Administrator
-
Posts
103,842 -
Joined
-
Last visited
-
Days Won
5
Content Type
Profiles
Articles
Services
Forums
Events
Downloads
Blogs
Store
Gallery
Posts posted by Administrator
-
-
IPS Community Suite 4.0, the most significant update to IP.Board and the rest of our apps we've ever made, is fast approaching a state where we'll be ready for a public preview and, soon after that, public beta testing!
We know most of you are just as excited as we are about this and can't wait to try it out.
With 4.0, we've made some significant leaps in terms of modernization, and it's possible that you might need to do some preparation before you're ready to install it. Notably, our minimum PHP and MySQL versions have gone up. It's the first time we've needed you to do this in 6 years, and the versions we need you to have have been around for a long time, we're not requiring the latest versions.
In addition, 4.0 is UTF-8 only (if you don't know what that is, it's a way text can be stored in your database which you may or may not be using at the moment) and while the 4.0 upgrade process will convert your database for you if you're not already using it, this is a moderately time-consuming process, so if you convert your database now, it's one less thing to worry about on upgrade day.
To make this process as easy as possible, we have created a little script which you can upload to your server to test if you're ready.
-
-
I want to briefly show our new cover photo support. Cover photos allow users to upload an image to represent something in the community; we currently support them in profiles and calendar events and may roll out support to other areas later.
Here's a video of it in action for a calendar event.
It's really simple to use, and of course still works responsively like the rest of our default theme. We hope it adds a new element of customization for content in your community.
Developers
For developers, supporting cover photos in your own addons is as easy as you'd expect. A helper is available which handles the nitty-gritty for you; you simply add $item->coverPhoto() to your template, override a couple of methods in your controller, and optionally build your own menu to control the user interaction (or you can let the helper output them for you, as in the video above). That's it!
As always, screenshots are from pre-release software and are subject to change before release.
Attached Thumbnails
-
-
<p><em>6/3/2014</em><br /><em> Houston, TX -</em></p>
<p>cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which is now available in the CURRENT tier.</p>
<p>cPanel & WHM 11.44 offers a transfer and restore renovation, configuration clusters, a new edition of Paper Lantern, support access, and more.</p>
<p><strong>Transfer & Restore Renovation</strong><br />From simple log files and reports to a continuous transfer and restore process, a series of changes to transfer and restore functionality brings widespread benefits.</p>
<p><strong>Configuration Clusters</strong><br />cPanel & WHM now offers configuration clustering to streamline the process of updating multiple servers, adding a powerful boost in efficiency.</p>
<p><strong>Paper Lantern</strong><br />With a more agile, consistent framework, Paper Lantern for cPanel & WHM 11.44 signifies progress towards user interface perfection and stunning, user-created themes.</p>
<p><strong>Support Access</strong><br />Grant cPanel Support Access enables customers to quickly grant server access to cPanel support staff, therefore speeding up the resolution of issues with just a few mouse clicks.</p>
<p>Detailed information on all cPanel & WHM 11.44 features can be found at <a title="https://documentation.cpanel.net" href="https://documentation.cpanel.net" target="_blank">https://documentation.cpanel.net</a>. An overview of the latest features and benefits is also available at <a title="http://releases.cpanel.net" href="http://releases.cpanel.net" target="_blank">http://releases.cpanel.net</a>.</p>
<p>To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: <a title="http://cpanel.net/mailing-lists" href="http://cpanel.net/mailing-lists" target="_blank">http://cpanel.net/mailing-lists</a>.</p>
-
SUMMARY
cPanel, Inc. has released EasyApache 3.24.19 with PHP versions 5.5.13 and 5.4.29. This release addresses the PHP vulnerabilities CVE-2014-0237 and CVE-2014-0238 with fixes to bugs in the fileinfo extension. We encourage all PHP users to upgrade to PHP version 5.5.13 or PHP version 5.4.29.AFFECTED VERSIONS
All versions of PHP version 5.5 before 5.5.13.
All versions of PHP version 5.4 before 5.4.29.SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:CVE-2014-0237 – MEDIUM
PHP 5.5.13
Fixed bug in the fileinfo extension related to CVE-2014-0237.PHP 5.4.29
Fixed bug in the fileinfo extension related to CVE-2014-0237.CVE-2014-0238 – MEDIUM
PHP 5.5.13
Fixed bug in the fileinfo extension related to CVE-2014-0238.PHP 5.4.29
Fixed bug in the fileinfo extension related to CVE-2014-0238.SOLUTION
cPanel, Inc. has released EasyApache 3.24.19 with the updated versions of PHP 5.4 and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest versions of PHP automatically. Run EasyApache to rebuild your profile with the latest version of PHP.REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0237
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0238
http://www.php.net/ChangeLog-5.php#5.4.29
http://www.php.net/ChangeLog-5.php#5.5.13For the PGP-signed message, see EACVE3-24-19-Signed.
View the full article -
TSR-2014-0004 Full Disclosure
Case 78301
Summary
Correct patch for CVE-2002-1575 in cgiemail.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
cPanel & WHM includes a copy of Bruce Lewis’ cgiemail version 1.6. This version of cgiemail was vulnerable to CVE-2002-1575, allowing remote unauthenticated attackers to send email using the cgiemail script to destination addresses of the attackers’ choosing.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 92733
Summary
Session file name disclosure via SafeFile command line rewriting.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
The SafeFile functionality of cPanel provides for safe file locking and opening. When attempting to obtain a lock on a file, the executable name ($0) was set to include the target file name for debugging purposes. This exposed potentially sensitive session information.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 92745
Summary
Private SSH key passwords disclosed during key generation and import.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
The cPanel & WHM API1 and API2 calls that imported, generated, and converted SSH keys using the ssh-keygen binary supplied the password for the private key using command line arguments. This revealed the private password to other accounts on the system while ssh-keygen was executing.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 93017
Summary
Arbitrary Code Execution via WHM Thirdparty Service Calls.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
The WHM /scripts2/showservice and /scripts2/saveservice URLs took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, a malicious authenticated reseller could execute arbitrary code as root.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 93021
Summary
Arbitrary code execution via Cpanel::Thirdparty::serviceinfo API call.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
The Cpanel::Thirdparty::serviceinfo API1 call took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, an authenticated cPanel user could execute arbitrary code, potentially bypassing other restrictions placed on the account.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 93269
Summary
Transfer CGI scripts allow downloads of a cPanel account.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The WHM ‘Copy an Account From Another Server With an Account Password’ functionality will first attempt to use XML-API calls to generate and download a backup of the remote account. Should this call fail, a fallback method using FTP and HTTP will be attempted. Under some circumstances, the CGI scripts utilized by this fallback method would remain installed on the account after the transfer was complete, potentially allowing remote attackers to download a copy of the transferred account.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.1.16
11.40.1.14Case 94077
Summary
Denial of service via Boxtrapper cgi-sys script.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
The Boxtrapper bxd.cgi script used to confirm an email for delivery did not properly validate the account parameter passed to it by the user. By injecting null values into this parameter, an unauthenticated attacker could trigger an infinite loop in the script, potentially exhausting server resources.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 95617
Summary
Arbitrary database access via cpmysqladmin ADDDBPRIVS command.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The cpmysqladmin ‘ADDDBPRIVS’ command allowed cPanel users to add read and write privileges to a database. Ownership of the specified database was not properly validated during this process, allowing the user to read and write any database on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.1.16
11.40.1.14Case 96301
Summary
Arbitrary permissions change via fixsuexeccgiscripts script.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The fixsuexeccgiscripts script run during the nightly UPCP process on cPanel & WHM systems scanned Apache’s suexec_log for indications of misconfigured CGI scripts. Scripts that generated errors were automatically set to 0755 permissions. The functionality that changed permissions on defective scripts performed insufficient validation of the targets, allowing a local attacker to set any file on the system to 0755 permissions.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 96381
Summary
Arbitrary file ownership change via chownpublichtmls script.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
The chownpublichtmls script is intended to correct the ownership on users’ public_html directories. This script used an obsolete version of the safe_recchmod() function that was vulnerable to a race condition attack. This could allow a local attacker change the ownership of arbitrary files.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 96541
Summary
Arbitrary code execution as root via WHM “Check and Repair a Perl Script”.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The Check and Repair Perl Script functionality of WHM was vulnerable to a Time-of-check/Time-of-use attack. The UID this functionality would execute under was determined by a simple stat of the target file, followed by the execution of the script using “perl -c”. A local attacker could leverage this flaw to execute arbitrary code as root when this interface was used on a script under the attacker’s control.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 96697
Summary
Arbitrary permissions change via multiple scripts.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
Obsolete versions of several functions provided by the Cpanel::SafetyBits module were duplicated inside the safetybits.pl script and used in several command line scripts provided with cPanel & WHM. The obsolete versions of these functions allowed a local attacker to change the permissions on arbitrary files under some circumstances.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 97289
Summary
Bypass of local zone ownership restrictions via DNS clustering commands.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
The DNS clustering commands allow for DNS zones to be synced across a cluster. When a zone is owned by a local user, these commands restrict modification of the zone to the reseller account that owns the zone and reseller accounts with the “All” ACL. This functionality was subject to several flaws that allowed an authenticated attacker with the “Clustering” ACL to modify zones belonging to other resellers on the system.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 97293
Summary
Miscategorization of DNS Clustering ACL.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
The “Clustering” ACL in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the “Standard Privileges” grouping. This ACL should be listed under the “Super Privileges” grouping since the ACL is intended for sensitive DNS clustering configuration and synchronization operations that bypass many restrictions on DNS zone modifications.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 97737
Summary
Arbitrary YAML file read via Configure Customer Contact.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The WHM Configure Customer Contact interface allows a reseller to set contact information visible by their users. The YAML file containing this information is inside the reseller’s home directory and was read with the effective UID of root. By manipulating this file, an authenticated reseller could read the contents of arbitrary YAML files on the system.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 97841
Summary
Mailman list password disclosed to local users during password change.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
Mailman’s change_pw script takes the password as a command line argument. When changing a mailing list’s password, the new password was leaked to other users logged into the system via command line arguments.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Case 98121
Summary
Miscategorization of Locales ACL.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
The “local-edit” ACL listed in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the “Global Privileges” grouping. This ACL should be listed under the “Super Privileges” grouping since the ACL allows the reseller to control the display of translations, including embedded HTML, in all cPanel & WHM interfaces.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14Multiple Cases (35)
Summary
Multiple XSS vulnerabilities in various interfaces.
Description
Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.
Case: 90761
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/ftp/accounts.html, /frontend/paper_lantern/ftp/accounts.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Mateusz GoikCase: 93117
Security Rating: Moderate
XSS Type: Reflected
Interface: cPanel
URLs: /cgi-sys/guestbook.cgi
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 93141
Security Rating: Moderate
XSS Type: Reflected
Interface: Entropy Chat
URLs: /
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 93641
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/paper_lantern/mail/auto_responder.tt, /frontend/x3/mail/auto_responder.tt
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 93965
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/filemanager/index.html, /frontend/paper_lantern/filemanager/index.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 93985
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/addoncgi/cpaddons.html, /frontend/paper_lantern/addoncgi/cpaddons.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 94081
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts4/listaccts
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911Case: 94741
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/spam/addspamfilter.html, /frontend/paper_lantern/mail/spam/addspamfilter.html
Affected Releases: 11.43.0, 11.42.1
Reporter: cPanel Security TeamCase: 94745
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/filters/delfilter.html, /frontend/x3/mail/filters/delfilter.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 94773
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/addon/index.html, /frontend/x3/denyip/index.html, /frontend/x3/ftp/accounts.html, /frontend/x3/mail/archive.html, /frontend/x3/mail/autores.html, /frontend/x3/mail/boxtrapper.html, /frontend/x3/mail/filters/managefilters.html, /frontend/x3/mail/fwds.html, /frontend/x3/mail/lists.html, /frontend/x3/park/index.html, /frontend/x3/psql/index.html, /frontend/x3/sql/index.html, /frontend/x3/subdomain/index.html, /frontend/paper_lantern/addon/index.html, /frontend/paper_lantern/denyip/index.html, /frontend/paper_lantern/ftp/accounts.html, /frontend/paper_lantern/mail/archive.html, /frontend/paper_lantern/mail/autores.html, /frontend/paper_lantern/mail/boxtrapper.html, /frontend/paper_lantern/mail/filters/managefilters.html, /frontend/paper_lantern/mail/fwds.html, /frontend/paper_lantern/mail/lists.html, /frontend/paper_lantern/park/index.html, /frontend/paper_lantern/psql/index.html, /frontend/paper_lantern/sql/index.html, /frontend/paper_lantern/subdomain/index.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 94793
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/conf.html, /frontend/paper_lantern/mail/conf.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 94825
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/dodelpop.html, /frontend/paper_lantern/mail/dodelpop.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 94929
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mime/addredirect.html
Affected Releases: 11.43.0, 11.42.1
Reporter: cPanel Security TeamCase: 94937
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/sql/wizard4.html, /frontend/x3/sql/wizard4.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 95577
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/denyip/delconfirm.html, /frontend/paper_lantern/denyip/delconfirm.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 95805
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/ftp/dologoutftpconfirm.html, /frontend/x3/ftp/dologoutftpconfirm.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96017
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mime/delredirect.html, /frontend/x3/mime/delredirect.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96021
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/clamavconnector/scanner.html, /frontend/x3/clamavconnector/live_disinfect.html, /frontend/x3/clamavconnector/disinfect.html, /frontend/paper_lantern/clamavconnector/scanner.html, /frontend/paper_lantern/clamavconnector/live_disinfect.html, /frontend/paper_lantern/clamavconnector/disinfect.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96201
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/doresetresellers
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96209
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/domultikill
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96245
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /cgi/statmanager.cgi
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911Case: 96385
Security Rating: Important
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/ftp/session.html, /frontend/paper_lantern/ftp/session.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911Case: 96485
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts5/showacctcopylog
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911Case: 96505
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/rescart
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96509
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts/repairmysql
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96521
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/doresmailman
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96525
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts2/convertmaildir
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96545
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/doeditzonetemplate
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 96637
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /cgi/trustclustermaster.cgi
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911Case: 96801
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/doconfiguremailserver
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 99213
Security Rating: Minor
XSS Type: Stored
Interface: WHM
URLs: /scripts5/setupremotemysqlhost
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 99309
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts2/editzonetemplate
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 99365
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts5/copy_account_input
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 99377
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts5/remotemysqlhost
Affected Releases: 11.42.1, 11.40.1
Reporter: cPanel Security TeamCase: 99957
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cgi/modify.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security TeamcPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.
Credits
These issues were discovered by the respective reporters listed above.
Solution
These issues are resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-FullDisclosure.txt
View the full article -
-
<p><strong>TSR-2014-0004</strong></p>
<p>cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.</p>
<p>cPanel has rated these updates as having security impact levels ranging from Minor to Important.</p>
<p>Information on cPanel’s security ratings is available at <a href="http://go.cpanel.net/securitylevels" title="http://go.cpanel.net/securitylevels" target="_blank">http://go.cpanel.net/securitylevels</a>.</p>
<p>If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.</p>
<p><strong>RELEASES</strong></p>
<p>The following cPanel & WHM versions address all known vulnerabilities:</p>
<p>* 11.43.0.12 & Greater<br />* 11.42.1.16 & Greater<br />* 11.40.1.14 & Greater</p>
<p>The latest public releases of cPanel & WHM for all update tiers are available at <a href="http://httpupdate.cpanel.net" title="http://httpupdate.cpanel.net" target="_blank">http://httpupdate.cpanel.net</a>.</p>
<p><strong>SECURITY ISSUE INFORMATION</strong></p>
<p>The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.</p>
<p>Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 52 vulnerabilities in cPanel & WHM software versions 11.44, 11.42, and 11.40.</p>
<p>Additional information is scheduled for release on May 26th, 2014.</p>
<p>For information on cPanel & WHM Versions and the Release Process, read our documentation at: <a href="http://go.cpanel.net/versionformat" title="http://go.cpanel.net/versionformat" target="_blank">http://go.cpanel.net/versionformat</a></p>
<p>For the PGP-signed message, see <a href="http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-Accouncement.txt" title="http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-Accouncement.txt" target="_blank">http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-Accouncement.txt</a></p>
-
We've previously shown how responsiveness works in the AdminCP, but I'd like to briefly introduce responsiveness on the front end, and pick a few views to show you as examples (this will be a screenshot-heavy entry!)
What is responsiveness?
Before we get to that, allow me to recap what responsiveness is. Responsive design is a method by which you design one page in such a way that it adapts for the available screen space on the device the user is using. This means that one theme handles both the full desktop view and the condensed mobile view with some clever CSS, in contrast to 3.x where we had a separate mobile skin.
When we took the decision to use responsive design for IPS4, one key aim was to ensure that the mobile view isn't feature reduced. We want all functionality and all areas of the suite to be available regardless of device, and with only a couple of exceptions we're on track to deliver this.
Primary navigation
In mobile view, the primary navigation collapses and moves to a menu accessible with the icon in the top-right. The breadcrumb becomes a 'Back' control, taking you up a level from the current page:
The primary navigation, when opened, looks like this:
Moderation
Given that the responsive theme supports all functionality, this naturally includes moderation. IPS4 support full moderation capabilities regardless of the device you're using. Here's an example of moderating images in Gallery. Notice the menu to quickly select types of content to moderate, as well as the floating toolbar at the bottom of the screen to choose actions.
Settings page
Taking the settings area as an example, here's the same screen at the three supported breakpoints - desktop, tablet and mobile.
Profile view
Here's profile view (which we covered in more detail here) as seen on a phone:
Calendar
Calendar views on mobile:
Gallery
Viewing albums & images in a category:
Blog
The blog homepage:
And viewing a blog:
Forums
Submitting a topic on mobile:
Conclusion
So that wraps up this round-up of responsive views. Naturally, there's many more views than this in the suite and we can't show screenshots of every single one, but hopefully this entry has given you a taste of a variety of views, and a better idea of how we're approaching mobile users in IPS4.
As always, screenshots are from pre-release software and are subject to change before release.
Attached Thumbnails
-
-
Profiles are one of the key sections of a community, as everyone knows. They are what represent your users; where their information is shown and their content is gathered. When users contribute quality content to your community, their profile is where other users go to find it in one place. In short, it's an important area.
In IPS4, profiles have had a complete makeover. There's a lot to cover, so I'll start with a numbered screenshot, and address each section individually (please note this is a large image; if you're on mobile, you may wish to wait to view it full-size).
1 - Header images
In 3.x, users could customize their profiles by uploading a background image. In practice, this didn't work well when the software was integrated into an existing website design, and the options presented often ended up with a garish profile. In addition, social networks like Facebook and Twitter have adjusted user expectations on how profiles are customized.
In IPS4, instead of page backgrounds, users instead get to customize their profile header image. This provides the best of both worlds - ample space to choose something creative, but it's contained and won't mess up a website design.
2 - Reputation
The user's current reputation count is shown prominently in the info column, letting other users know if this member is an asset to the community.
3 - Warnings
For moderators/staff, the profile now provides quick access to warning tools. By expanding the panel, they can see a brief history of recent warnings:
And clicking one of these pops up the warning details:
New warnings can also be issued inline, of course.
4 - Followers
Followers replace friends in IPS4, and the user's followers are shown in this block. Instead of requiring mutual acknowledgement as with the traditional friends system (an approach that isn't entirely useful in a community of anonymous users), in IPS4 you follow users whom you find interesting in order to be updated when they contribute to the community. Users can of course prevent others from following them, if that is a concern to them. We'll have more details on how followers works in a later entry.
5 - About the user
Traditional information about the user is shown in the next block, including custom profile fields.
6 - Recent visitors
Recent visitors to this user's profile are shown next. As with 3.x, this can be toggled on and off by the profile owner. In 4.x, this is done by clicking the X in the corner of the block.
7 - Follow/Message member
These primary buttons enable others to follow the user (if enabled), and send a new message inline, without leaving the page.
8 - User's content
In 3.x, browsing a user's content was handled by the search area of the community (though links were available in the user's profile and hovercard). We felt this wasn't the best place for it, though. After all, a user's content should be available in their profile.
That's what this button does. It switches the profile view to 'content browsing' mode, where you can see everything the user has done. It's smooth and buttery, and because it all loads dynamically, it feels like a true part of the profile. Here's a video of it in action (14MB)
9 - Long-form custom profile fields
IPS4 supports various kinds of custom profile fields, including rich-text editors for long, styled content. Those custom profile fields will be shown in the main section of the profile where they get the space they need to be effective. About Me is a default field, but you can of course add your own too for your users to fill in.
10 - User's 'Nodes'
A node is a fancy developer term for content containers that a user creates themselves, like gallery albums and blogs (as opposed to forum categories, which are created by the admin). In IPS4, a user's 'nodes' are shown right on their profile page, making it easy to find more interesting content from the user. In this screenshot, you can see my profile is showing my albums, my blogs, and other blogs to which I contribute.
For developers, supporting your application in this section is easy too.
11 - Status feed
The status feed from 3.x is of course still present, and the interaction is all inline without leaving the page.
Conclusion
That's profiles in 4.0. We hope the new focus on content and streamlined design provides a better experience for your users!
As always, screenshots are from pre-release software and are subject to change before release.
Attached Thumbnails
-
-
A while ago I blogged about some of the internationalization and localization changes in 4.0. One of the things I mentioned is a "Visual Language Editor" which allows you to quickly change any of the verbiage used throughout the suite just by clicking on a word of phrase.
Not only is the really useful for those who want to translate the IPS Community Suite into another language, it can also be used to easily change words and phrases as you like (for example if you want a link to say "Register" rather than "Sign up") - it can even be used to rename forums, categories, etc.
Before I couldn't show you it in action as we weren't quite ready to show the front-end interface but now here's a video of the feature in action:
Attached Thumbnails
-
-
IP.Board 3.x supports "My Media", which enables you to share other content from within the community by using the "My Media" button on the editor. This results in:
While this works, it has a few shortcomings:
- The styling of the block isn't really designed for each type of content it might show
- Users have to click the My Media button, then browse for the item, when they probably already know the URL they want to link to
- Not all content types are supported; e.g. you can't use My Media to link to a topic.
- For developers, implementing support for My Media in other applications was a process involving extension files and multiple methods
We wanted to make sharing existing content much easier in IPS4, both for users and developers. "Embeddable content" is our solution.
How to use it
To embed content from elsewhere in the community, here's a step by step guide:
- Paste a link to it
That's it! When you paste a link to almost any kind of content, whether it's a forum topic, calendar event, gallery album or more, IPS4 will automatically embed a small preview of the content, designed specifically for that content. In order to not disrupt an existing paragraph of text however, the embedded block won't be used if the link is surrounded by text. Embedded content only shows if the link is pasted on its own line, giving users more control over their post.
Here's what a post looks like with a few embedded types shown:
Embedded content can be used anywhere as you'd expect, including posts and comments, but also status updates, IP.Content articles, and so on.
For developers
Supporting embedded content in your apps is very easy; your content model simply has to implement IPSContentEmbeddable:
class _Topic extends IPSContentItem implements ... IPSContentEmbeddable
Your controller then simply looks for an embed request and returns HTML - that's it. Our default blocks also have their own template and CSS file, so theme designers can change the styling on a per-theme basis.Conclusion
Our hope is that this easier method of embedding content encourages more cross-posting and highlighting of good content in IPS4. The process is almost wholly automatic, meaning users don't have to think in order to share great content with others.
As always, screenshots are from pre-release software and are subject to change before release.
Attached Thumbnails
-
One of the most distinctive uses for a forum is that of a 'knowledge community', where users visit in order to get help with a problem or question. Our own Pre-sales forum uses this model, but we also have many customers who run forums that are almost exclusively knowledge-based (such as Roxio and Evernote).
IP.Board 3.x introduced the concept of a "Best Answer" flag, allowing topic creators and staff the ability to highlight the reply to a topic that they deem best answers the question. This shows a snippet of the post in green at the top of the topic. Many sites now use this feature, but for IPS4 we wanted to expand the functionality offered for these types of forums.
Question & Answer Forums
Forums in IPS4 will enable you to set a forum as a "Q&A Forum". This adjusts the forum to be specifically designed for knowledge sharing. Instead of topics and posts, it has questions and answers.
On the forum index, the forum will be shown as a Q&A forum with its forum icon (unless you've set a custom forum icon for that forum):
Forum View
When you enter the forum, instead of the normal topic listing, you see a list of questions:
You'll see here that questions that have a best answer are indicated with a green checkbox. You'll also notice that one of the stats on the right hand side is 'votes'. In Q&A forums, questions can be voted up or down by users, in order to give them more visibility. More popular questions will bubble to the top (depending on the age of the question). You can of course still order by more traditional methods, if you wish.
Popular questions from the past 30 days are also highlighted at the top of the forum, providing an up-to-date 'knowledgebase' that other users can see. Using our own presales forum as an example, if someone asked a question about an important feature and it was voted highly, other users visiting the forum would see it right at the top, which is great for content visibility and helping users get the answers they're looking for with minimal fuss.
Question View
Clicking into a question shows an adjusted topic view:
The question (i.e. the first post) is shown at the top of the page on all pages, with answers listed below. You'll see that replies can also be voted up and down - in fact, this determines the order in which answers are shown inside the question. Popular answers, as determined by the community, will appear at the top, with worse or incorrect answers being pushed down. This is great for quickly finding the best information for the question at hand; in IP.Board 3.x, all too often a high-quality answer will appear in the middle of a topic and unfortunately go unnoticed by the topic creator or others looking for an answer. You can still sort answers by date, if you prefer.
In the screenshot above you can also see the first post is marked as the best answer. "Best Answer" always appears at the top, regardless of its vote count.
Question/answer ratings are separate from reputation, so you can of course still "Like" posts even if you don't think they're a good answer to the question.
Conclusion
So that's the new Q&A feature for IP.Board. We think it'll a big step forward for knowledge-driven communities using IP.Board, or even individual forums in other communities (like our pre-sales forum), helping users find answers to their questions more efficiently, and ultimately making your communities more useful.
As always, screenshots are from pre-release software and are subject to change before release.
Attached Thumbnails
-
-
http://forums.audioholics.com/forums/amps-pre-pros-receivers/18964-denon-zone-2-help.html
In the "System setup menu" there should be an option for "Zone 2 control," select this. In that menu look for "Zone 2 vol. level," select that. Mine gives the options of 0db, -40db, or variable. You probably have the -40db option selected, change this to variable. Then make sure when you use your remote to press the "Zone 2" button to enable zone 2 volume changes.
-
http://www.avforums.com/threads/avr-1907-zone-2-woes.529441/
First thing to bear in mind is that only analog sources are output to Zone 2. Make sure the Mode Selector 1 switch on the remote is set to Audio then switch the Mode Selector 2 switch to Zone 2. Press the Zone 2 ON button to switch on Zone 2. Then press one of the function buttons to select your Source e.g CD. You then use the Volume Buttons as normal. The default volume setting is off so just increase the volume up to the level you want.You can also select Zone 2 from the front panel buttons by pressing the Zone 2/Rec Select button. Zone 2 Source will appear on the display and the Zone 2 indicator should light up and then you turn the main function knob to the Input you want to listen to.
-
SUMMARY
cPanel, Inc. has released EasyApache 3.24.18 with PHP versions 5.5.12 and 5.4.28. This release addresses the PHP vulnerability CVE-2014-0185 with the fix to a bug in the FPM package. We encourage all PHP users to upgrade to PHP version 5.5.12 or PHP version 5.4.28.AFFECTED VERSIONS
All versions of PHP version 5.5 before 5.5.12.
All versions of PHP version 5.4 before 5.4.28.SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:CVE-2014-0185 – MEDIUM
PHP 5.5.12
Fixed bug in the FPM package related to CVE-2014-0185.PHP 5.4.28
Fixed bug in the FPM package related to CVE-2014-0185.SOLUTION
cPanel, Inc. has released EasyApache 3.24.18 with the updated versions of PHP 5.4 and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest versions of PHP automatically. Run EasyApache to rebuild your profile with the latest version of PHP.REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0185
http://www.php.net/ChangeLog-5.php#5.4.28
http://www.php.net/ChangeLog-5.php#5.5.12For the PGP-signed message, see EA-CVE-3-24-18-Signed.
View the full article -
cPanel & WHM software version 11.38 has reached End of Life.
In accordance with our EOL policy [http://go.cpanel.net/longtermsupport],11.38 will continue functioning on servers. The last release of cPanel & WHM 11.38, 11.38.2.23, will remain on our mirrors indefinitely. You may continue using this last release, but no further updates, such as security fixes and installations, will be provided for 11.38. Older releases of cPanel & WHM 11.38 will be removed from our mirrors.
We strongly recommend that all customers migrate any existing installations of cPanel & WHM 11.38 to a newer version (either 11.40 or 11.42).
If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.
About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.For the PGP-signed message, see 11.38.EOL.
View the full article -
-
-
-
Click Start, type regedit in the Start Search box, and then press ENTER.
- Locate and then right-click the following registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Point to New, and then click DWORD Value.
- Type EnableLinkedConnections, and then press ENTER.
- Right-click EnableLinkedConnections, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Exit Registry Editor, and then restart the computer.
- Locate and then right-click the following registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-
We are releasing patches for IP.Board 3.3.x, IP.Board 3.4.x and IP.Nexus 1.5.x to address three potential file inclusion issues recently reported to us, as well as one cross site scripting issue reported to us.
It has been brought to our attention that certain PHP configurations allow for a potential file inclusion security issue through some of our files intended to be run from the command line. We are releasing patches today to resolve this issue.
Additionally, it has been brought to our attention that through social engineering it is possible to direct a user to a page which can trigger an XSS (cross site scripting) attach. We are also releasing a patch today to resolve this issue.
To apply the patch
Simply download the attached zip for your IP.Board version and upload the files to your forum server. You do not need to run any scripts or the upgrade system. The attached zip files also include the patch for IP.Nexus, if you are using IP.Nexus.IP.Board 3.3.x
3.3.x.zip 28.75KB 140 downloadsIP.Board 3.4.x
3.4.x.zip 31.31KB 1420 downloadsIf you are an IPS Community in the Cloud client running IP.Board 3.3 or above, no further action is necessary as we have already automatically patched your account. If you are using a version older than IP.Board 3.3, you should contact support to upgrade.
If you install or upgrade to IP.Board 3.4.6 or IP.Nexus 1.5.9 after the date and time of this post, no further action is necessary as we have already updated the main download zips.
We extend our thanks to sijad ( http://community.invisionpower.com/user/194954-sijad/ ) for notifying us of the file inclusion issue privately and promptly.
We extend our thanks to Christian Schneider (@cschneider4711) (http://www.christian-schneider.net/) for notifying us of the cross site scripting issue as well.
View the full article -
One of IPS Community Suite 4's main goals was to overhaul the user interface. We wanted to go further than just a few cosmetic changes to the theme, we wanted to examine each part of the user interface and see what could be improved. The community suite has a lot of functionality and there's a lot of tools that we all use regularly so we felt that any improvements on these common areas would be very welcomed.
I'd like to focus on such a change in IP.Downloads.
IP.Downloads has always had version control. Essentially, this allows you to upload new versions and keep a historical record of the older versions. You can read change logs and even download older versions where allowed.
Let's take a look at how IP.Board 3 does it currently:
Although there's nothing particularly wrong with this form, we can see that it mixes up the ability to upload a new version with the general file settings such as title and description. The end result is a bit confusing and a little intimidating the first few times you use it. The section to add your change log is a little lost in the file information block.
Now lets take a look at how IPS Community Suite 4 handles this:
The first step is to enable download revisions for this category inside the Admin CP.
Now that this has been enabled, lets navigate to the "File Actions" menu to upload a new version.
This loads the "Upload a new version form". As you can see, it's very clean, very easy to follow and isn't cluttered with settings and text fields that you aren't interested in editing.
Once you've uploaded your new version, you can see what's new on the file listing page.
You can even view previous change logs and the download link without leaving the page.
Conclusion
As this blog entry shows, IPS Community Suite 4 is really focused on making real improvements to everyday interfaces. We believe that these changes are very important to modernise the suite and to make it as easy to use as possible.
Attached Thumbnails
-
-
http://support.quickbooks.intuit.com/support/articles/SLN64929
Resolve QuickBooks performance issues, Part 4, Manage your data fileIf you are having issues with the performance of your QuickBooks installation, your company file may be the root cause. You have options you can use to resolve such issues.
Be sure that all QuickBooks installations, including the data manager on the host /server, are running the latest release of your current QuickBooks version. To update QuickBooks, from the menu bar, select Help and then choose Update QuickBooks.
If these solutions don't resolve the issue, you can read discussions and post messages and questions relating to your issue on the Intuit QuickBooks Community site for free. You can contact an agent for additional guidance. Fees may apply.
Your company data file sizeQuickBooks' performance decreases as the size of the company file increases. There are no actual limits on the size of your company data file, but performance may be hindered if your network is not capable of handling files that have:
- More than 500 MB in Pro or Premier.
- More than 1.5 GB in QuickBooks Enterprise Solutions.
- More than seven years of transaction history.
Set company and personal preferencesOptimize operationsMaintain lists
11.44 Now in RELEASE Tier
in CPanel News
Posted
6/17/2014
Houston, TX -
cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which is now available in the RELEASE tier.
cPanel & WHM 11.44 offers a transfer and restore renovation, configuration clusters, a new edition of Paper Lantern, support access, and more.
Transfer & Restore Renovation
From simple log files and reports to a continuous transfer and restore process, a series of changes to transfer and restore functionality brings widespread benefits.
Configuration Clusters
cPanel & WHM now offers configuration clustering to streamline the process of updating multiple servers, adding a powerful boost in efficiency.
Paper Lantern
With a more agile, consistent framework, Paper Lantern for cPanel & WHM 11.44 signifies progress towards user interface perfection and stunning, user-created themes.
Support Access
Grant cPanel Support Access enables customers to quickly grant server access to cPanel support staff, therefore speeding up the resolution of issues with just a few mouse clicks.
Detailed information on all cPanel & WHM 11.44 features can be found at https://documentation.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.
To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.
View the full article