repair a Perl Script”. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The Check and Repair Perl Script functionality of WHM was vulnerable to a Time-of-check/Time-of-use attack. The UID this functionality would execute under was determined by a simple stat of the target file, followed by the execution of the script using “perl -c”. A local attacker could leverage this flaw to execute arbitrary code as root when this interface was used on a script under the attacker’s control. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 96697 Summary Arbitrary permissions change via multiple scripts. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description Obsolete versions of several functions provided by the Cpanel::SafetyBits module were duplicated inside the safetybits.pl script and used in several command line scripts provided with cPanel & WHM. The obsolete versions of these functions allowed a local attacker to change the permissions on arbitrary files under some circumstances. Credits This issue was discovered by Rack911. 
Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 97289 Summary Bypass of local zone ownership restrictions via DNS clustering commands. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The DNS clustering commands allow for DNS zones to be synced across a cluster. When a zone is owned by a local user, these commands restrict modification of the zone to the reseller account that owns the zone and reseller accounts with the “All” ACL. This functionality was subject to several flaws that allowed an authenticated attacker with the “Clustering” ACL to modify zones belonging to other resellers on the system. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 97293 Summary Miscategorization of DNS Clustering ACL. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The “Clustering” ACL in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the “Standard Privileges” grouping. This ACL should be listed under the “Super Privileges” grouping since the ACL is intended for sensitive DNS clustering configuration and synchronization operations that bypass many restrictions on DNS zone modifications. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 97737 Summary Arbitrary YAML file read via Configure Customer Contact. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The WHM Configure Customer Contact interface allows a reseller to set contact information visible by their users. The YAML file containing this information is inside the reseller’s home directory and was read with the effective UID of root. 
By manipulating this file, an authenticated reseller could read the contents of arbitrary YAML files on the system. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 97841 Summary Mailman list password disclosed to local users during password change. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description Mailman’s change_pw script takes the password as a command line argument. When changing a mailing list’s password, the new password was leaked to other users logged into the system via command line arguments. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 98121 Summary Miscategorization of Locales ACL. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The “local-edit” ACL listed in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the “Global Privileges” grouping. This ACL should be listed under the “Super Privileges” grouping since the ACL allows the reseller to control the display of translations, including embedded HTML, in all cPanel & WHM interfaces. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Multiple Cases (35) Summary Multiple XSS vulnerabilities in various interfaces. Description Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below. 
Case: 90761 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/x3/ftp/accounts.html, /frontend/paper_lantern/ftp/accounts.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: Mateusz Goik Case: 93117 Security Rating: Moderate XSS Type: Reflected Interface: cPanel URLs: /cgi-sys/guestbook.cgi Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 93141 Security Rating: Moderate XSS Type: Reflected Interface: Entropy Chat URLs: / Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 93641 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/paper_lantern/mail/auto_responder.tt, /frontend/x3/mail/auto_responder.tt Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 93965 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/x3/filemanager/index.html, /frontend/paper_lantern/filemanager/index.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 93985 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/addoncgi/cpaddons.html, /frontend/paper_lantern/addoncgi/cpaddons.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 94081 Security Rating: Moderate XSS Type: Stored Interface: WHM URLs: /scripts4/listaccts Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: Rack911 Case: 94741 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/mail/spam/addspamfilter.html, /frontend/paper_lantern/mail/spam/addspamfilter.html Affected Releases: 11.43.0, 11.42.1 Reporter: cPanel Security Team Case: 94745 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/paper_lantern/mail/filters/delfilter.html, /frontend/x3/mail/filters/delfilter.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 94773 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: 
/frontend/x3/addon/index.html, /frontend/x3/denyip/index.html, /frontend/x3/ftp/accounts.html, /frontend/x3/mail/archive.html, /frontend/x3/mail/autores.html, /frontend/x3/mail/boxtrapper.html, /frontend/x3/mail/filters/managefilters.html, /frontend/x3/mail/fwds.html, /frontend/x3/mail/lists.html, /frontend/x3/park/index.html, /frontend/x3/psql/index.html, /frontend/x3/sql/index.html, /frontend/x3/subdomain/index.html, /frontend/paper_lantern/addon/index.html, /frontend/paper_lantern/denyip/index.html, /frontend/paper_lantern/ftp/accounts.html, /frontend/paper_lantern/mail/archive.html, /frontend/paper_lantern/mail/autores.html, /frontend/paper_lantern/mail/boxtrapper.html, /frontend/paper_lantern/mail/filters/managefilters.html, /frontend/paper_lantern/mail/fwds.html, /frontend/paper_lantern/mail/lists.html, /frontend/paper_lantern/park/index.html, /frontend/paper_lantern/psql/index.html, /frontend/paper_lantern/sql/index.html, /frontend/paper_lantern/subdomain/index.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 94793
Security Rating: Minor; XSS Type: Self; Interface: cPanel
URLs: /frontend/x3/mail/conf.html, /frontend/paper_lantern/mail/conf.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 94825
Security Rating: Minor; XSS Type: Self; Interface: cPanel
URLs: /frontend/x3/mail/dodelpop.html, /frontend/paper_lantern/mail/dodelpop.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 94929
Security Rating: Minor; XSS Type: Self; Interface: cPanel
URLs: /frontend/paper_lantern/mime/addredirect.html
Affected Releases: 11.43.0, 11.42.1; Reporter: cPanel Security Team

Case: 94937
Security Rating: Minor; XSS Type: Self; Interface: cPanel
URLs: /frontend/paper_lantern/sql/wizard4.html, /frontend/x3/sql/wizard4.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 95577
Security Rating: Minor; XSS Type: Self; Interface: cPanel
URLs: /frontend/x3/denyip/delconfirm.html, /frontend/paper_lantern/denyip/delconfirm.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 95805
Security Rating: Minor; XSS Type: Self; Interface: cPanel
URLs: /frontend/paper_lantern/ftp/dologoutftpconfirm.html, /frontend/x3/ftp/dologoutftpconfirm.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96017
Security Rating: Minor; XSS Type: Self; Interface: cPanel
URLs: /frontend/paper_lantern/mime/delredirect.html, /frontend/x3/mime/delredirect.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96021
Security Rating: Moderate; XSS Type: Stored; Interface: cPanel
URLs: /frontend/x3/clamavconnector/scanner.html, /frontend/x3/clamavconnector/live_disinfect.html, /frontend/x3/clamavconnector/disinfect.html, /frontend/paper_lantern/clamavconnector/scanner.html, /frontend/paper_lantern/clamavconnector/live_disinfect.html, /frontend/paper_lantern/clamavconnector/disinfect.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96201
Security Rating: Minor; XSS Type: Self; Interface: WHM
URLs: /scripts/doresetresellers
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96209
Security Rating: Minor; XSS Type: Self; Interface: WHM
URLs: /scripts/domultikill
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96245
Security Rating: Minor; XSS Type: Self-stored; Interface: WHM
URLs: /cgi/statmanager.cgi
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: Rack911

Case: 96385
Security Rating: Important; XSS Type: Stored; Interface: cPanel
URLs: /frontend/x3/ftp/session.html, /frontend/paper_lantern/ftp/session.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: Rack911

Case: 96485
Security Rating: Moderate; XSS Type: Stored; Interface: WHM
URLs: /scripts5/showacctcopylog
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: Rack911

Case: 96505
Security Rating: Important; XSS Type: Stored; Interface: WHM
URLs: /scripts/rescart
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96509
Security Rating: Moderate; XSS Type: Stored; Interface: WHM
URLs: /scripts/repairmysql
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96521
Security Rating: Minor; XSS Type: Self; Interface: WHM
URLs: /scripts/doresmailman
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96525
Security Rating: Moderate; XSS Type: Stored; Interface: WHM
URLs: /scripts2/convertmaildir
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96545
Security Rating: Minor; XSS Type: Self; Interface: WHM
URLs: /scripts2/doeditzonetemplate
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 96637
Security Rating: Moderate; XSS Type: Stored; Interface: WHM
URLs: /cgi/trustclustermaster.cgi
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: Rack911

Case: 96801
Security Rating: Important; XSS Type: Stored; Interface: WHM
URLs: /scripts/doconfiguremailserver
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 99213
Security Rating: Minor; XSS Type: Stored; Interface: WHM
URLs: /scripts5/setupremotemysqlhost
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 99309
Security Rating: Moderate; XSS Type: Stored; Interface: WHM
URLs: /scripts2/editzonetemplate
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 99365
Security Rating: Minor; XSS Type: Self-stored; Interface: WHM
URLs: /scripts5/copy_account_input
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 99377
Security Rating: Minor; XSS Type: Self-stored; Interface: WHM
URLs: /scripts5/remotemysqlhost
Affected Releases: 11.42.1, 11.40.1; Reporter: cPanel Security Team

Case: 99957
Security Rating: Minor; XSS Type: Self; Interface: cPanel
URLs: /frontend/x3/cgi/modify.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1; Reporter: cPanel Security Team

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

Credits
These issues were discovered by the respective reporters listed above.

Solution
These issues are resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-FullDisclosure.txt
View the full article
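The advisory above says why Security Tokens reduce the self-XSS cases to "the victim must type the payload in themselves", but not what such a check looks like. The block below is an added illustration written for this page of a per-session token carried in the URL and validated against the server-side session; it is not cPanel's code. The path layout /cpsess<token>/..., the 20-hex-digit token length and the names TokenGuard, Session and Request are assumptions made for the demonstration, and the requests in demo() are constructed.

```python
"""Added example: per-session security token check (illustrative, not cPanel's code).

Every authenticated session gets a fresh random token that must appear in the
request path.  A cross-site link can make the victim's browser send the session
cookie, but the attacker does not know the token, so the request is refused
before any interface handler runs.  Path layout and token length are assumed.
"""
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed path layout: the session token is the first path segment.
TOKEN_PATH = re.compile(r"^/cpsess([0-9a-f]{20})(/.*)$")


@dataclass
class Session:
    user: str
    # Fresh random token per login; unknown to anyone but this session's browser.
    token: str = field(default_factory=lambda: secrets.token_hex(10))


@dataclass
class Request:
    path: str                      # e.g. /cpsess<token>/frontend/x3/mail/conf.html
    session_cookie: Optional[str]  # session id the browser attaches automatically


def split_token(path: str) -> Tuple[Optional[str], str]:
    """Return (token, interface_path); token is None when the path carries none."""
    m = TOKEN_PATH.match(path)
    if not m:
        return None, path
    return m.group(1), m.group(2)


class TokenGuard:
    """Refuses any request whose path token does not match the session's token."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}   # session id -> Session

    def login(self, user: str) -> Tuple[str, Session]:
        sid = secrets.token_hex(16)
        sess = Session(user)
        self.sessions[sid] = sess
        return sid, sess

    def check(self, req: Request) -> Tuple[int, str]:
        sess = self.sessions.get(req.session_cookie or "")
        if sess is None:
            return 401, "no authenticated session"
        token, rest = split_token(req.path)
        if token is None:
            return 403, "security token missing from URL"
        # Constant-time comparison so the token cannot be recovered byte by byte.
        if not hmac.compare_digest(token, sess.token):
            return 403, "security token does not match session"
        return 200, rest


def demo() -> Dict[str, int]:
    """Constructed requests against one logged-in victim session."""
    guard = TokenGuard()
    sid, sess = guard.login("victim")
    target = "/frontend/x3/mail/conf.html"          # one of the interfaces listed above
    cases = {
        # The victim's own browser following a link the interface itself generated.
        "legitimate": Request(f"/cpsess{sess.token}{target}", sid),
        # Cross-site link: the cookie rides along, but the attacker has no token.
        "forged_no_token": Request(target, sid),
        # Attacker guesses a token; it does not match the victim's session.
        "forged_wrong_token": Request(f"/cpsess{secrets.token_hex(10)}{target}", sid),
        # A captured token replayed without the victim's session cookie.
        "token_without_cookie": Request(f"/cpsess{sess.token}{target}", None),
    }
    return {name: guard.check(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:>22}: {status}")
```

The point the advisory makes follows from the second case: a link the attacker hands to the victim has no valid token, so a self-XSS payload can only reach the page if the victim opens the interface themselves and pastes it in. A token that lives in the URL also shows up in access logs and Referer headers, so in a design like this it must be bound to the session and die with it rather than being a long-lived secret.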
  22. https://www.thirdtier.net/2010/01/recovering-hidden-disk-space-used-on-sbs-2008-c-partitions/
  23. TSR-2014-0004

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important.

Information on cPanel's security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.43.0.12 & Greater
* 11.42.1.16 & Greater
* 11.40.1.14 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 52 vulnerabilities in cPanel & WHM software versions 11.44, 11.42, and 11.40.

Additional information is scheduled for release on May 26th, 2014.

For information on cPanel & WHM Versions and the Release Process, read our documentation at: http://go.cpanel.net/versionformat

For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-Accouncement.txt
View the full article
  24. We've previously shown how responsiveness works in the AdminCP, but I'd like to briefly introduce responsiveness on the front end, and pick a few views to show you as examples (this will be a screenshot-heavy entry!).

What is responsiveness?
Before we get to that, allow me to recap what responsiveness is. Responsive design is a method by which you design one page in such a way that it adapts to the available screen space on the device the user is using. This means that one theme handles both the full desktop view and the condensed mobile view with some clever CSS, in contrast to 3.x, where we had a separate mobile skin. When we took the decision to use responsive design for IPS4, one key aim was to ensure that the mobile view isn't feature-reduced. We want all functionality and all areas of the suite to be available regardless of device, and with only a couple of exceptions we're on track to deliver this.

Primary navigation
In mobile view, the primary navigation collapses and moves to a menu accessible with the icon in the top-right. The breadcrumb becomes a 'Back' control, taking you up a level from the current page. The primary navigation, when opened, looks like this:

Moderation
Given that the responsive theme supports all functionality, this naturally includes moderation. IPS4 supports full moderation capabilities regardless of the device you're using. Here's an example of moderating images in Gallery. Notice the menu to quickly select types of content to moderate, as well as the floating toolbar at the bottom of the screen to choose actions.

Settings page
Taking the settings area as an example, here's the same screen at the three supported breakpoints: desktop, tablet and mobile.

Profile view
Here's profile view (which we covered in more detail here) as seen on a phone.

Calendar
Calendar views on mobile.

Gallery
Viewing albums & images in a category.

Blog
The blog homepage, and viewing a blog.

Forums
Submitting a topic on mobile.

Conclusion
So that wraps up this round-up of responsive views. Naturally, there are many more views than this in the suite and we can't show screenshots of every single one, but hopefully this entry has given you a taste of a variety of views, and a better idea of how we're approaching mobile users in IPS4. As always, screenshots are from pre-release software and are subject to change before release.

View the full article
  25. Profiles are one of the key sections of a community, as everyone knows. They are what represent your users; where their information is shown and their content is gathered. When users contribute quality content to your community, their profile is where other users go to find it in one place. In short, it's an important area. In IPS4, profiles have had a complete makeover. There's a lot to cover, so I'll start with a numbered screenshot, and address each section individually (please note this is a large image; if you're on mobile, you may wish to wait to view it full-size).

1 - Header images
In 3.x, users could customize their profiles by uploading a background image. In practice, this didn't work well when the software was integrated into an existing website design, and the options presented often ended up with a garish profile. In addition, social networks like Facebook and Twitter have adjusted user expectations on how profiles are customized. In IPS4, instead of page backgrounds, users get to customize their profile header image. This provides the best of both worlds: ample space to choose something creative, but it's contained and won't mess up a website design.

2 - Reputation
The user's current reputation count is shown prominently in the info column, letting other users know if this member is an asset to the community.

3 - Warnings
For moderators/staff, the profile now provides quick access to warning tools. By expanding the panel, they can see a brief history of recent warnings, and clicking one of these pops up the warning details. New warnings can also be issued inline, of course.

4 - Followers
Followers replace friends in IPS4, and the user's followers are shown in this block. Instead of requiring mutual acknowledgement as with the traditional friends system (an approach that isn't entirely useful in a community of anonymous users), in IPS4 you follow users whom you find interesting in order to be updated when they contribute to the community. Users can of course prevent others from following them, if that is a concern to them. We'll have more details on how followers work in a later entry.

5 - About the user
Traditional information about the user is shown in the next block, including custom profile fields.

6 - Recent visitors
Recent visitors to this user's profile are shown next. As with 3.x, this can be toggled on and off by the profile owner. In 4.x, this is done by clicking the X in the corner of the block.

7 - Follow/Message member
These primary buttons enable others to follow the user (if enabled), and send a new message inline, without leaving the page.

8 - User's content
In 3.x, browsing a user's content was handled by the search area of the community (though links were available in the user's profile and hovercard). We felt this wasn't the best place for it, though. After all, a user's content should be available in their profile. That's what this button does. It switches the profile view to 'content browsing' mode, where you can see everything the user has done. It's smooth and buttery, and because it all loads dynamically, it feels like a true part of the profile. Here's a video of it in action (14MB).

9 - Long-form custom profile fields
IPS4 supports various kinds of custom profile fields, including rich-text editors for long, styled content. Those custom profile fields will be shown in the main section of the profile, where they get the space they need to be effective. About Me is a default field, but you can of course add your own too for your users to fill in.

10 - User's 'Nodes'
A node is a fancy developer term for content containers that a user creates themselves, like gallery albums and blogs (as opposed to forum categories, which are created by the admin). In IPS4, a user's 'nodes' are shown right on their profile page, making it easy to find more interesting content from the user. In this screenshot, you can see my profile is showing my albums, my blogs, and other blogs to which I contribute. For developers, supporting your application in this section is easy too.

11 - Status feed
The status feed from 3.x is of course still present, and the interaction is all inline without leaving the page.

Conclusion
That's profiles in 4.0. We hope the new focus on content and streamlined design provides a better experience for your users! As always, screenshots are from pre-release software and are subject to change before release.

View the full article