Administrator
Everything posted by Administrator

  1. A few years ago we revolutionised theme editing in IP.Board with the addition of the "Visual Skin Editor". This tool quickly became a popular way of making broad color changes to new themes to match in with an existing site or existing branding. For the first time, you could instantly view the changes you were making.

     Goodbye Visual Skin Editor, hello Easy Mode Editor. We have rewritten this tool from the ground up in IPS Suite 4.0 and renamed it the Easy Mode Editor now that it's a fully integrated part of the suite and not just a license add-on. It retains all the features you love and has a much better interface, more control and fully supports gradients. Let's take a look!

     When you create a new theme, you have the option of creating an "Easy Mode" theme or a "Manual Mode" theme. As you would expect, the manual mode allows full editing of CSS and HTML. Easy mode allows you to edit the theme with an instant preview. Once the new theme has been added you can launch it from the Theme list inside the administrator's control panel by clicking the wand button. You can still edit the HTML templates and custom CSS as normal should you need to.

     The easy mode editor launches in a new browser tab or window (depending on your browser's settings). The floating palette overlay in IP.Board 3 was a little cumbersome as it took up a fair amount of room and you had to move it out of the way to view your changes. In IPS 4, we've made this a fixed sidebar which means that it doesn't have to reload when you navigate through the suite. I've cropped out most of the public display as we're not quite ready to reveal that yet!

     You can quickly colorise your new theme with the Colorize option. This chromatically changes the main colors of the suite quickly and easily.

     A limitation of the Visual Skin Editor in IP.Board 3 was that it couldn't manage gradients so themes had those gradients removed and flat color applied. We now support gradients in IPS 4.0 from the Easy Mode Editor's color editing panel.

     We previously blogged about the fantastic new theme settings feature in IPS 4.0. Some of these settings are now available for editing in the settings panel. This is a really quick and convenient way to change these settings.

     Although the new Easy Mode Editor allows you to change most of the colors within the suite, there may be times when you want to write a few lines of custom CSS to tweak the theme a little more to your liking. We've got that covered too.

     You can leave the theme as an Easy Mode theme for as long as you want. However, you may decide that you want a little more control and need to edit some of the framework CSS that underpins the suite. That's easy to do. Just choose the option to convert it to a Manual Mode theme and you are all set.

     Never before has theming been so simple! This re-invented tool allows you to quickly edit your theme without fuss and you can instantly see the changes as you make them. We can't wait to see what you do with it!

     View the full article
  2. A little history

     For many years, IP.Board functioned under a relatively normal model of managing a content's status. A topic, for example, was either unapproved or approved. If a moderator did not like the topic, that moderator could delete the topic. This worked well for many years, but improvements in technology and processes necessitated changes. As IPS software evolved we recognized the need to handle all content throughout the entire suite in a uniform manner, so old concepts like the "trash can" forum were no longer relevant when considering how you work with Gallery images or Download Manager files. Additionally, many sites today employ moderators that they do not wish to entrust with the complete ability to irrevocably delete content, yet they still need the moderator to be able to clean up a mess should it occur.

     A few years ago, we introduced the concept of "soft delete". In practice what this meant was that when a user soft deleted a topic, the topic would be removed from general view for most users, but the topic would not actually be deleted. Administrators could choose who can view soft deleted topics, and who could "un-delete" the soft deleted topic. Some time after this, the way topics were deleted changed as well (which was now referred to as "hard delete" in contrast to "soft delete"). If a topic was truly deleted, it would not actually be immediately removed from the database. Instead, a flag was set and the topic would be deleted from the database at some future point in time by a task. The idea was that you may need to restore something that was deleted by a moderator...but then, the software already supports a soft-delete concept to account for this, right? When clients proved to be confused with all of the terminology (we can't blame you!), "hard delete" was renamed back to "delete", and "soft delete" was renamed to hidden.

     Nevertheless, behind the scenes we still had all of the various statuses to account for:
     • Content is awaiting approval (unapproved)
     • Content is approved and viewable (approved)
     • Content has been hidden or soft deleted (hidden)
     • Content has been deleted but not removed from the database yet by the task (pending deletion)
     • Content has been deleted and is gone permanently (deleted)

     And how about 4.0?

     In reviewing the needs of most admins and how the process of managing the content and your moderator roles works in the real world, we decided to simplify and improve this experience. The 4.0 Suite now has just 4 of the above statuses, and they behave in a manner you would expect.
     • If you require moderator approval of new content, when something is submitted it will be in an unapproved status.
     • If you do not require moderator approval of new content, that content will be approved automatically and immediately viewable.
     • If a moderator has permission to hide content, the moderator will be able to hide any content that has been submitted. The moderator may or may not be able to see content that is hidden, and may or may not be able to restore hidden content to viewable status. (All that depends on Admin settings.)
     • If a moderator has permission to delete content, the moderator will be able to delete content that has been submitted. Upon doing so, the content is immediately and permanently deleted.

     You can configure your moderators such that they are able to hide content, delete content, or both. As with 3.x, moderators who can see hidden content will be able to review all hidden content in the Moderator Control Panel, and those with permission to restore hidden content will be able to do so from here as well. You will not have to worry about whether the content you are viewing in the Moderator Control Panel is deleted or hidden, as there is only one status now.

     This is an example of a very minor change that was made after careful consideration of how the software functions and should "flow" when being used in a real-world situation. It is often the case that the smallest changes can make the biggest impact in the eyes of the users.

     View the full article
  3. cPanel & WHM software version 11.36 will reach End of Life at the end of January 2014. In accordance with our EOL policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], 11.36 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.36 once it reaches its EOL date.

     We recommend that all customers migrate any existing installations of cPanel & WHM 11.36 to a newer version (either 11.38 or 11.40). If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

     About cPanel, Inc.

     Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

     For the PGP-signed message, see 11.36 30 day notice-signed. View the full article
  4. IPS Connect is our in-house cross-site authentication framework utilized by IP.Board in order to facilitate sharing of login credentials on one or more of your websites. While IP.Board supports Connect out of the box (meaning administrators of two or more IP.Board installations can allow users to use the same login credentials on any site in the network with just a few clicks in the ACP), the design of the system allows for third party software to tie in to the network as well. Indeed, one of the more popular addons in our Marketplace is the WordPress IPS Connect plugin. We have made several changes to IPS Connect in 4.0 that we believe will help you better manage a network of sites designed to share login credentials amongst them. These changes stemmed both from our own internal use of IPS Connect and from direct user feedback in our feedback forums.

     Fundamental Improvements

     In IP.Board 3.4, a "master" installation has no knowledge of any "slave" installations that may call to it. Any IP.Board can be set up to call to the master installation and this master installation will never remember that the slave has called to it in the future. While this is fine for basic login credential checking, the original design of IPS Connect introduces many limitations. For instance, updating your email address on any given site cannot cause the email address to be updated on all sites because there is no central installation that knows about any of the sites in the network. Similarly, logging in to one site cannot log you in to all sites because all of the sites on the network are not actually known at any one location (we do, however, work around this if all sites are on the same domain).

     Beginning with 4.0, the master installation will "register" any site that connects to it using IPS Connect. This introduces many benefits:
     • If you make a change on any individual site (master or slave), that change can now be propagated to all other sites in the network.
     • Logging in or out of any given site can log you in to all other sites (because all other sites are now "known").
     • Requests can be queued if there are problems.
     • You can create a listing of all sites in the network from the master installation.

     Further, we have thought through potential issues and have implemented a queue system whereby if requests to an individual site in the network begin failing then those requests will be queued and reattempted at a later date in the order they were originally received. If failed requests start queuing on the master installation, an ACP dashboard block will show you this and let you attempt to process them manually. If the issue causing the requests to fail has been resolved, the queue can quickly clear out in this manner (vs waiting for the task to clear them out). If the issue is still occurring, however, you will be given some additional information which will be helpful in determining why the requests are failing. Finally, if the site in question has been taken offline and future requests should not be sent to it, you are given the opportunity to unregister the "slave" installation so that the master will no longer communicate with it.

     More changes propagated

     We found while using IPS Connect internally that we wanted certain actions to propagate across all sites on the network but IPS Connect did not handle this, and we subsequently had to develop custom hooks in-house to account for the missing functionality. As a result, with 4.0 IPS Connect will now manage a few additional capabilities.

     Banning

     As of 4.0, if you permanently ban a user from the admin control panel, the ban will be copied to the rest of the sites in the IPS Connect network. Bans are only propagated to other sites if initiated via the admin control panel as a security precaution. It is probable in many cases that you do not want moderator actions on one site affecting accounts on another site, so front-end bans will not be copied to other sites.

     Deleting

     As of 4.0, deleting users from one site in an IPS Connect network will now cause the user to be deleted on all sites in the network.

     Merging

     Similarly, as of 4.0 when you merge two users on a site in an IPS Connect network, the users will be merged on all sites in the network.

     Password Changes

     As of 4.0, password changes are fully propagated to all sites in an IPS Connect network. The net effect will be no different than IP.Board 3.4 in this regard, unless you later disable IPS Connect on a site in the network - in this case, the last used password will still be valid on that site, rather than some random password potentially stored on a "slave" installation 5 years ago that the user cannot remember.

     Cross Domain Logins (and Logouts)

     Beginning with 4.0, IPS Connect will now support logging in and out across different domains. Cookie restrictions (and the fact that the master installation did not register and/or remember any of the slave installations) prevented this capability with 3.4.x, so while the login credentials could be shared across domains, signing in to one installation did not sign you in to any other installation automatically (unless they were on the same domain). Similarly if you logged out of an installation you were not automatically logged out of any other installation in 3.4.x. As of 4.0, if you sign in to an installation (whether it is the master or an individual slave application), you will be redirected to the master installation, then redirected to each slave application in turn, and finally redirected back to your original destination. This is all very seamless to the end-user and largely unnoticeable. Logging out will, similarly, redirect you to each application to log you out of that application, bypassing security restrictions applied to cookies in a multi-domain environment.

     Wrapping Up

     Just as with IP.Board 3.4, other applications can tie in to the IPS Connect network, either as a master installation or as a slave installation. IPS Connect support has otherwise been greatly improved and now offers a much wider range of functionality, a more robust built-in SSO system, and more reliability when problems do occur via the new request queuing system. It should be noted that IPS Connect with 4.0 is NOT compatible with IP.Board 3.4.x, and sites will need to "re-register" with the master so that it can know about them. That minor limitation aside, we believe you will enjoy the great improvements coming in the next release!

     View the full article
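The request queue described in the post above, worked through as an added example (this is constructed illustration code, not IPS Connect's own implementation): a master keeps a list of registered slave sites, pushes each account change to every other site, and when a site starts failing it queues that site's requests and retries them later in the order they were received, with the queue depth and last error available for a dashboard to show. The site URLs, the event shape, the action names and the `transport` callable are all assumptions.

```python
"""Constructed per-site retry queue for propagating account changes from a
master site to its registered slaves. Not IPS Connect's code; the site URLs,
event shape and the `transport` callable are assumptions."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List


class TransportError(Exception):
    """Raised by the transport when a slave site cannot be reached."""


@dataclass
class PropagationEvent:
    action: str      # assumed action names: "email_change", "ban", "delete", "merge"
    member_id: int
    payload: dict


@dataclass
class Master:
    # transport(site_url, event) -> None, raising TransportError on failure (assumed)
    transport: Callable[[str, PropagationEvent], None]
    registered: List[str] = field(default_factory=list)
    queues: Dict[str, Deque[PropagationEvent]] = field(default_factory=dict)
    last_error: Dict[str, str] = field(default_factory=dict)   # shown on the dashboard

    def register(self, site_url: str) -> None:
        """A slave that calls the master is remembered from then on."""
        if site_url not in self.registered:
            self.registered.append(site_url)
            self.queues[site_url] = deque()

    def unregister(self, site_url: str) -> None:
        """Stop talking to a site taken offline and drop its backlog."""
        self.registered.remove(site_url)
        self.queues.pop(site_url, None)
        self.last_error.pop(site_url, None)

    def propagate(self, event: PropagationEvent, origin: str = "") -> Dict[str, str]:
        """Send one event to every registered site except where it came from.
        A site with a backlog gets the event appended, not sent, to keep order."""
        results: Dict[str, str] = {}
        for site in self.registered:
            if site == origin:
                continue
            if self.queues[site]:
                self.queues[site].append(event)
                results[site] = "queued"
            else:
                results[site] = self._deliver(site, event)
        return results

    def _deliver(self, site: str, event: PropagationEvent) -> str:
        try:
            self.transport(site, event)
            return "sent"
        except TransportError as exc:
            self.queues[site].append(event)
            self.last_error[site] = str(exc)
            return "queued"

    def process_queue(self, site: str) -> int:
        """Manual retry from the dashboard (or the periodic task): drain FIFO,
        stop at the first failure so ordering holds. Returns the number sent."""
        queue, sent = self.queues[site], 0
        while queue:
            try:
                self.transport(site, queue[0])
            except TransportError as exc:
                self.last_error[site] = str(exc)
                break
            queue.popleft()
            sent += 1
        if not queue:
            self.last_error.pop(site, None)
        return sent

    def backlog(self) -> Dict[str, int]:
        """Queue depth per site with pending requests."""
        return {site: len(q) for site, q in self.queues.items() if q}


class FlakyTransport:
    """Constructed transport: one slave is unreachable until `up` is set."""
    def __init__(self, down_site: str) -> None:
        self.down_site, self.up = down_site, False
        self.received: Dict[str, List[str]] = {}

    def __call__(self, site: str, event: PropagationEvent) -> None:
        if site == self.down_site and not self.up:
            raise TransportError("connection refused")
        self.received.setdefault(site, []).append(event.action)


def run_scenario() -> dict:
    """Slave B is down while two changes are propagated, then comes back."""
    site_a, site_b = "https://a.example.test", "https://b.example.test"
    transport = FlakyTransport(down_site=site_b)
    master = Master(transport=transport)
    master.register(site_a)
    master.register(site_b)
    # email change made on A: only B needs it, B is down, so it is queued
    master.propagate(PropagationEvent("email_change", 42, {"email": "new@example.test"}), origin=site_a)
    # ACP ban on the master: delivered to A, queued behind the email change for B
    master.propagate(PropagationEvent("ban", 42, {"permanent": True}))
    backlog_before = master.backlog()
    retry_while_down = master.process_queue(site_b)
    transport.up = True
    retry_after_fix = master.process_queue(site_b)
    return {"backlog_before": backlog_before, "retry_while_down": retry_while_down,
            "retry_after_fix": retry_after_fix, "order_seen_by_b": transport.received[site_b],
            "order_seen_by_a": transport.received[site_a], "backlog_after": master.backlog()}
```

`run_scenario()` reproduces the situation the post describes: while B is down, both changes are queued for it (the second one without even being attempted, so the email change can never arrive after the ban), a manual retry while the fault persists sends nothing and records the error, and once B is reachable the backlog drains in its original order.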
  5. Back in June, we announced several updates to our proprietary Spam Service, which includes influences from existing spam mitigation services (Project Honeypot and Stop Forum Spam). Today, we are announcing the release of more options to help you fine-tune the spam service for your site. These features are being released as a part of our new Enterprise Spam Service package, which is available now.

     Weighting

     The first feature added, as a part of this new package, is “Weighting.” With this feature, you will be able to adjust how influential the Spam Service is against registrations to your site. As you can see, the slider here presents several options to help fine-tune the service for your site. The options presented are fairly straightforward. If you find your site to be a heavy target of spam, you can adjust the slider to Strict or Very Strict as a means of telling the spam service that registrations to your site should be evaluated more vigorously than normal, and treat all registrations with higher caution than normal. Conversely, if you find the spam service to be too rough on registrations to your site, you can adjust the slider to Loose or Very Loose. Doing so will tell the spam service to take a step back on registrations, and treat them with less verbosity than normal. And finally, the middle option (Normal) will simply tell the spam service to act as it does now, with no preferential influence one way or another.

     Whitelisting / Blacklisting

     Another feature added is the ability to define your own custom White and Black Lists for your site, providing even more granular control in addition to weighting. First, you can define your own custom Whitelist entries. Using this interface, you will be able to add any Email Address or IP Address to your own custom whitelist. If a member registers, and is using any IP Address or Email Address defined here, then they will automatically be flagged as Not a Spammer, and no action taken against the account by the spam service. This is useful for Administrators, Moderators, and Developers who frequently test registrations on their own sites, allowing them to do so without turning the service off.

     Further, you can also define a custom Blacklist. If you find that the spam service may not be catching a newly released spammer fast enough, and need to prevent them from accessing the site immediately, then you may add their email address or IP Address to the Blacklist. Once added, any registrations from either of those will be flagged as a spammer and will be denied registration (depending on your community settings for Code Level 4).

     Calls from multiple origins

     As mentioned in the previous entry, this service also allows administrators to use the spam service in Load Balanced and Cloud environments with ease, using the same license key.

     The Enterprise Spam Mitigation is now available for $100/6 months as an additional add-on to your license. Please feel free to contact Sales for any additional information regarding this new service.

     View the full article
  6. www.exactservers.com/chat/?_popup=1
  7. Case 84681

     Summary
     Arbitrary file read for ACL limited reseller accounts via XML-API.

     Security Rating
     cPanel has assigned a Security Level of Important to this vulnerability.

     Description
     The WHM XML and JSON APIs allowed arbitrary files to be read through the “getpkginfo” API call. By sending a crafted input to this call, resellers with the “viewglobalpackages” ACL could read the contents of files accessible only to root.

     Credits
     This issue was discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.40.1.7 & Greater
     11.40.0.31 & Greater
     11.38.2.15 & Greater
     11.36.2.12 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     For the PGP-signed message, see TSR-2013-0012-FullDisclosure. View the full article
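The advisory above does not say what the crafted input to “getpkginfo” was, only that a name parameter ended up selecting a file outside the package store. The added example below (constructed illustration, not cPanel's code; the `packages` directory layout, the key=value file format and the handler name are assumptions) shows the defensive pattern a file-reading API call needs: a strict allowlist on the name parameter plus a second, independent check that the resolved path is still directly inside the intended directory after `..` components and symlinks are resolved. The same check covers the path traversal pattern in the countedit.cgi case (Case 80633) further down this page.

```python
"""Constructed example: confine a user-supplied name to one directory before
reading the file it names. Not cPanel's code; paths and file format are assumed."""
import os
import re
import tempfile

# Allowlist: first char alphanumeric or underscore, then at most 63 of [A-Za-z0-9_.-].
# No "/" means no directory components can be supplied at all.
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


class InvalidPackageName(ValueError):
    """Raised for any name that fails either check; the caller should log and deny."""


def resolve_package_path(base_dir: str, name: str) -> str:
    """Return the real path of base_dir/name, or raise if it is not a direct child
    of base_dir. Two independent checks so a bypass of one still hits the other."""
    if not PACKAGE_NAME.fullmatch(name) or ".." in name:
        raise InvalidPackageName(name)
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))   # resolves symlinks too
    if os.path.dirname(path) != base:
        raise InvalidPackageName(name)
    return path


def read_package_info(base_dir: str, name: str) -> dict:
    """Assumed key=value package file format (not cPanel's real format)."""
    with open(resolve_package_path(base_dir, name), encoding="utf-8") as fh:
        return dict(line.rstrip("\n").split("=", 1) for line in fh if "=" in line)


def run_demo() -> dict:
    """Build a throwaway package store and try a valid name and several hostile ones."""
    with tempfile.TemporaryDirectory() as tmp:
        pkgdir = os.path.join(tmp, "packages")
        os.mkdir(pkgdir)
        with open(os.path.join(pkgdir, "gold"), "w", encoding="utf-8") as fh:
            fh.write("QUOTA=5000\nBWLIMIT=100000\n")
        # A file outside the store that the API must never return (constructed).
        secret = os.path.join(tmp, "secret")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("TOKEN=do-not-leak\n")
        # A symlink inside the store pointing outside: passes the regex, fails realpath.
        os.symlink(secret, os.path.join(pkgdir, "link"))
        results = {"ok": read_package_info(pkgdir, "gold")}
        for bad in ("../secret", "gold/../../secret", "/etc/passwd", "", "a" * 65, "link"):
            try:
                read_package_info(pkgdir, bad)
                results[bad] = "read"
            except InvalidPackageName:
                results[bad] = "rejected"
        return results
```

`run_demo()` returns the parsed contents of the legitimate `gold` package and `"rejected"` for every hostile name, including the symlink case that only the realpath check catches. The regex alone would have accepted `link`; the realpath check alone would have accepted nothing the regex rejects, but keeping both means a future relaxation of the allowlist does not silently reopen the directory.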
  8. cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels of Important. Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

     If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

     RELEASES

     The following cPanel & WHM versions address all known vulnerabilities:
     * 11.40.1.7 & Greater
     * 11.40.0.31 & Greater
     * 11.38.2.15 & Greater
     * 11.36.2.12 & Greater

     The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

     SECURITY ISSUE INFORMATION

     During a routine code audit, an issue was discovered by the cPanel Product Security team. Later the same issue was reported by an external security researcher. Due to an unfortunate set of circumstances, the external researcher disclosed information about the issue on a public website. While cPanel does not believe the vulnerability is being actively exploited, we felt it to be in our customers' best interest to publish an unscheduled security release. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issue. Additional information is scheduled for release on December 23, 2013.

     For information on cPanel & WHM Versions and the Release Process, read our documentation at: http://go.cpanel.net/versionformat

     For the PGP-signed message, see TSA-2013-0012-signed. View the full article
  9. Case 60890

     Summary
     A reseller with limited privileges is allowed to install SSL virtualhosts on arbitrary IPs.

     Security Rating
     cPanel has assigned a Security Level of Important to this vulnerability.

     Description
     A reseller account with ACL permission to install SSL certificates could install certificates and matching virtualhosts on IP addresses that belonged to accounts that did not belong to the reseller. This would allow a malicious reseller account to capture web traffic intended for other accounts on the system.

     Credits
     These issues were discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.36.2.10 & Greater

     The 11.38 and 11.40 releases of cPanel were not vulnerable to this issue due to unrelated changes in the SSL certificate management logic of cPanel & WHM.

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 63541

     Summary
     Arbitrary code execution via user supplied translatable phrases.

     Security Rating
     cPanel has assigned a Security Level of Important to this vulnerability.

     Description
     Authenticated remote cPanel, WHM, and Webmail users have the ability to call API commands appropriate for their access level. Many API commands expand input arguments looking for translatable strings and other variable substitutions. It was found that the Locale::Maketext module, as used in cPanel’s translation system, allowed callers to specify a custom failure handler via a crafted translation. A malicious authenticated user could leverage this flaw to execute arbitrary code with permissions that exceeded their normal access level.

     Credits
     This issue was discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 69517

     Summary
     World-writable Counter directory allowed arbitrary code execution.

     Security Rating
     cPanel has assigned a Security Level of Moderate to this vulnerability.

     Description
     An unnecessary directory at /usr/local/cpanel/share/Counter, installed by the wwwcount RPM provided with cPanel, retained world-writable permissions on some systems. The location of this directory inside of cPanel & WHM’s trusted paths allowed a local attacker to load arbitrary code into cPanel processes under some circumstances.

     Credits
     This issue was discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 71125

     Summary
     Arbitrary file ownership change via cPanel branding system.

     Security Rating
     cPanel has assigned a Security Level of Important to this vulnerability.

     Description
     A bug in the sprite generation code for the branding subsystem changed the ownership of files in paths under the reseller’s control to the reseller’s UID. The change in ownership was performed automatically during the nightly updates while running with the effective UID and GID of root. A malicious reseller account could leverage this flaw to take control of arbitrary files on the system.

     Credits
     These issues were discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.38.2.13 & Greater

     The 11.36 and 11.40 releases of cPanel were not vulnerable to this issue. The vulnerable functionality was introduced in cPanel & WHM’s 11.38 release and fixed due to unrelated changes in the original releases of 11.40.

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 73125

     Summary
     After multiple security token failures, session credentials were not invalidated.

     Security Rating
     cPanel has assigned a Security Level of Minor to this vulnerability.

     Description
     The security tokens used to prevent XSRF (Cross-Site Request Forgery) attacks were vulnerable to brute-force attempts due to a failure to limit the number of invalid token attempts. An attacker who could make a very large number of XSRF attempts could use this flaw in an attempt to brute force the security token.

     Credits
     This issue was discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 73193

     Summary
     Unsafe disclosure of security token during session based login.

     Security Rating
     cPanel has assigned a Security Level of Minor to this vulnerability.

     Description
     The URL used to perform logins could return a valid security token with only a valid session identifier supplied instead of a username and password. An attacker with the ability to capture a valid session identifier could use this flaw to acquire a new, valid security token that could be used to authenticate with the captured credentials. Such an attack would additionally invalidate the existing token for that session.

     Credits
     This issue was discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 74333

     Summary
     The session credentials were disclosed during reseller override logins.

     Security Rating
     cPanel has assigned a Security Level of Important to this vulnerability.

     Description
     The session cookie used by a reseller during a reseller override login to a cPanel account was disclosed to the cPanel account via the HTTP_COOKIE environment variable. A malicious local cPanel user could leverage this vulnerability to enter WHM using the reseller’s captured credentials.

     Credits
     These issues were discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     The 11.40 release of cPanel was not vulnerable to this issue. The vulnerable functionality was fixed due to unrelated changes in the original releases of 11.40.

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 78045

     Summary
     Stored XSS vulnerability in WHM Daily Process Log screen.

     Security Rating
     cPanel has assigned a Security Level of Important to this vulnerability.

     Description
     Output filtering in the WHM Daily Process Log interface did not properly sanitize the names of processes that caused high CPU load. A local attacker could create a process with a high load and a name containing malicious JavaScript intended to execute in the browser of any WHM account that viewed the daily process summary.

     Credits
     This issue was discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 78089

     Summary
     Password disclosure during forced cPAddons upgrade.

     Security Rating
     cPanel has assigned a Security Level of Important to this vulnerability.

     Description
     A root or reseller account performing an upgrade of a cPanel account’s cPAddons Site Software installations directly from WHM disclosed the REMOTE_PASSWORD environmental variable to the cPanel account under some circumstances. The variable was only disclosed when the “cgihidepass” TweakSetting was disabled on the server. By default, this TweakSetting is enabled.

     Credits
     This issue was discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 79277

     Summary
     Arbitrary file read vulnerability in WHM Edit DNS Zone interface.

     Security Rating
     cPanel has assigned a Security Level of Minor to this vulnerability.

     Description
     The WHM Edit DNS Zone interface allowed parts of arbitrary files to be read through the error message produced when an $include DNS zone directive led to an invalidly-formatted file. With a specially crafted DNS zone entry, resellers with the “edit-dns” ACL could read parts of the contents of files accessible only to root from the output of that error message.

     Credits
     This issue was discovered by Rack911.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 80113

     Summary
     cPHulk injection via crafted SSH connections.

     Security Rating
     cPanel has assigned a Security Level of Moderate to this vulnerability.

     Description
     cPHulk, a service for preventing brute-force authentication attempts, was vulnerable to a protocol injection attack via specially crafted usernames during SSH authentication. This flaw would allow a remote unauthenticated attacker to block or unblock arbitrary IP addresses and accounts from connecting to all cPHulk-managed services on the system.

     Credits
     This issue was discovered by an anonymous researcher.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

     Case 80633

     Summary
     Arbitrary file write via X3 countedit.cgi.

     Security Rating
     cPanel has assigned a Security Level of Important to this vulnerability.

     Description
     An obsolete version of the countedit.cgi script inside the cPanel X3 theme directory contained a path traversal vulnerability allowing arbitrary files to be written. This script was only executable by cPanel accounts that were configured to use a theme other than X3 or by cPanel accounts configured to use the X3 theme after a clone of the X3 theme was created by the system administrator. The obsolete copies of countedit.cgi and count.cgi inside the X3 theme directory have been removed.

     Credits
     This issue was discovered by the cPanel Security Team.

     Solution
     This issue is resolved in the following builds:
     11.40.1.3 & Greater
     11.40.0.29 & Greater
     11.38.2.13 & Greater
     11.36.2.10 & Greater

     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available.
A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 81373</p> <p>Summary</p> <p>Bandmin passwd file stored with world-readable permissions.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Minor to this vulnerability.</p> <p>Description</p> <p>The permissions of the Bandmin password file were set to 0644 by default. This allowed any user on the system to read the username and hashed password required to view Bandmin’s stored log data. The password stored in this file was encoded with DES-crypt.</p> <p>Credits</p> <p>This issue was discovered by the cPanel Security Team.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 81377</p> <p>Summary</p> <p>Multiple XSS vulnerabilities found in Bandmin.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p> <p>Description</p> <p>Multiple output filtering errors in the Bandmin bandwidth log viewer interface allowed JavaScript inputs to be returned to the browser without proper filtering. 
An attacker who could cause a user with permission to view bandwidth logs to visit a specially crafted URL could execute arbitrary JavaScript code in that user’s browser.</p> <p>Credits</p> <p>This issue was discovered by the cPanel Security Team.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 81429</p> <p>Summary</p> <p>URL filtering flaws allowed access to restricted resources.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Important to this vulnerability.</p> <p>Description</p> <p>Flaws in the path resolution of URLs supplied to cpsrvd with HTTP requests allowed the bypassing of URL based access control checks in the cPanel, WHM, and Webmail interfaces. This allowed, for example, an attacker with credentials for a Webmail virtual account to access phpMyAdmin and phpPgAdmin with the privileges of the cPanel account that owned the Webmail account.</p> <p>Credits</p> <p>This issue was discovered by the cPanel Security Team.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. 
A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 81641</p> <p>Summary</p> <p>Path traversal flaw allows arbitrary code execution for restricted cPanel accounts.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p> <p>Description</p> <p>Due to an incorrect ordering of input filters, the UI::dynamicincludelist and UI::includelist cPanel API 2 calls were vulnerable to a path traversal attack. A restricted cPanel account could leverage this flaw to read files or execute arbitrary code that other account restrictions, such as JailShell or demo mode, would normally prevent.</p> <p>Credits</p> <p>This issue was discovered by the cPanel Security Team.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 81885</p> <p>Summary</p> <p>Multiple self-XSS vulnerabilities found in cPanel.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Minor to this vulnerability.</p> <p>Description</p> <p>Output filtering errors in the Manage Redirection functionality for Addon Domains and Subdomains, as well as the GnuPG Keys interfaces allowed JavaScript inputs to be returned to the browser without proper filtering.</p> <p>cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. 
When Security Tokens protection is enabled, an attacker intending to utilize this vulnerability must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.</p> <p>Credits</p> <p>These issues were discovered by the cPanel Security Team.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 82309</p> <p>Summary</p> <p>Insecure storage of Logaholic session files was found.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Important to this vulnerability.</p> <p>Description</p> <p>Logaholic session files were stored in the world-writable /tmp directory. A local attacker with access to the cPanel Logaholic interfaces could create a session file in this directory with a crafted payload intended to execute arbitrary code as the cpanel-logaholic user as the session was loaded by the Logaholic interfaces inside cPanel. Logaholic now uses a non-world-writable directory for session data, and as a precaution, database caching.</p> <p>Credits</p> <p>This issue was discovered by Rack911.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. 
A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 82725</p> <p>Summary</p> <p>XSS vulnerability found in YUI 2.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p> <p>Description</p> <p>The uploader.swf file in YUI 2, which is included with cPanel & WHM, is vulnerable to an XSS attack due to insufficient filtering of inputs. This attack has been assigned CVE-2013-6780. All Flash files have been removed from the copy of YUI 2 shipped with cPanel & WHM, as they are unneeded. These files were accessible in the cPanel, WHM, and Webmail interfaces.</p> <p>Credits</p> <p>This issue was discovered upstream by a security researcher called @soiaxx.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 82733</p> <p>Summary</p> <p>Database grant files stored with world-readable permissions.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Important to this vulnerability.</p> <p>Description</p> <p>Changes to the functionality that stores data and cache files resulted in cPanel & WHM’s files for storing database grants becoming world-readable. This flaw allowed all accounts on the system to access the MySQL and PostgreSQL grant statements for other cPanel users on the system. 
These grant statements contained MySQL and PostgreSQL usernames and hashed passwords.</p> <p>Credits</p> <p>This issue was discovered by Rack911.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater</p> <p>The 11.36 release of cPanel was not vulnerable to this issue.</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 83501</p> <p>Summary</p> <p>Disallow g in MySQL GRANT statements during account restores.</p> <p>Security Rating</p> <p>cPanel has not assigned a Security Level to this issue.</p> <p>Description</p> <p>g has been added to the list of disallowed strings for MySQL grant restores. We would like to stress that this does not make restoration of packages from untrusted sources safe.</p> <p>Credits</p> <p>This issue was reported by Rack911.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. 
A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>Case 83929</p> <p>Summary</p> <p>A cross-account XSRF attack against reseller override logins was possible via goto_uri.</p> <p>Security Rating</p> <p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p> <p>Description</p> <p>Reseller accounts that log into the cPanel accounts they own using reseller override authentication have the ability to switch back to WHM or switch to the cPanel interfaces for other cPanel accounts they own. This functionality goes through special /xfer URLs inside cpsrvd. The /xfer URLs also permit specifying an optional destination URL on the other side of the switch between accounts and interfaces through a “goto_uri” query parameter. A malicious cPanel user could conduct XSRF attacks against a reseller logged into their account to combine an /xfer to a different account with a goto_uri destination that caused configuration changes inside the other account. This vulnerability has been addressed by limiting use of the goto_uri parameter to account and interface switches where privileges are being lowered.</p> <p>Credits</p> <p>This issue was discovered by the cPanel Security Team.</p> <p>Solution</p> <p>This issue is resolved in the following builds:</p> <p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p> <p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. 
A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p> <p>For the PGP-signed message, see <a title="TSR-2013-0011-FullDisclosure" href="http://cpanel.net/wp-content/uploads/2013/12/TSR-2013-0011-FullDisclosure.txt" target="_blank">TSR-2013-0011-FullDisclosure</a>.</p> View the full article
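The contrast that Case 81429 above turns on, as an added example that is not cPanel's code: an access decision made on the raw request string beside one made on the canonical path. The roles, URL prefixes and the "a Webmail session may not reach phpMyAdmin" policy are constructed assumptions, and the hardened check also covers double percent-encoding and NUL bytes, which the advisory does not mention.

```python
"""Access-control decision on a raw URL versus on its canonical path.

Added illustration of the flaw class in Case 81429 (URL path resolution
happening after, rather than before, URL-based access checks). The roles,
URL prefixes and the deny-list below are constructed for this example and
are not cPanel's actual routes or code.
"""
import posixpath
from urllib.parse import unquote

# Constructed policy: URL prefixes each session type may reach.
ALLOWED_PREFIXES = {
    "webmail": ("/webmail/", "/3rdparty/roundcube/"),
    "cpanel": ("/frontend/", "/3rdparty/", "/webmail/"),
}

# Constructed deny-list: resources reserved for a full cPanel session.
RESTRICTED_PREFIXES = ("/3rdparty/phpMyAdmin/", "/3rdparty/phpPgAdmin/")


def naive_is_allowed(role, raw_path):
    """Vulnerable check: looks only at the literal request string.

    '/webmail/../3rdparty/phpMyAdmin/' passes the prefix test even though
    the filesystem (or a later routing stage) resolves it to phpMyAdmin.
    """
    return raw_path.split("?", 1)[0].startswith(ALLOWED_PREFIXES[role])


def canonicalize(raw_path):
    """Reduce a request path to the single form the server will act on.

    1. Drop the query string.
    2. Percent-decode repeatedly (bounded) so double encoding such as
       %252e cannot hide a '.'; any leftover '%' is rejected.
    3. Reject NUL bytes and backslashes.
    4. Collapse '.', '..' and repeated slashes with posixpath.normpath;
       the leading '/' anchors '..' so it cannot climb above the root.
    Raises ValueError for anything that cannot be normalized safely.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "%" in path:
        raise ValueError("unresolved percent-encoding")
    if "\x00" in path or "\\" in path:
        raise ValueError("rejected path characters")
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    norm = posixpath.normpath(path)
    # Keep a trailing slash so directory prefixes still compare correctly.
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def hardened_is_allowed(role, raw_path):
    """Fixed check: canonicalize, apply the deny-list, then the allow-list."""
    try:
        path = canonicalize(raw_path)
    except ValueError:
        return False
    if role != "cpanel" and path.startswith(RESTRICTED_PREFIXES):
        return False
    return path.startswith(ALLOWED_PREFIXES[role])


if __name__ == "__main__":
    # Constructed requests as sent from a Webmail virtual-account session.
    samples = [
        "/webmail/inbox/",
        "/webmail/../3rdparty/phpMyAdmin/",
        "/webmail/%2e%2e/3rdparty/phpPgAdmin/index.php",
        "/webmail/%252e%252e/3rdparty/phpMyAdmin/",
    ]
    for req in samples:
        print(f"{req:48} naive={naive_is_allowed('webmail', req)!s:5} "
              f"hardened={hardened_is_allowed('webmail', req)}")
```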
  10. SUMMARY

cPanel, Inc. has released EasyApache 3.22.25 with PHP versions 5.3.28, 5.4.23, and 5.5.7. This release addresses PHP vulnerabilities CVE-2013-4073 and CVE-2013-6420 by fixing bugs in the OpenSSL module. We encourage all PHP users to upgrade to PHP versions 5.3.28, 5.4.23, and 5.5.7.

AFFECTED VERSIONS

All versions of PHP 5.3 before 5.3.28.
All versions of PHP 5.4 before 5.4.23.
All versions of PHP 5.5 before 5.5.7.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-4073 – MEDIUM
PHP 5.3.28: Fixed bug in the OpenSSL module related to CVE-2013-4073.

CVE-2013-6420 – MEDIUM
PHP 5.3.28: Fixed bug in the OpenSSL module related to CVE-2013-6420.
PHP 5.4.23: Fixed bug in the OpenSSL module related to CVE-2013-6420.
PHP 5.5.7: Fixed bug in the OpenSSL module related to CVE-2013-6420.

SOLUTION

cPanel, Inc. has released EasyApache 3.22.25 with updated versions of PHP 5.3, 5.4, and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4073
http://www.php.net/ChangeLog-5.php#5.3.28

For the PGP-signed message, see EA3-CVE-3-22-25-signed.

View the full article
  11. cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important. Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues.

This Targeted Security Release addresses 22 vulnerabilities in cPanel & WHM software versions 11.40, 11.38, and 11.36. Additional information is scheduled for release on December 18, 2013.

For information on cPanel & WHM Versions and the Release Process, read our documentation at: http://go.cpanel.net/versionformat

For the PGP-signed message, see TSA-2013-0011.

View the full article
  12. cPanel & WHM software version 11.36 will reach End of Life in January 2014. In accordance with our EOL policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], 11.36 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.36 once it reaches its EOL date. We recommend that all customers start planning to migrate any existing installations of cPanel & WHM 11.36 to a newer version (either 11.38 or 11.40).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

About cPanel, Inc.

Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see 11.36 60 day notice-signed.

View the full article
  13. We are releasing patches for IP.Board 3.3.x and IP.Board 3.4.x to address two cross-site scripting issues recently reported to us. IP.Board takes precaution against cross-site scripting issues by ensuring sensitive forms and buttons have a unique key in them and also by ensuring that sensitive cookie data is not readable by JavaScript. However, we feel that it is in our clients' best interest to have these issues resolved.

To apply the patch

Simply download the attached zip for your IP.Board version and upload the files to your forum server. You do not need to run any scripts or the upgrade system.

IP.Board 3.3.x: ipb33_patch_dec_13.zip (36.27KB)
IP.Board 3.4.x: ipb34_patch_dec_13.zip (53.02KB)

If you are an IPS Community in the Cloud customer running IP.Board 3.3 or above, no further action is necessary; we have already automatically patched your account. If you are using a version older than IP.Board 3.3, you should contact support to upgrade. If you have installed or upgraded to IP.Board 3.4.6 today, no further action is necessary; we have already updated the main download zips.

We extend our thanks to indistic for notifying us of the BBCode issue and Artur Czyż ( http://www.arturczyz.pl ) for notifying us of the search issue.

View the full article
  14. In order to show its appreciation for security researchers who follow responsible disclosure principles, cPanel, Inc. is offering a monetary reward program for researchers who provide assistance with identifying and correcting certain Qualifying Vulnerabilities within the scope of this program.

Software Covered by this Program

* The cPanel & WHM and EasyApache software.
* Configuration, setup, and customizations of third-party applications performed by the cPanel & WHM and EasyApache software.

Software not Covered by this Program

* Third-party applications and software (including those distributed with, used by, or integrated into cPanel & WHM or EasyApache).
* Vulnerabilities that exist in the operating system onto which cPanel & WHM is installed.
* Vulnerabilities in software produced or maintained by companies owned by or affiliated with cPanel. Vulnerabilities in this software should be reported to these companies directly and are not within the scope of this bounty program.

Responsible Disclosure of Vulnerabilities in cPanel & WHM

To be eligible for a bounty under this program, you must be the first to report a Qualifying Vulnerability within the scope of this program. You must also adhere to cPanel’s Responsible Disclosure policy. This means:

* After discovering a vulnerability in the covered software, you must submit the initial report to security@cpanel.net. Reports of vulnerabilities submitted via other channels may not be considered eligible for any bounty reward.
* cPanel’s Security Team will evaluate your report to determine whether or not it is a vulnerability in the covered software.
* cPanel’s Security Team may ask for additional clarification from the reporter, assistance in replicating the vulnerability, or assistance in determining the best course of action for mitigating the vulnerability. The reporter is expected to provide timely responses to these inquiries.
* cPanel’s Security Team will implement fixes for the vulnerability, if necessary.
* cPanel’s Security Team will distribute the fixes to customers.
* After sufficient time has passed for our customers to upgrade to fixed versions of our software, cPanel will release a detailed disclosure statement that explains the scope of the vulnerabilities that have been addressed.
* After the detailed disclosure has been released, cPanel will provide a reward to the researchers who have maintained confidentiality with cPanel throughout the process.
* cPanel will not discuss whether a vulnerability is within the scope of this program or any payout terms before the full Responsible Disclosure process has been completed.

Examples of Qualifying Vulnerabilities

Any design or implementation issue within cPanel & WHM that substantially affects the confidentiality or integrity of user data or the system is likely to be within the scope of this program. Common examples include:

* Cross-Site Scripting
* Cross-Site Request Forgery
* Privilege escalation
* Authentication or Authorization flaws
* Information disclosure flaws that allow users with limited privileges to view data they should not have access to
* SQL injection flaws that cross privilege boundaries

Examples of Non-Qualifying Vulnerabilities

Although cPanel assesses each report on a case-by-case basis, some reports simply do not qualify for reward. Common examples of reports that typically do not qualify for reward include:

* Execution of code or JavaScript supplied in themes, translations, and brandings that were installed by accounts with appropriate authorization.
* Local Denial of Service attacks. cPanel may consider vulnerabilities within this category to merit a bounty if they allow users with very limited privileges to disable services without sustained effort.
* Logout Cross-Site Request Forgery attacks.
* Flaws which require the use of out-of-date browsers, plugins, operating systems, or other client-side applications.
* Flaws which exist only in unsupported versions of cPanel & WHM.
* Vulnerabilities that are only exploitable when security controls in the software are intentionally disabled.
* Vulnerabilities that require physical access to the systems being attacked.
* Any actions performed intentionally by a user with proper authorization.
* Any vulnerabilities that require an element of social engineering to succeed.
* Aspects of the software that are not directly exploitable, but constitute potential hardening measures. While we appreciate input about methods to harden cPanel & WHM, such discussions are not within the scope of this program.
* Behaviors or vulnerabilities within third-party software shipped with or used by cPanel & WHM that has not been modified by cPanel.

Confidentiality During the Responsible Disclosure Process

cPanel strives to address vulnerabilities in a timely and responsible fashion in order to protect our customers from unnecessary risk. We expect researchers to share this goal and maintain full confidentiality of any vulnerabilities they discover until these flaws are fully remediated and responsibly disclosed. Failure to maintain confidentiality with cPanel regarding a vulnerability during the full timeframe required for cPanel to evaluate, fix, and disclose the vulnerability will be considered a breach of trust by the researcher and will result in the loss of any bounty that would otherwise be due for the discovery of the vulnerability. cPanel considers ANY public discussion of a vulnerability, even hints at the existence of such a vulnerability, to be a breach of these confidentiality requirements. Further, sharing information regarding a vulnerability with any third parties during the time required for cPanel to address the vulnerability will also be considered a breach. Failure to maintain confidentiality during the resolution of a vulnerability will result in disqualification of the specific vulnerability disclosed and may result in the reporter being barred from any future rewards under this program.

Reward Eligibility

Any tax consequences resulting from the payment of a reward are the recipient’s sole responsibility. Depending on the recipient’s country of residency and citizenship, additional restrictions (such as international and local laws) may limit the ability of a reporter to receive a reward or impose additional requirements on cPanel or the reporter. When direct payment is not possible or desired, reporters of qualifying vulnerabilities will be given the option to donate the bounty reward to a non-profit charity of their choosing from a list of eligible charities provided by cPanel.

cPanel, in its sole discretion, shall determine the eligibility of all submissions and amount of any final reward offered. Additionally, cPanel may discontinue the reward program at any time with or without notice. cPanel, Inc. staff and their family, friends, neighbors, associates, etc., are not eligible to receive any rewards under this program. In cases where multiple parties (including cPanel itself) independently discover the same vulnerability, only the first party to discover the vulnerability will be credited for the finding or awarded any bounty under this program.

cPanel likes to give public recognition to individuals and companies that assist with fixing security vulnerabilities, but understands that some vulnerability reporters do not desire public acknowledgement. If you desire to remain anonymous, meaning no public mention of you or your company, please let us know.

For the PGP-signed message, see bounty-program.

View the full article
  15. We have seen a huge increase in people switching to us over the last year or two and want to take advantage of this momentum and offer an exciting conversion promotion. But first some information... Our Pre-Packaged Converters Our conversion scripts make it very easy to convert your existing community to the IPS Community Suite. The process is very simple: just install IPS, upload the converters, and then tell the converters what software you're coming from. It will ask you a few questions and then copy over your data to our format. For many systems we even include scripts to 301 redirect your old links so internal references and search engines don't get lost! Our converters are free to use and well-tested with thousands of successful conversions. Of course converting is not an exact science and things change all the time so we are always releasing updates to make them better and faster. Need some help? But some clients really do not have the desire to take on the process of converting data themselves. In this case we do offer professional services for a fee to have us do it for you. Normally these fees range from $500 - $1000 but for the month of December we are offering a flat-rate fee of $350 to convert your community to IPS if it is on the list of one of our pre-made converters. Just contact sales@invisionpower.com to get started. Even better news: if you're converting to IPS Community in the Cloud we will convert your existing database at no cost! Contact sales@invisionpower.com for full information. Converting from something else? If your software is not listed on our pre-made converter list we can still assist in converting. Maybe you're using something that's old, niche, or even custom. We have a lot of experience converting people to our platform and would love to assist you. Contact sales@invisionpower.com with questions. What about 4.0? 
If you follow our blog entries you know we are hard at work on the next version of our software: IPS Social Suite 4.0. When version 4.0 is released, if you have an active license you will of course get access at no extra charge! Upgrading from 3.4 to 4.0 will be very easy and our staff can even do it for you if you like. vBulletin Converter Update Over the last several months we have seen a huge increase in interest from vBulletin users wanting to convert to IPS. As we are asked so often, we want to highlight some of the key reasons to switch to us. We do not make you re-buy with each new major version release. So long as your IPS license is active you get access to new versions. We do not limit your support ticket access or charge extra fees. With an active license you get private access to our support staff. Our staff will install our software on your server at no extra charge. Our staff will even install major upgrades on your server at no extra charge. We have a whole community suite: forums, blog, gallery, CMS, chat, ecommerce, support, and with the flexibility of our platform the possibilities are endless. The IPS Marketplace is a great resource for our clients to get enhancements for their community. Think Apple's AppStore but for IPS products. IPS makes community software and services. That's all we do and our focus is helping you succeed, not working against you. Ready to convert? Have Questions? You can download our free converters to give them a try. If you have questions about IPS before purchasing please email sales@invisionpower.com and we would be happy to assist. And as a reward for reading through to the end there's one more thing: use the coupon code SWITCH through the end of December for 10% off your order. View the full article
  16. 12/3/2013 Houston, TX - cPanel, Inc. is thrilled to release cPanel & WHM software version 11.40, which is now available in the STABLE tier. cPanel & WHM version 11.40 offers support for IPv6 and 1:1 NAT, an API Shell, and more.

IPv6 Support

cPanel & WHM is now IPv6-enabled with dual-stack support, allowing customers to add IPv6 or IPv4 to any account. This feature prepares our customers for future demand.

1:1 NAT Support

cPanel & WHM version 11.40 provides 1:1 NAT, giving customers the ability to support a broader range of hosting environments.

API Shell

In 11.40, cPanel & WHM includes an API Shell, enabling customers to run and troubleshoot API calls interactively through the cPanel & WHM user interfaces. This feature helps our customers better understand API calls.

Detailed information on all cPanel & WHM version 11.40 features can be found at http://docs.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net. To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.

View the full article
  17. IPS is happy to offer 15% off starting now through Monday on all new purchases for both new and existing clients! This includes all software licenses and Community in the Cloud hosting. This is a great time to add on those extra Suite applications you're missing or to go ahead and try out IPS if you have always been considering us. Just use the coupon code HOLIDAY2013 at checkout.

Conversion Promotion Coming Soon...

Are you using another community software and thinking of switching to IPS? We will be posting a great conversion promotion on Tuesday for those wanting help in converting their community data to our format. So take advantage of the 15% coupon above to order your licenses or hosting services now and then stay tuned for our conversion promotion next week!

View the full article
  18. If you have recently moved your forums or other software from a folder to the root directory, you can put this in an .htaccess file in your old folder to redirect all traffic and retain the links to the new location. In this example the old folder would be "forum" and of course edit www.mysite.com to your own URL.

# Only needed if you also use mod_rewrite rules in this file
Options +FollowSymLinks
RewriteEngine On
# mod_alias prefix redirect: /forum/anything is sent to http://www.mysite.com/anything
# with a permanent (301) status, so old links and search-engine entries carry over
Redirect 301 /forum http://www.mysite.com
  19. http://youtu.be/B4hMT3KgX20#aid=P62NbPddZIA
  20. SCOTTSDALE, Ariz. (Nov. 20, 2013) – GoDaddy, the world’s largest Web hosting provider, has revamped its Linux Web hosting lineup, with the addition of cPanel & WHM, the popular Web hosting management software. In addition, customers are also benefitting from a new Web hosting architecture that provides a fast and reliable experience and new Web hosting plans, which enable customers to find a solution that meets their specific needs.

“After studying the market and our customer needs, we went to work with cPanel and CloudLinux to create an optimized solution that provides a market-leading customer experience,” said GoDaddy Product Manager Web Hosting Ben Gabler. “GoDaddy is focused on bringing the best and most reliable services to our customers around the world.”

cPanel enables users to quickly and easily manage a number of potentially-complicated items on a Web hosting account, including managing MySQL databases, adding domain names, installing applications, tracking stats and setting up Cron jobs. For example, using automated installs powered by Installatron, customers can have a full-blown WordPress website in a matter of minutes, without coding or walking through a potentially complicated install process.

“When GoDaddy talked to us about adding cPanel to their main Linux Web hosting line, we admired their passion for helping customers and couldn’t wait to get started,” said cPanel Vice President of Operations Aaron Phillips. “The new team at GoDaddy is hyper focused on figuring out how to create the best possible customer experience, whether it’s for a Web pro or a small business owner. GoDaddy is willing to do whatever it takes to get this right, and we share their excitement to help grow the small business market.”

GoDaddy Linux Web hosting runs on CloudLinux and offers the flexibility and ease-of-use customers expect. Additionally, the Web hosting architecture has increased the usage of CPU and RAM in a low densification environment – giving users additional resources that cause pages to load faster and more consistently.

“GoDaddy’s scale for Linux Web hosting is unmatched in the industry and they have innovated based on customer needs to increase their speed and reliability,” said CloudLinux CEO Igor Seletskiy.

“GoDaddy is going global; in the coming months, we are providing hosting across 60 countries in 30 different languages,” said GoDaddy Senior Vice President and General Manager Hosting Jeff King. “cPanel is helping provide a universal experience while CloudLinux is providing a solid foundation. This isn’t the finish line … we’re just getting started.”

GoDaddy now serves more than 12 million paying customers worldwide and is the largest Web hosting and domain name registrar on the planet. GoDaddy leverages its award-winning talent and personalized approach to help small business owners create their digital identity, build websites and grow online. To learn more about GoDaddy Web hosting with Linux, visit http://www.GoDaddy.com/Hosting. To find out how GoDaddy can help grow your small business online, visit: www.GoDaddy.com. Connect with GoDaddy on Facebook & Twitter. Read why our customers recommend GoDaddy.

Contact: Nick Fuller, PR Director, 480.505.8800 x4435, PR@GoDaddy.com or Google+

View the full article
  21. If you are seeing issues with quoting, copy & paste with Win 8.1 and IE 11, here is a workaround for this on version 3.4.6.

Edit the global template in your skin. Replace the following code:

<meta http-equiv="X-UA-Compatible" content="IE=edge" />

With this code below:

<php>
$ie11fix = "edge";
// IE 11 identifies itself with "Trident/7" in the User-Agent header; for that browser
// ask for the IE 10 document mode instead of "edge". Only one of two fixed strings is
// ever written into the meta tag, so nothing from the User-Agent reaches the page.
if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'Trident/7') !== false))
	$ie11fix = "EmulateIE10";
</php><meta http-equiv="X-UA-Compatible" content="IE={$ie11fix}" />

Then save, clear your browser cache, and you should be set.