Administrator

Everything posted by Administrator

  1. cPanel & WHM software version 11.36 will reach End of Life in January 2014. In accordance with our EOL policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], 11.36 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.36 once it reaches its EOL date.

     We recommend that all customers start planning to migrate any existing installations of cPanel & WHM version 11.36 to a newer version (either 11.38 or 11.40). If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

     About cPanel, Inc.
     Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

     For the PGP-signed message, see 11.36 90 day-signed.
  2. Replace this file with the attached patched file: /admin/applications/core/modules_admin/tools/licensekey.php (attachment: licensekey.php)
  3. 11/5/2013 Houston, TX - cPanel, Inc. is thrilled to release cPanel & WHM software version 11.40, which is now available in the RELEASE tier. cPanel & WHM version 11.40 offers support for IPv6 and 1:1 NAT, an API Shell, and more.

     IPv6 Support
     cPanel & WHM is now IPv6-enabled with dual-stack support, allowing customers to add IPv6 or IPv4 to any account. This feature prepares our customers for future demand.

     1:1 NAT Support
     cPanel & WHM version 11.40 provides 1:1 NAT, giving customers the ability to support a broader range of hosting environments.

     API Shell
     In 11.40, cPanel & WHM includes an API Shell, enabling customers to run and troubleshoot API calls interactively through the cPanel & WHM user interfaces. This feature helps our customers better understand API calls.

     Detailed information on all cPanel & WHM version 11.40 features can be found at http://docs.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net. To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.
  4. This notification announces the End of Life for cPanel & WHM version 11.34.

     The 12-month lifetime of cPanel & WHM version 11.34 ends now. The last release of cPanel & WHM 11.34, being 11.34.2.8, will remain on our mirrors indefinitely. You may continue using this last release, but we will not release any further updates for version 11.34 going forward. Older releases of cPanel & WHM 11.34 will be removed from our mirrors.

     cPanel strongly recommends that you migrate any existing installations of cPanel & WHM version 11.34 to a newer version (either 11.38 or 11.40).

     If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

     For detailed information regarding Long Term Support, visit: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport.

     About cPanel, Inc.
     Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

     For the PGP signed message, see 2013-11.34-EOL-Final-signed: http://cpanel.net/wp-content/uploads/2013/11/2013-11.34-EOL-Final-signed.txt
  5. http://www.jibjab.com/view/PgyVp8nKQOuaAmhcXRnAnQ?utm_campaign=URL+Copy&utm_content=super_freak&utm_medium=Share&utm_source=JibJab&cmpid=jj_url
  6. In IP.Board 3.x, we have a setting group where you can specify some global advertisement HTML. You can enable and disable advertisements, and you can specify code to insert into the header and footer of the page. For the forum index, forum listings and topic view pages, you can override these header and footer ad codes, and you can specify advertisement code to insert into a couple of other areas specific to those pages. If you install IP.Nexus, this setting group redirects you to the IP.Nexus advertisement control panel where you can effectively do the same thing, but with a few more options (including click and impression tracking, advertisement image uploading, automatic cutoffs for advertisements, and more).

     We felt that the entire system and process was too basic when IP.Nexus was not installed, and too disorienting once you do install IP.Nexus. This setting group suddenly redirects you to another application and configuring the advertisements is an entirely different experience prior to installing this application. Subsequently, we have done the only logical thing and consolidated the two systems and improved the functionality.

     (Please be aware that, as with all early screenshots of the 4.0 Social Suite, the interface displayed in the following screenshots is very much subject to change before release.)

     Advertisement Configuration
     First and foremost, we have consolidated the functionality provided by IP.Board and IP.Nexus in previous software releases into one control panel. Now, whether you install IP.Nexus or not, you can have powerful advertisement management at your fingertips. Installing IP.Nexus still provides additional enhanced functionality, such as the ability to sell advertisements to your members. You can now have both HTML and image-based advertisements available, and you can create multiple advertisements for the same "location" (more on this in a minute).

     There is a setting available to tell the software how to pick which advertisement to show if more than one is configured for a single area (options include picking one at random, showing the newest advertisement, showing the oldest advertisement, and showing the advertisement with the least number of impressions). You can configure start and end dates for advertisements, set them to cut off after a certain number of impressions (or clicks, in the case of image advertisements), and you can filter by status (and toggle the status from this page). If IP.Nexus is installed, an additional status of "pending" is present and supported for advertisements that have been purchased but not yet approved. Naturally once you reach any cut offs specified or the end date has passed, the advertisement will no longer be rotated. As you can see in the screenshot, javascript is removed from the preview for security reasons. If you have a caching engine enabled, advertisement data will be cached to improve performance.

     Some new functionality
     If you are already familiar with the feature set of the current release of IP.Nexus, the advertisement functionality you already know and love will be carried over to the 4.0 Suite. You can still specify which groups are exempt from seeing advertisements, for example, to help you upsell subscription packages to users on your site. In addition to the current functionality, however, we've made some great improvements.

     Ability to specify SSL advertisement code
     Google Ads does not have an SSL version of its advertisement code, and including their advertisements on secure pages can lead to browser warnings for your visitors. This is especially troublesome when you only use SSL for logins or for your store (IP.Nexus), as it gives an impression that the page is not secure. Now, you can specify an alternative secure page advertisement code if you wish, or choose not to show a specific advertisement on secure pages at all.

     Ability to specify multiple images
     When uploading an image advertisement, you now have the option to also upload a small and/or medium version of the advertisement image. The small and medium versions, if present, will be used on the responsive layout on the alternate views for mobile devices and tablets. If not provided, the software will simply use the next best size available. We have NOT included the ability to specify alternate HTML for the different resolutions. In our research, most advertisement partners either (1) already handle responsiveness with their own javascript code or (2) provide alternative instructions for responsive ads. If you use a CDN such as Amazon S3 for your file storage in the 4.0 Suite, your advertisement images will be served from the CDN.

     Extendable application support
     As of 4.0, any and all applications that wish to support advertisements can do so via the extension system built into the software. All an application will need to do is provide an extension for the advertisement system, and then call the advertisement location in the template where they feel the advertisement should display. You can even add custom settings (so for example, the forum application can allow you to configure which forums an advertisement will be displayed in...). Skinners can move the advertisements around however they like in their skin templates simply by moving the appropriate custom tag.

     Custom locations
     You can now define entirely custom locations for advertisements easily in the advertisement configuration page. Once you have defined a custom location for the advertisement, defining where to show that advertisement in your themes is as simple as inserting a tag where you want the advertisement to be displayed.

     Closing
     We hope these small changes will help you better manage your advertisements and provide you with the options you need to capitalize upon your community. If you have no use for advertisements, you can completely ignore this area of the software and no resources will be used by it, but if you do utilize advertisements on your community, the new tools should make it much easier to manage your site.
  7. Invision Power Services, Inc. is pleased to announce the release of the following applications:
       * IP.Board 3.4.6
       * IP.Nexus 1.5.9

     IP.Board 3.4.6
     IP.Board is a fully featured community platform including forums, members profiles, calendar, status system, integration, and much, much more. The release of IP.Board 3.4.6 is a maintenance release and includes bug fixes.

     IP.Nexus 1.5.9
     IP.Nexus is our fully featured commerce system to sell products, membership access, advertising, digital downloads, and more. Includes tools like a support desk to help manage your clients. The release of IP.Nexus 1.5.9 is a maintenance release and includes bug fixes.

     How to Upgrade
     To upgrade simply log into your client area, click on "Purchases" from the menu and select the community you wish to upgrade and click "Upgrade Now". You can read more about upgrading in our documentation.
  8. Case 69513
     Summary: World writable Logaholic directories allowed arbitrary code execution in varied contexts.
     Security Rating: cPanel has assigned a Security Level of Important to this vulnerability.
     Description: Multiple directories within /usr/local/cpanel/base/3rdparty/Logaholic were set world writable by default with permissions of 777. These directories contained, among other items, the global configuration files for the Logaholic log processing system. A local attacker could overwrite the global config file to bypass account restrictions, such as jailshell, or conduct privilege escalation attacks.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 74889
     Summary: Security tokens were disclosed via links in WHM’s Manage SSL Hosts interface.
     Security Rating: cPanel has assigned a Security Level of Minor to this vulnerability.
     Description: cPanel & WHM includes cross-site request forgery tokens in all authenticated URLs. cPanel recommends that all users connect only through https to prevent the tokens from leaking to external sites via the browser’s referrer headers. It was discovered that some external links in the “Manage SSL Hosts” interface leaked the security token even when connected via https. This problem has been addressed by bouncing the browser through a URL with no token to cleanse the referrer.
     Credits: This issue was discovered by the Total Server Solutions Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 75373
     Summary: Reseller Jailshell breakout via custom contact program.
     Security Rating: cPanel has assigned a Security Level of Moderate to this vulnerability.
     Description: Reseller accounts that were restricted to Jailshell access, and unable to create other accounts without this restriction, could bypass this restriction by creating a custom contact program in WHM’s “Configure Customer Contact” interface. When an account owned by the reseller submitted a contact request, the custom contact program would run without the restrictions of Jailshell.
     Credits: This issue was discovered by Rack911.com.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 76085
     Summary: The translation system ACL was not being enforced properly.
     Security Rating: cPanel has assigned a Security Level of Important to this vulnerability.
     Description: The ability to modify translations in cPanel & WHM is restricted to reseller accounts with the “locale-edit” ACL. This ACL requirement was improperly enforced, granting the virtual email accounts owned by a reseller with this ACL the same access as the reseller. A malicious virtual email account could misuse this vulnerability to conduct stored cross-site scripting attacks against other cPanel & WHM users by updating translations to contain malicious javascript.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 76541
     Summary: An arbitrary file unlink vulnerability in cPanel and Webmail.
     Security Rating: cPanel has assigned a Security Level of Moderate to this vulnerability.
     Description: The logic in cPanel to remove unused file uploads after processing a request incorrectly attempted to unlink both the temporary file and the supplied file name. This allowed Webmail virtual accounts and demo cPanel accounts to unlink arbitrary files belonging to the cPanel account.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 76549
     Summary: An arbitrary file read and unlink vulnerability in cPanel, WHM, and Webmail.
     Security Rating: cPanel has assigned a Security Level of Important to this vulnerability.
     Description: When logged into the cPanel, WHM, or Webmail interfaces an attacker could supply crafted multipart post data that appeared to be file uploads with unusual paths. In some subsystems, these invalid file upload parameters allowed viewing or deleting the file at the target path.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 76789
     Summary: Sensitive information was disclosed via transfer logs.
     Security Rating: cPanel has assigned a Security Level of Moderate to this vulnerability.
     Description: The cPanel & WHM account transfer system stores logs in the /var/cpanel/logs directory. These logs contain the details of the account transfer process including, under some error conditions, the password used to connect to the remote server. The log files created by account transfers were created with 0644 permissions, allowing local users to view any sensitive data stored there.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 76869
     Summary: CVE-2013-6171 – Dovecot’s checkpassword authentication implementation vulnerable to response spoofing.
     Security Rating: cPanel has assigned a Security Level of Important to this vulnerability.
     Description: cPanel & WHM provides the Dovecot mail server by default for support of the POP3 and IMAP protocols. cPanel’s integration of Dovecot relies on the checkpassword authentication protocol to make Dovecot aware of virtual email accounts on the system. Dovecot’s implementation of this protocol uses a sensitive file descriptor passed across the executables that make up the checkpassword protocol. This allows the checkpassword-reply binary to communicate back to the dovecot-auth server if authentication is successful. A local attacker could attach to a running instance of the checkpassword-reply binary before the account information was written back to the dovecot-auth server and supply fraudulent account information. This allowed the attacker to view email and other files belonging to the victim account.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 76941
     Summary: Insufficient session expiration of Cpanel::LogMeIn sessions.
     Security Rating: cPanel has assigned a Security Level of Minor to this vulnerability.
     Description: The Cpanel::LogMeIn module is used to implement custom login screens for cPanel & WHM systems. It creates a single use session file on the cPanel system, suitable for redirecting a browser from another website. It was found that previous changes to cPanel & WHM’s session storage format for TSR 2013-0009 resulted in Cpanel::LogMeIn sessions not expiring after a single use. These sessions were instead expired according to normal session timeouts.
     Credits: This issue was discovered by Vodien Internet Solutions.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 77837
     Summary: Logaholic local file inclusion vulnerability.
     Security Rating: cPanel has assigned a Security Level of Important to this vulnerability.
     Description: The Logaholic log processing software included with cPanel & WHM was vulnerable to a local file inclusion vulnerability through the logaholic_lang cookie. This allowed a local attacker to execute arbitrary code as the cpanel-logaholic user, potentially compromising other accounts on the system through Logaholic’s shared database.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 78177
     Summary: There could be a local arbitrary code execution via mailman pickle files.
     Security Rating: cPanel has assigned a Security Level of Important to this vulnerability.
     Description: cPanel & WHM uses a single, central installation of GNU Mailman to provide mailing list functionality to all cPanel accounts. Mailman’s cgi-bin scripts are configured to be set to the GID mailman so that they can write into the Mailman list and archive directories. This resulted in the Mailman Python pickle files having their UID ownership changed dependent on where the files were executed. A local attacker could utilize this fact to overwrite one of Mailman’s pickle files, and execute arbitrary code when the pickle file was deserialized (BugTrack ID 5257). Under some circumstances, this would allow a local attacker to execute arbitrary code as root.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 78253
     Summary: Local arbitrary code could be executed as other accounts with mod_ruid2 enabled.
     Security Rating: cPanel has assigned a Security Level of Important to this vulnerability.
     Description: On systems with mod_ruid2 enabled, making any changes using the WHM “Apache mod_userdir Tweak” interface resulted in a corrupted Apache configuration. A local user could manipulate the permissions on directories and files under their control, and enable Apache to run arbitrary code with the UID and GID of a victim account via userdir URLs. Access to the “Apache mod_userdir Tweak” interface is only permitted to the root user.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     Case 79133
     Summary: The improper sanitization of SSL certificates could allow a local DoS of the web server.
     Security Rating: cPanel has assigned a Security Level of Important to this vulnerability.
     Description: cPanel user accounts with the “sslinstall” feature are allowed to install SSL certificates for the domains they control. The logic that sanitized these certificates did not account for whitespace variations in SSL certificates that Apache cannot parse. This vulnerability could be used by a malicious local attacker to make it impossible to restart the Apache web server.
     Credits: This issue was discovered by the cPanel Security Team.
     Solution: This issue is resolved in the following builds:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

     For the PGP signed message, go here.
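Two of the cases in the advisory above (69513, world-writable Logaholic directories; 76789, world-readable transfer logs under /var/cpanel/logs) are plain filesystem-permission defects that an administrator can verify independently of the cPanel build number. The following POSIX shell script is an added example written for this page, not cPanel code: it counts and lists directories that grant "other" write access and regular files that grant "other" read access under a given tree, and can tighten both. The fixture it builds under mktemp is constructed to mirror the flawed layout; the cPanel paths in the usage comment come from the advisory, and the 0755/0600 target modes are this example's own choice.

```sh
#!/bin/sh
# Added example (not cPanel code): audit a directory tree for the two
# permission defects TSR-2013-0010 describes, then tighten them.
#   Case 69513: directories under the Logaholic install were mode 777
#               (world writable), so any local user could replace config.
#   Case 76789: transfer logs under /var/cpanel/logs were mode 0644
#               (world readable) and could contain remote passwords.
# The fixture below is constructed in a temporary directory; on a real
# server you would pass the real paths on the command line instead.

# Count directories under $1 on which "other" has the write bit (mode bit 002).
count_world_writable_dirs() {
    find "$1" -type d -perm -002 | wc -l | tr -d ' '
}

# Count regular files under $1 on which "other" has the read bit (mode bit 004).
count_world_readable_files() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# List the offending paths so an operator can review them before changing anything.
report() {
    echo "== $1"
    echo "world-writable directories:"
    find "$1" -type d -perm -002 -exec ls -ld {} +
    echo "world-readable files:"
    find "$1" -type f -perm -004 -exec ls -l {} +
}

# Remediate: drop the "other" write bit on directories and make files
# owner-only (0600). Ownership is left untouched.
harden_tree() {
    find "$1" -type d -perm -002 -exec chmod o-w {} +
    find "$1" -type f -perm -004 -exec chmod 0600 {} +
}

# Build a constructed fixture that mirrors the flawed layout from the advisory.
# Modes are set explicitly so the result does not depend on the caller's umask.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Logaholic/conf" "$dir/logs"
    chmod 0755 "$dir" "$dir/Logaholic" "$dir/logs"
    chmod 0777 "$dir/Logaholic/conf"                          # Case 69513 style
    echo "remote password: PLACEHOLDER" > "$dir/logs/transfer-example.log"
    chmod 0644 "$dir/logs/transfer-example.log"               # Case 76789 style
    echo "$dir"
}

# Usage: sh audit_perms.sh /usr/local/cpanel/base/3rdparty/Logaholic /var/cpanel/logs
# With no arguments nothing is scanned; the functions above can be sourced and reused.
for root in "$@"; do
    report "$root"
done
```

Run `report` first and review its output before calling `harden_tree`: the script only looks at mode bits, so a directory that legitimately needs group or world write (a sticky-bit spool, for instance) would also be flagged, and the advisory's real fix is still to update to one of the listed builds.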
  9. cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels ranging from Minor to Important. Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels. If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

     RELEASES
     The following cPanel & WHM versions address all known vulnerabilities:
       * 11.40.0.12 & Greater
       * 11.38.2.11 & Greater
       * 11.36.2.8 & Greater
       * 11.34.2.7 & Greater
     The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

     SECURITY ISSUE INFORMATION
     The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 13 vulnerabilities in cPanel & WHM software versions 11.40, 11.38, 11.36, and 11.34. Additional information is scheduled for release on October 26, 2013.

     For information on cPanel & WHM Versions and the Release Process, read our documentation at: http://go.cpanel.net/versionformat

     For the PGP signed message, go here.
  10. Last week I attended ZendCon 2013, a prominent PHP developer-oriented conference designed to give industry professionals information on tools, practices and trends which will help them deliver enterprise-class software to customers. During the conference, many sponsors set up booths in order to demonstrate new products and services, and many industry professionals hold tutorials and sessions that attendees can attend in order to learn more about our trade. The conference was held in Santa Clara, CA (about an hour south of San Francisco, just outside of San Jose) from October 7th through October 10th.

      I spent a lot of time at the conference focusing on tutorials and sessions that I felt might provide the most value for our company, in order to deliver better, faster and more stable software for our clients. One tutorial that I attended, for instance, focused entirely on best practices for implementing caching into software (and at the server level), and tuning settings in PHP, MySQL and Apache/NginX to deliver the highest possible performance. Another session I attended focused on Object-Oriented Javascript Programming and the future of Javascript (or, more specifically, ECMAScript 6). By the very nature of the conference, all sessions were very technical in nature, so don't feel too bad if any of this sounds like Greek to you. The point I want readers to take away is that we take our profession seriously, and IPS feels that an investment into continuing education is important for our clients.

      I had the pleasure of meeting many industry professionals in the PHP world, including Andi Gutmans (CEO and co-founder of Zend Technologies), Zeev Suraski (CTO and co-founder of Zend Technologies), Elizabeth Smith (very active contributor to the PHP project and various PHP extensions), Derick Rethans (creator of XDebug, MongoDB PHP extension, and other PHP project contributions), John Coggeshall (active lead for the PHP Tidy extension) and many other wonderful contributors to the PHP ecosystem. The passion that these people share for the products and services is just amazing, and serves as a great role model for developers everywhere.

      I won't spend much time getting into the nitty gritty details of each session I attended. Some were very technical in nature, while some focused on more abstract necessities of running a team of developers and managing day-to-day development duties (for example, discussing things like time management, gathering project requirements effectively, and so on). All in all, every session I attended provided useful information that I feel we can make use of to better our processes and delivery of future software releases.

      As I said, here at IPS we take our profession very seriously. We will always strive to deliver the best possible software, and are thankful for the contributions of our third party developer community as well as the rest of our clients, who provide us with bug reports and feedback that help to improve our products. We have many exciting things in store in the coming months, so stay tuned by subscribing to our company blog to be notified of changes and updates.
  11. Administrator: test (From the album: test)
  12. Administrator: test (From the album: test)
  13. 10/10/2013 Houston, TX - As previously announced in our cPanel & WHM 11.40 Webinar and at cPanel Conference 2013, cPanel, Inc. is thrilled to release cPanel & WHM software version 11.40, which is now available in the CURRENT tier. cPanel & WHM version 11.40 offers support for IPv6 and 1:1 NAT, an API Shell, and more.

      IPv6 Support
      cPanel & WHM is now IPv6-enabled with dual-stack support, allowing customers to add IPv6 or IPv4 to any account. This feature prepares our customers for future demand.

      1:1 NAT Support
      cPanel & WHM version 11.40 provides 1:1 NAT, giving customers the ability to support a broader range of hosting environments.

      API Shell
      In 11.40, cPanel & WHM includes an API Shell, enabling customers to run and troubleshoot API calls interactively through the cPanel & WHM user interfaces. This feature helps our customers better understand API calls.

      Detailed information on all cPanel & WHM version 11.40 features can be found at http://docs.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net. To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.
  14. Introduction

    The IPS Social Suite needs to store lots of different files - there's attachments and profile photos uploaded by members, CSS and JavaScript files, emoticons, etc. In IP.Board 3.x, various images got stored in different places:

    - Files uploaded by users get put in the /uploads directory. If you have a complicated setup, it's difficult to handle these. If you have a load-balanced cluster you need to set up an environment whereby all files are stored on a single server, or all uploaded files are synched between servers, but serving these files over a high-performance CDN can be difficult.
    - CSS, JavaScript files, images and emoticons get put in /style_* directories. If you want to serve these over a CDN, you can do so, but you need to copy the files over yourself.
    - Other pieces of data are written to disk as a caching mechanism. This has the same issue with load-balanced environments as file uploads.
    - Some applications had other methods - for example, IP.Downloads allows you to store files on a remote server using FTP.

    In 4.0, we wanted to pull this all together and build a much better system for storing files and build the whole system with high-performance environments in mind.

    File Storage

    In 4.0, you have several different ways to store files:

    - On a local server
    - On a remote server using FTP (which you can use to upload files to many CDN services)
    - As binary data in the database
    - On Amazon S3

    You can set up different configurations and choose which configuration to use for different types of files. For example, if you want to store users' profile photos on Amazon S3, but you want attachments to be on the local server, or even a different Amazon S3 bucket - 4.0 can handle that. And if at any point you change your mind about which storage method you want to use, the system will automatically handle moving all the files for you. Everywhere that writes a file will use this central system - so IP.Downloads and IP.Gallery are included too.

    Caching

    There are lots of places throughout the suite where the same stuff needs to be retrieved or calculated over and over - for example, certain configuration settings, language data, information about the installed applications, etc. If this data can be cached, not only does it alleviate database load, it means the PHP code doesn't need to re-process the data. In IP.Board 3.x, some of this was stored in a particular database table and could be cached using a proper caching system - but it was difficult to configure, and not everything used it - compiled HTML templates, language strings and more were saved as files in the /cache directory, which causes difficulties for load-balanced cluster environments.

    In 4.0, we've overhauled all of this. For things that need cold storage (like compiled HTML templates) - you can choose either the file system or the database for storage. The data can then be cached, along with anything else which might benefit from caching (like settings, application data, etc.) using one of 5 supported caching methods:

    - APC
    - eAccelerator
    - Memcached
    - Wincache
    - XCache

    View the full article
  15. IPS Social Suite 4 is a modernization of our software line and rather than just refactor existing work, we are rewriting the code from scratch which gives us a chance to really evaluate the interface elements and labels. We felt that "themes" was a much more modern and better understood term than "skins". Of course, the name is just the start; here are some of the other improvements:

    Managing Themes in IPS Social Suite 4

    As you would expect, the interface has been completely overhauled in IP.Social Suite 4. All the familiar elements are there but we've simplified areas and made it easier to manage your themes. As you can see from this screen shot, theme authors can now inform customers when they have an update available for them. The interface makes use of the new IPS Social Suite 4 Trees model which means you can quickly search for theme names and re-order themes.

    In IP.Board 3, you could change the logo of the suite. We've made this even easier in IP.Social Suite 4. The upload fields are easily accessible on the edit theme form. You can even upload a Facebook sharer image and favicon!

    Downloading and Uploading Themes

    In IPS Social Suite 4, downloading and uploading a new version of a theme could not be easier. Just select the menu item and it's done. You no longer need to navigate to separate areas of the Admin CP to do this.

    Conflict Management

    What happens if you upload a new version of a theme but it contains changes to templates you have also changed? You'll get a chance to review these changes and select which version to use on the conflict management page.

    Editing templates and CSS

    The template and CSS editor should be familiar for any existing customers. The editor is now fully syntax highlighted which will make writing and editing code so much easier. The template syntax is now much more compact as you can see from the above screen shot. We've also added a few things to reduce the amount of template logic required. A common need is to load a template if a condition is matched:

        {{if member.isAdmin()}}{template="admin_bar"}{{endif}}

    You can now put the conditional inside the template tag like so:

        {template="admin_bar" if="member.isAdmin()"}

    This is much easier to read and reduces a lot of visual clutter. The combination of the better template syntax and HTML 5 mark-up results in a dramatic reduction in size and complexity of often edited templates such as the globalTemplate which is commonly used to add your own site chrome. The screenshot below shows all of the IPS Social Suite 4 globalTemplate and for comparison, part of the IP.Board 3.4 globalTemplate which is over 340 lines long!

    The CSS framework, much like the JavaScript framework, has been completely rewritten and is now modular. This means that most CSS files are very small which makes looking for specific selectors much easier. In addition, upgrades are less destructive to your themes. If you made edits to the button styles, then only that one style sheet is altered leaving the rest as default. Of course, IPS Social Suite combines and minifies these separate CSS files into fewer files when saved.

    This blog entry is just an overview of the theme section in the Admin CP. We'll go into more detail in a later entry on the new tools available designed to make theme creation and management a breeze for theme authors. We know you will have a ton of questions but please be patient with us if we keep saying "wait for next blog entry" :smile:

    View the full article
  16. SUMMARY

    Three CVEs were reported for WordPress 3.6 and WordPress has released an upgraded version to address these vulnerabilities. cPanel has updated the WordPress version delivered via the cPAddons functionality in WHM to the new version, 3.6.1.

    AFFECTED VERSIONS

    All versions of WordPress 3.6.0 and below.

    SECURITY RATING

    US-CERT/NIST has given the following severities for the WordPress vulnerabilities:

    CVE-2013-4338 CVSS v2 Base Score: 7.5 (HIGH)
    CVE-2013-4339 CVSS v2 Base Score: 7.5 (HIGH)
    CVE-2013-4340 CVSS v2 Base Score: 3.5 (LOW)

    SOLUTION

    cPanel, Inc. has updated the version of WordPress in the cPAddons system to 3.6.1. The cPanel Security Team highly recommends that all installations of WordPress be updated on your servers. WHM admins can upgrade the installations of WordPress on their servers using the Manage cPAddons Site Software functionality in WHM. cPanel account users may also update from the WordPress link in the Site Software section of their cPanel account interface.

    REFERENCES

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4338
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4339
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340
    http://wordpress.org/news/2013/09/wordpress-3-6-1/

    For the PGP signed message go here

    View the full article
  17. We are releasing security patches for IP.Board 3.3.4, IP.Board 3.4.5, IP.Gallery 4.2.1 and IP.Gallery 5.0.5 to address four cross-site scripting issues recently reported to us.

    It has come to our attention that an unpatched security issue exists in a third party script included with the IP.Board release called "Flowplayer". While this script is included with IP.Board, it is presently only utilized by IP.Gallery to facilitate embedding of certain media files when the administrator allows them to be uploaded. The exploit that has been reported to us may expose a specific type of cross-site scripting vulnerability through Flowplayer and requires a certain level of user-interaction to trigger (in other words, a user must follow a link to the affected target - to our knowledge this issue cannot be triggered automatically by viewing a page normally accessible through typical navigation of the software).

    It has come to our attention that an unpatched security issue exists in a third party script included with the IP.Board release called "swfupload". The cross site scripting vulnerability, like the one described above, requires a user to visit a specially crafted link to the swfupload flash file directly, whereby arbitrary javascript may be executed.

    It has come to our attention that two potential cross site scripting vulnerabilities exist within the IP.Board editor routines. These vulnerabilities are not persistent (meaning you can only trigger them against yourself, as opposed to causing them to be stored in the database and triggered against another user), however we feel that it is in the best interests of our clients to release an update to address the issues reported.

    We are releasing patches today to address all four issues. To apply the patch, please perform the following steps:

    1. Identify which version of IP.Board you are running. If you are running IP.Board 3.3.x, you will also need to identify which version of IP.Gallery you are running.
    2. Download the appropriate patch file below.
    3. Extract the contents locally on your computer.
    4. Upload the contents of the "upload" folder to your forum root directory (where conf_global.php is located), overwriting any files when prompted. Please refer to this knowledgebase article if you are unfamiliar with using FTP to transfer files to your server.

    IF YOU ARE RUNNING BOARD 3.4.0 - 3.4.4, you will need to upgrade to 3.4.5, which as of today includes these patches.

    If you are an IPS Community in the Cloud customer running IP.Board 3.3 or above, no further action is necessary; we have already automatically patched your account. If you are using a version older than IP.Board 3.3, you should contact support to upgrade.

    If you are running IP.Board 3.4.x, please use the following zip: ipb3_4_and_gallery_5_0-9-13-2013.zip (79.87KB, 1507 downloads)

    If you are running IP.Board 3.3.x without IP.Gallery, or with IP.Gallery 5.0.x, please use the following zip: ipb3_3_and_gallery_5_0-9-13-2013.zip (85.32KB, 181 downloads)

    If you are running IP.Board 3.3.x with IP.Gallery 4.2.x, please use the following zip: ipb3_3_and_gallery_4_2-9-13-2013.zip (84.91KB, 87 downloads)

    As of the time of this post, the full IP.Board and IP.Gallery packages in our client center have been updated. If you are running any version of IP.Board or IP.Gallery that is not listed above, we recommend that you upgrade to the latest version to obtain these security fixes, as well as several other security and bug fixes.

    We would like to thank Sahil Saif for bringing the flowplayer vulnerability to our attention. We would like to thank Masato Kinugawa for bringing the swfupload vulnerability to our attention. We would like to thank Jakub at http://hauntit.blogspot.com/ for bringing the editor vulnerabilities to our attention.

    View the full article
  18. In 3.x, we support HTML emails being sent by the software. However, due to constraints we had at the time, HTML emails use pretty much the same content as plain text emails, but wrapped in a simple HTML wrapper. Additionally, users had to explicitly decide whether they wanted to receive HTML or plain text emails via a preference setting - quite an anachronism. All in all, not a very satisfactory user experience.

    Email handling in 4.0

    In 4.0, users no longer choose which type of email to receive. Our email handler sends both types in a single email, and the email client chooses the most appropriate to show based on its capabilities. If it can display a fancy HTML version, that's what they'll see by default, but plain text is used if not.

    Email template system

    In 3.x, email content is defined by the language system, and each email has one language string which forms the content for both the plain text and HTML versions. Clearly, if we were going to improve the HTML templates we ship with, this would have to change. In 4.x, each type of email has two templates - one for HTML, one for plain text. This means a better display of content can be created for HTML emails, while keeping the plain text ones simple and to the point. Email templates make use of the skinning system foundation (which we'll reveal later), meaning they have full use of logic, template tags and more - so we can also customize the emails depending on the user they are being sent to (note though that email templates are not per-skin; they are global to the site). And, of course, email templates can be added and edited via an interface in the AdminCP. This isn't groundbreaking stuff, but a vast improvement on email handling in 3.x.

    Email template design

    We also wanted to improve our email templates, so that each type of email sent was designed specifically for the purpose. The data shown in a registration email will be different to a topic digest, for example, and the email should reflect that.

    Coding email templates is not a trivial thing, unfortunately. The latest version of Microsoft Outlook uses the Microsoft Word rendering engine(!!), while GMail strips out all CSS included in style tags - and that's just the start of the gotchas. This makes designing email templates a tricky business, and one that requires lots of testing to ensure compatibility. For our first 10 templates alone, I reviewed 900 screenshots to spot problems. As a result, we've taken the approach of creating email templates which are simple in appearance and would work well for most sites, with the goal of hopefully avoiding the need of most sites to edit them at all (though you can, if you wish). The colors we've used are fairly neutral, for this reason.

    For those mail agents that are a little more... advanced, our email templates in 4.0 will be responsive. They will look great on mobile devices as well as desktop clients. I have included some examples of email templates, along with their mobile counterparts. I should note at this point that this does not reveal the main skin design. As discussed above, emails are intentionally separate in design.

    Screenshots: Admin-completed registration, Friend request, New personal message, New profile comment

    View the full article
  19. Diagnostics

    For the development team here at IPS, we're constantly striving to make the most stable and reliable software we can. We currently have three main channels through which we hear about potential issues:

    - Our QA team and other power users submit bug reports to our bug tracker.
    - Community owners contact our technical support team who then, where necessary, communicate issues to us.
    - Our Community In The Cloud team monitor server error logs (etc) and where necessary, communicate issues to us.

    For IPS Social Suite 4.0, I really wanted to examine how potential software issues (as well as general questions and support enquiries, which I'll talk about in another blog entry) come through to us, and if any improvements can be made. The problem with all of these channels is that they're not direct (we don't get the information directly to us) which means we sometimes don't have all the information we need, and if the issue is never reported, we might not hear about it at all.

    Desktop applications and Operating Systems handle this in a very particular way - they send a diagnostic report straight to the vendor when something goes wrong. This means the vendor gets all the information they need about the problem in a way that requires no input from the user - it's automatic, anonymous and instant. In IPS 4.0, we're introducing the same system. When a problem happens, a report is automatically sent to our servers to let us know. Participation is optional and the report sent is entirely anonymous.

    What causes a diagnostic report to send?

    Error handling in IPS 4.0 on the programming level is handled through Exceptions. If a class does something unexpected (for example, if the class which communicates with the database gets an error from the database server, or the class which makes HTTP requests gets an unexpected response), the class will throw an Exception (specifically, a RuntimeException). If an Exception is not caught (accounted for in the code), a report will be sent. Also, if a PHP error of a level greater than a notice (a warning) is encountered, it will also throw an Exception (specifically, an ErrorException) which will also cause a report to be sent.

    What information does a diagnostic report contain?

    The diagnostic report contains:

    - The trace route of the exception, with personal information (the path to your site, which is usually in the trace of all exceptions, and your database name which is often in the message for MySQL errors) removed.
    - The version number of the IPS Social Suite you are running.
    - The version number of the application which caused the error.

    The diagnostic report does not contain:

    - Your license key.
    - Your site URL.
    - Any information about the user that triggered the error or any other users.
    - Any information which would allow us to work out which site sent the report.

    Here's an example of the contents of a diagnostic report, which would be sent if the code tried to get information from a database table that doesn't exist:

    How do I opt-out?

    You'll be asked when you install IPS Social Suite, or upgrade to version 4.0, if you want to opt-out. You can change this choice at any time in the Admin CP by simply adjusting a setting, which is in a prominent location.

    Usage

    While we were working on diagnostics reporting, we had another thought. The other thing that we as developers really want to know besides if there are any problems in the software is how the software is being used. What features are the most popular? How many forums does the average site have? Do most people use the articles system in IP.Content to manage content or do they create pages manually? How many people have upgraded to our new version so far?

    While a lot of site owners post in our feedback forum (and we love having that communication) - having the raw statistics for these sorts of questions would be really helpful in knowing what we should focus on (plus, everyone loves charts and graphs). So in a similar vein, IPS 4.0 will also (assuming you've enabled it) periodically (once a month) send a report to us with this sort of information. Participation is optional and the report sent is entirely anonymous.

    What information does a usage report contain?

    The usage report contains:

    - The number of rows in each database table.
    - MD5-encoded values of settings - see below.
    - The PHP and MySQL versions installed on the server.
    - A list of the PHP extensions installed on the server.
    - A list of installed applications (e.g. IP.Board, IP.Blog, IP.Gallery, etc.) and their versions.
    - A number indicating the number of active applications in your license (for example, if you have purchased IP.Board and IP.Blog, and both are active, the number “2” will be sent).

    The usage report does not contain:

    - Your license key.
    - Your site URL.
    - Any information about users or any user-submitted content.
    - Any information which would allow us to work out which site sent the report.

    For the settings values - the values are encoded so we cannot see the value (so we can't see your site name, URL, etc.) - this is a blanket protection so that we do not send anything sensitive and the information cannot be used to work out which site sent the report. The encoded values though are still useful - for text-entry settings, we can see if the value has been changed from the default value (since we know the md5 hash for the default value) which is useful to know how many people change the default configuration. For settings which have a limited number of options, for example, can only be turned on or off, or have a drop down list of options, the hash value has meaning as we know the hash values for each option. Even though values are encoded, particularly sensitive settings such as database connection details are stripped completely.

    Here's an example of the contents of a usage report:

    How do I opt-out?

    You'll be asked when you install IPS Social Suite, or upgrade to version 4.0, if you want to opt-out. You can change this choice at any time in the Admin CP by simply adjusting a setting, which is in a prominent location.

    Attached Files: diagnostics.txt (676 bytes, 7 downloads), usage.txt (12.4KB, 6 downloads)

    View the full article
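The scrubbing the post describes, as an added PHP example that is not IPS code: it builds a diagnostic report and a usage report of the shape the post lists, removes the site path and database name from a constructed stack trace, replaces setting values with their MD5 hashes, drops the connection settings entirely, and then shows what a recipient can still infer from an unsalted hash. The report layout, the setting names, the sample trace and the STRIPPED_SETTINGS list are all assumptions made for the demonstration.

```php
<?php
// Added example, not IPS code: a sketch of the two reports the post describes,
// with the scrubbing applied before anything leaves the server. The report
// layout, setting names and sample trace are constructed for the demo.

declare(strict_types=1);

// Settings stripped completely rather than hashed (the post names database
// connection details; this concrete list is an assumption).
const STRIPPED_SETTINGS = ['sql_host', 'sql_user', 'sql_pass', 'sql_database', 'license_key'];

// Remove the two identifying strings the post says are removed from a trace:
// the filesystem path of the site and the database name.
function scrubTrace(string $trace, string $sitePath, string $dbName): string
{
    $trace = str_replace($sitePath, '{root}', $trace);
    // MySQL quotes tables as db.table, so replace the name only as a whole word.
    return preg_replace('/\b' . preg_quote($dbName, '/') . '\b/', '{db}', $trace);
}

function buildDiagnosticReport(string $class, string $message, string $trace,
                               string $sitePath, string $dbName,
                               string $suiteVersion, string $appVersion): array
{
    return [
        'suiteVersion' => $suiteVersion,
        'appVersion'   => $appVersion,
        'exception'    => $class,
        'message'      => scrubTrace($message, $sitePath, $dbName),
        'trace'        => scrubTrace($trace, $sitePath, $dbName),
    ];
}

// Usage report: each setting value is replaced by its MD5 hash; stripped
// settings do not appear at all.
function buildUsageReport(array $settings, array $tableCounts): array
{
    $hashed = [];
    foreach ($settings as $key => $value) {
        if (in_array($key, STRIPPED_SETTINGS, true)) {
            continue;
        }
        $hashed[$key] = md5((string) $value);
    }
    return [
        'settings'    => $hashed,
        'tableCounts' => $tableCounts,
        'php'         => PHP_VERSION,
        'extensions'  => get_loaded_extensions(),
    ];
}

// What the receiving side can learn from an unsalted hash: whether the value
// still equals the default and, when the setting has a small option set, the
// exact value. Free text with a large value space stays unknown.
function interpretSetting(string $hash, string $default, array $options = []): string
{
    foreach ($options as $option) {
        if (hash_equals(md5($option), $hash)) {
            return 'value=' . $option;
        }
    }
    return hash_equals(md5($default), $hash) ? 'default' : 'changed, value unknown';
}

// --- demo with constructed input ---
$sitePath = '/var/www/mysite';
$dbName   = 'ipb4';
$trace    = "#0 /var/www/mysite/system/Db/Db.php(120): IPS\\Db->query()\n"
          . "#1 /var/www/mysite/index.php(15): IPS\\Dispatcher->run()\n#2 {main}";

$diag = buildDiagnosticReport('IPS\\Db\\Exception',
    "Table 'ipb4.ibf_core_settings' doesn't exist", $trace,
    $sitePath, $dbName, '4.0.0', '4.0.0');

$settings = ['board_name' => 'Acme Forum', 'reg_auth_type' => '1',
             'sql_pass' => 'hunter2', 'sql_database' => $dbName];
$usage = buildUsageReport($settings, ['core_members' => 1204, 'forums_topics' => 3512]);

echo json_encode($diag, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
echo json_encode($usage, JSON_PRETTY_PRINT), "\n";
echo 'board_name:    ', interpretSetting($usage['settings']['board_name'], 'My Community'), "\n";
echo 'reg_auth_type: ', interpretSetting($usage['settings']['reg_auth_type'], '0', ['0', '1', '2']), "\n";
```

The last two lines make the practitioner's caveat concrete: an unsalted MD5 of a value drawn from a small or guessable set (an on/off switch, a drop-down option, but equally a short free-text value) is recoverable by anyone who holds the report, which is exactly why the post strips sensitive settings rather than hashing them. A salted or keyed hash would close that gap but would also remove the changed-from-default signal the vendor wants, so stripping is the right tool for anything secret.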
  20. We've been hard at work on IPS 4.0 for some time now, and we're finally at a stage where we are ready to reveal the new AdminCP to you. I won't be showing you everything the ACP has to offer - some things will be revealed in more detail in later blog entries. But let's get to an overview.

    Background information

    IPS4 brings with it a new CSS framework that aims to modularize our styles. This is something we started to work towards in IPB 3.2, but at that time we couldn't completely replace our structure. We no longer have a monolithic ipb_styles.css file. We now have a bunch of small CSS files, and each one handles something in particular. There's one each for forms, tables, pagination, buttons, layout and so on. This brings a few key benefits. Firstly, when we need to make a bug fix in, say, the forms CSS file, IPS4 will still be able to automatically upgrade all the other css files for you. In 3.x, one bug fix in ipb_styles.css could mean the whole file had to be manually upgraded. Secondly, it will be a lot more obvious for skinners where to look for particular things. Need to style a button? Look in buttons.css. Easy. And thirdly, if you're building pages in IP.Content, and you want to use our button styles, you can simply include that one CSS file without needing to include the entire CSS framework. CSS is of course concatenated and compressed before being delivered to the browser, but in a development environment, it exists as I described it above.

    In IPS4, both front end and AdminCP share the same CSS (and Javascript) framework. Skinners will be able to ship skins that work on both the front end and AdminCP with only a little extra work - and, of course, when we make bug fixes to the framework, it'll fix both areas. Before we go further, I want to make this part clear: The front-end and AdminCP look different. What you'll see shortly isn't what the front-end looks like. We will reveal that separately later. While the same framework is used, the AdminCP extends and overrides parts of it to suit its needs and style.

    Goals

    What did we want to achieve with the AdminCP? Our current AdminCP is often regarded as the best out of the big forum software platforms, so redesigning is a big undertaking.

    - Better use of space. Our current ACP uses vertical space for the main menu, and horizontal space for the application menu. In an era of widescreen desktops being standard, this could be improved.
    - Get rid of dropdown menus. The main menu currently uses dropdowns for navigation, but this can be difficult to use - especially if you want to access something in a 3rd party app, meaning you have to traverse the Other Apps menu.
    - More consistency across pages. Our current ACP has some interactive tables (e.g. the member list) - but not every table makes use of the functionality. We should be enhancing every page with similar functionality, if it makes sense.
    - Better styling. People aren't a fan of pink, it turns out. I guess it'll have to go. The blue gradients are showing their age too.
    - And the big one: Better mobile support. You can't effectively use the AdminCP on a mobile device. It's time you were able to manage your entire community from your phone with all of the same functionality, right?

    Responsive by default

    That last one is what we're most excited about. The AdminCP in IPS4 is fully responsive, and allows you to do everything just on a phone or tablet. What is responsiveness? It means that the page automatically changes to better suit the device you're using. While a desktop user would see full navigation menus and tables of data, a mobile user will see a reduced view (but with all the same data present!). Whether you need to manage your members, change some settings, send a bulk email or run some diagnostics, it can all be done on the go. This is a first for the big community software platforms, as far as I'm aware.

    Preview

    Here is a sample page from the new AdminCP, as seen on a desktop, with the same page shown at a mobile resolution. Although I won't include it here, tablets will see an 'intermediate' view with a reduced menu on the left. So, let's go over some of the key features of the screenshots.

    Navigation

    First, and perhaps most importantly, is the navigation. On a desktop, your applications are now arranged down the left-hand side, with their respective section menus available simply by hovering on the application - no dropdown menus to traverse. The application menu can be reordered per-admin, allowing each staff member to set the menu up to best suit their role. On a mobile, there's obviously not the space for a wide navigation menu. Therefore, the application/module menu is activated by clicking the top-right icon. This opens a sidebar, from which you can navigate.

    Tables

    What you see in the screenshots are our new default way of displaying tables of data. On the desktop view, we have filters across the top, a search box (and advanced search popup), and table headers can be clicked to dynamically sort the data via ajax. On a mobile view, this all collapses down - filters and sorting become menus, while table rows collapse to show data in a more suitable view. Responsive tables are a tricky thing to do right and there's a few different approaches, but given the types of data our AdminCP tables typically show, we think this is the best approach for us.

    Forms

    As has been discussed in some of our developer blogs, the IPS 4.0 framework supports a wide range of form field types - everything from text inputs to tree selectors to matrices. All of these field types work both on desktop and with a responsive mobile view. Here's a simple AdminCP form on both desktop and mobile.

    Tabs

    Tabs are used extensively, where appropriate. Here's a screenshot showing a typical tabbed page (and it also shows a tree view).

    Video of the mobile view in action

    I've taken a short video of the member section in action, showing filtering, live searching and the advanced search popup. I'm using the iOS simulator here, which has some display jitters and requires me to use the mouse, but it should give you a good idea of how the AdminCP will work on a phone.

    Conclusion

    So there we go - an overview of the new AdminCP. We still have more to show you. Individual features and pages that are noteworthy will be blogged about in due course in more detail, so keep an eye on this blog and our developer blog for more. Please do bear in mind that this is pre-alpha software, and everything you see is subject to change. We look forward to your feedback!

    View the full article
  21. Introduction

    Modifications, add-ons, plugins, hooks - whatever your preferred name for them is - 3rd party code modifications are an important part of any successful web application. It wasn't that long ago that the way you did this was manually opening up files and copying and pasting bits of code in, or the really cool web applications had points scattered throughout the code for modifications to be injected into, or even scripts which opened up the files and made the changes for you (I'm not joking, that's seriously what used to go on!). In fact, IP.Board was one of the first web applications to, using OOP, support modifications in a more structured way.

    Currently, we largely have 2 types of modifications: applications, which add whole new areas and functionality to your site (all of our applications: IP.Blog, IP.Gallery, IP.Downloads, IP.Chat, IP.Content and IP.Nexus use this architecture) and hooks which modify or extend the functionality of the IPS Social Suite or of applications. Applications themselves are sort of self-governing so there isn't much to say about them, with one exception: applications will now be able to be downloaded and subsequently installed into your Admin CP as one file - you will not have to FTP upload application source files. The file will just be a regular .tar file, so of course, if you were so inclined, you could open it and go old skool.

    For the rest of this blog entry, I'm going to focus on hooks. Though parts of this blog entry will be more technical in nature than our others, I've tried to keep it just to what everyone will be interested in, and leave the boring stuff until the end.

    Terminology

    The term "hook" in 3.x is ambiguous. Sometimes it refers to the whole thing (e.g. "install a hook") and sometimes it refers to a specific technical part of that - the code which overloads other code (e.g. "skin hook", "library hook"), which are, even more confusingly, sometimes called "hook files". In 4.0, we've decided to rename hooks to plugins. The technical parts which make up a plugin will still be referred to as hooks.

    Sandboxing

    Plugins, by their nature, extend functionality already present on your site. Up until now, if a plugin experiences a problem (for example, if a new version is installed which the plugin doesn't support) it can cause an error on your site, which disabling the plugin fixes. Starting in 4.0, plugins will be sandboxed. This means that if a plugin experiences an unexpected error (such as a database driver error), your site will automatically fall back to the default behaviour, and your users will never know anything went wrong.

    Simple (yet advanced) settings

    In IP.Board 3.x, the Admin CP maintained a massive central area for managing most (though not all) settings. Plugins could add settings to this area, though there was no real standard for where to do that. Also, because this area was separate from the area where you install plugins, it could sometimes be confusing how to configure a plugin after installing it. In 4.0, each plugin is allocated a settings page which is accessed just by hitting the "Edit" button on the list of plugins. Plugin authors can manage this page how they like - rather than being confined to the strictly tabular layout and specific input types in 3.x.

    Versioning

    In 3.x, unlike with applications, there was no particularly clear way to upgrade a plugin from one version to another. In 4.x, plugins now support full versioning, so you can just upload a new version, and an upgrader will take care of it.

    Hook Types

    In 3.x, there were several different underlying types of hooks:

    - Action overloaders - which allowed overloading the PHP class for any controller.
    - Library hooks - which allowed overloading the PHP class for some (though not all) other classes.
    - Data hooks - which allowed the modification of variables at specific, defined places in the code.
    - Skin overloaders - which allowed overloading the compiled PHP class representing a group of templates.
    - Template hooks - which allowed content to be inserted at specific points in templates.

    For 4.0, we've made some quite radical changes:

    Code Hooks

    The first 3 have been merged into one concept we call "Code Hooks". Code Hooks can overload any class (even things which presently can't be overloaded like extensions) through a technique called monkey-patching (more details have been mentioned in the developer channel). This, combined with the use of Active Record models for all content items (so "Topic", etc. is a class that can be overloaded) also makes data hooks obsolete.

    Theme Hooks

    The last 2 have also been merged into a concept called "Theme Hooks" (we're also renaming "skin" to "theme"). The way the current template hooks work is to insert content around certain pre-defined tags in the template. The problem is, the point the plugin author needs is not always available; also, this is done in a way where the content being inserted isn't aware of its surroundings, which makes it difficult for things like adding a button to every post, which would need to know information about that post. After thinking for ages about a better way to facilitate theme hooks (I was halfway through a system which injected hook points automatically at compile time), our designer Rikki reminded us that a pretty well-known method for selecting HTML elements already exists... CSS selectors.

    Video demonstration

    What's really cool about this is that the content used acts as if it was part of the template - if for example, it's inserted in a foreach loop, the variables created by that are available. It can also use template logic and everything else templates themselves can do. On the back-end, these are compiled into a file which behaves like a 3.x skin overloader - so if it is necessary (or just desired) to overload the compiled version of the template, that is still possible. Theme hooks work for the Admin CP as well as the front-end.

    Developer information

    Developers no doubt would like to know the technical information of how this all works. Rather than write a blog entry covering all the different parts of plugins, we thought you might be interested to just see the developer documentation. We have 2 articles we can show you - one covering all the technical details of plugins, and another which provides a step-by-step guide for how to create a plugin.

    View the full article
  22. TSR-2013-0009 Detailed Disclosure

The following disclosure covers Targeted Security Release TSR-2013-0009, which was published on August 27th, 2013. Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

Case 73377

Summary
An account’s cpmove archives were world-readable in the /home directory with 644 permissions during packaging.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel and WHM account transfer process created a temporary cpmove archive in the /home directory with 644 permissions. This allowed a local attacker to read the private contents of another user’s home directory and configuration settings while the transfer operation was in progress. The world-readable cpmove file was left accessible for a longer period of time when the account transfer process failed and required manual intervention.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 73581

Summary
The improper sanitization of user input when adding an Addon Domain could allow a local DoS of the web server.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
While creating a new Addon domain, a cPanel user account could specify a DocumentRoot for the new addon that would be misinterpreted by Apache as a nonsensical httpd.conf directive. This vulnerability could be used by a malicious local attacker to corrupt the global httpd.conf file and make it impossible to restart the Apache web server.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 73605

Summary
The account rearrange feature of WHM could be used in an unsafe way, potentially leading to a compromise of a system’s security.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
WHM resellers with the “Rearrange Accounts” ACL could change the permissions on arbitrary file paths by moving accounts they controlled into sensitive filesystem locations and invoke other automated systems, which assumed these locations were not under any user account’s control. The “Rearrange Accounts” ACL is a part of the “Super Privs” ACL group, which restricts access to WHM operations that may be used to bypass many normal Reseller access restrictions.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 73773

Summary
cPanel, WHM and Webmail session files contained plaintext passwords.

Security Rating
cPanel has not assigned a Security Level to this issue as we feel this is only a hardening measure.

Description
The session files in /var/cpanel/sessions contained plain text passwords for recently logged in users. The session files were correctly secured so that only the root account on the system could read their contents. We have added additional obfuscation of the plaintext passwords, so that any attacker who compromises the root account on the system will not have the ability to reconstruct the plaintext passwords from the session files.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 74521

Summary
Resellers with the locale-edit ACL could overwrite any file on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Resellers that were able to install locale data from uploaded XML files could overwrite any file on the disk with data provided in the XML file. This could be used to gain privilege escalation to root.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 75569

Summary
The unsuspend function makes changes to webDAV user files that could unsuspend a suspended user on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The process of unsuspending a suspended account did not perform proper checks on the ownership and location of the virtual account password files. This flaw allowed a malicious reseller account with the “(Un)Suspend” ACL to unsuspend arbitrary accounts on the system.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Cases 68205, 71701, 71705, 71709, 71721, 71725, 71733, 75169, 75413, 75417, and 75605

Summary
Multiple vulnerabilities in the cPAddons Site Software subsystem.

Security Rating
cPanel has assigned a range of Security Levels to these vulnerabilities from Minor to Important.

Description
The cPAddons Site Software subsystem provides a suite of web application software that individual cPanel user accounts may install into their domains. The subsystem also provides interfaces in WHM where the root user may configure the list of web applications that are available for installation, configure which web applications require root’s approval for installation, and perform the installation of moderated cPAddons. This subsystem was vulnerable to a variety of attacks by malicious local cPanel accounts and malicious WHM reseller accounts. The vulnerabilities included flaws in the ACL enforcement logic of the WHM interfaces that allowed non-root resellers to use the WHM interfaces and stored XSS attacks that a cPanel account could conduct against the root user. The moderated cPAddons install logic included further vulnerabilities that would allow a malicious cPanel user to execute arbitrary code as any other account on the system.

Credits
These issues were discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 71265

Summary
The autorespond.pl script was vulnerable to shell injection.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel autorespond script is used by cPanel and Webmail accounts to send vacation notices when the user is unavailable to answer their email. An input sanitization flaw in this script allowed a malicious local cPanel account to bypass other account restrictions, such as jailshell, while executing arbitrary code.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater

This issue was not introduced into the autoresponder.pl code until 11.38; 11.36 and prior are not vulnerable. Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Cases 74609 and 75113

Summary
The NVData module lacked proper sanitization, which allowed overwrites of files and path traversal.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The WHM interface uses an NVData subsystem to persistently store some settings of the web interface. This subsystem did insufficient validation of its inputs, allowing a malicious local reseller to corrupt NVData files belonging to other users and read files outside of the NVData subsystem. These flaws potentially allowed the reseller to change ownership and permissions settings on arbitrary files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Our GPG key is available at: http://go.cpanel.net/gnupgkeys (ABD94DDF)
The cPanel Security Team can be contacted at: security@cpanel.net

TSR-2013-0009-DetailedDisclosure

View the full article
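Case 73377 describes a condition a host can audit for directly: a cpmove archive sitting in /home with permissions that let other local users read it. The script below is an added example, not part of the advisory or of cPanel's own code; it walks a /home-style tree and reports every cpmove archive a non-owner could read. The cpmove-*.tar.gz name pattern and the sample tree built by demo() are assumptions constructed for the example.

```python
import os
import stat
import tempfile
from fnmatch import fnmatch

# cPanel account backups are conventionally named "cpmove-<user>.tar.gz"; the
# pattern is an assumption here, adjust it if your packager names them differently.
ARCHIVE_PATTERNS = ("cpmove-*.tar.gz", "cpmove-*.tar")
# Any read bit for group or other means the archive is not private to its owner.
NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def find_readable_archives(home_root):
    """Return (relative path, octal mode) for every cpmove archive under
    home_root that a non-owner could read. Only regular files count, and
    symlinks are not followed, so a user cannot redirect the audit."""
    findings = []
    for dirpath, _dirs, files in os.walk(home_root, followlinks=False):
        for name in files:
            if not any(fnmatch(name, p) for p in ARCHIVE_PATTERNS):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & NON_OWNER_READ:
                rel = os.path.relpath(path, home_root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def demo():
    """Build a constructed /home look-alike in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "alice"))
        exposed = os.path.join(root, "cpmove-alice.tar.gz")  # pre-fix state
        private = os.path.join(root, "cpmove-bob.tar.gz")    # hardened state
        other = os.path.join(root, "alice", "notes.txt")     # not an archive
        for p in (exposed, private, other):
            with open(p, "wb") as fh:
                fh.write(b"constructed sample, not a real archive\n")
        os.chmod(exposed, 0o644)  # the 644 mode the advisory describes
        os.chmod(private, 0o600)  # owner-only, what packaging should produce
        os.chmod(other, 0o644)    # ignored: name does not match the pattern
        return find_readable_archives(root)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"non-owner-readable cpmove archive: {rel} mode {mode}")
```

Run against a real /home as root it only reads metadata, so it is safe to schedule during transfers, which is exactly when the advisory says the exposure window opens.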
  23. TSR-2013-0009 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important. Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues.

This Targeted Security Release addresses 20 vulnerabilities in cPanel & WHM software versions 11.39, 11.38, 11.36, 11.34, and 11.32. Additional information is scheduled for release on August 29th, 2013.

For information on cPanel & WHM Versions and the Release Process, read our documentation at: http://go.cpanel.net/versionformat

For the PGP signed message, please go here.

View the full article