cPanel Horde Vulnerability Found - GoFuckYourself.com

DateDoc · 03-06-2008, 07:19 PM

I just got this email and though I'd pass along this warning.....

Quote:

An arbitrary file inclusion vulnerability has been discovered in the Horde
webmail application. At present, we can confirm that this security
vulnerability in question affects Horde 3.1.6 and earlier. Based on
incomplete information at this time, we also believe this affects Horde
Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware
at this time).

cPanel customers should update their cPanel and WHM servers immediately to
prevent any chance of compromise. The patch will be available in builds
11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated
builds will be available immediately to all fast update servers. The
builds will be available to all other update servers within one hour of
this posting.

To check which version of cPanel and WHM is on your server, simply log
into WebHost Manager (WHM) and look in the top right corner, or execute
the following command from the command line as root:

/usr/local/cpanel/cpanel -V

You can upgrade your server by navigating to 'cPanel' -> 'Upgrade to
Latest Version' in WebHost Manager or by executing the following from the
command line as root:

/scripts/upcp

It is recommended that all use of Horde 3.1.6 and earlier be stopped (on
cPanel and non-cPanel systems alike) until Horde updates can be applied.
You can disable Horde on your cPanel system by unchecking the box next to
'Server Configuration' -> 'Tweak Settings' -> 'Mail' -> 'Horde Webmail'
within WHM, and saving the page with the new settings.

baddog · 03-06-2008, 07:20 PM

Resource hog with exploits, long live DirectAdmin

Jet - BANNED FOR LIFE · 03-06-2008, 07:23 PM

Horde?

What if I'm on Alliance side? Is it safe?

XSecurityAudit · 03-06-2008, 07:51 PM

Quote:

Originally Posted by Jet

Horde?

What if I'm on Alliance side? Is it safe?

Do you happen to be the same Jet that wrote the bindscanner a long time ago? ADM!ADM!ADM! If not, nevermind

Kick Ass Chat · 03-06-2008, 08:14 PM

Quote:

Originally Posted by baddog

Resource hog with exploits, long live DirectAdmin

Agreed...

CyberHustler · 03-06-2008, 08:19 PM

DirectAdmin > cPanel

Altheon · 03-06-2008, 10:19 PM

DateDoc, thank you for posting the info. I just updated my server.

John. · 03-06-2008, 10:23 PM

Thanks dude

SiMpLe · 03-06-2008, 10:25 PM

For The Horde!

DateDoc · 03-07-2008, 10:26 AM

bump for the morning crew

03-06-2008, 10:23 PM	#8
John. Confirmed User Industry Role: Join Date: Jul 2007 Location: Europe Posts: 2,264	Thanks dude __________________ Sig too old.

03-06-2008, 10:25 PM	#9
SiMpLe Confirmed User Join Date: Feb 2002 Location: Porn Central - California Posts: 3,221	For The Horde! __________________ Sean Holland Vice President OrbitalPay / Global Electronic Technology (GET) SKYPE: iam.sean ::: sholland at orbitalpay.com 888-775-1500

03-07-2008, 10:26 AM	#10
DateDoc Outside looking in. Industry Role: Join Date: Feb 2005 Location: To Hell You Ride Posts: 14,243	bump for the morning crew __________________

03-06-2008, 07:20 PM	#2
baddog So Fucking Banned Industry Role: Join Date: Apr 2001 Location: the beach, SoCal Posts: 107,089	Resource hog with exploits, long live DirectAdmin

03-06-2008, 07:23 PM	#3
Jet - BANNED FOR LIFE So Fucking Banned Join Date: Sep 2002 Posts: 7,515	Horde? What if I'm on Alliance side? Is it safe?

03-06-2008, 08:19 PM	#6
CyberHustler Masterbaiter Industry Role: Join Date: Feb 2006 Posts: 26,144	DirectAdmin > cPanel

03-06-2008, 10:19 PM	#7
Altheon Confirmed User Join Date: May 2004 Posts: 506	DateDoc, thank you for posting the info. I just updated my server.