29 comments

[ 3.1 ms ] story [ 76.3 ms ] thread
This is the upgrade procedure for a critical security vulnerability found here: http://www.webhostingtalk.com/showthread.php?t=1275572
Wow that guy is a complete nut. Google even recently said 7 days is enough time (after their employee released that exploit), and this guy had 2 weeks (which is actually more than anyone usually gets, if they get anything).
Google said 7 days for active exploits; critical vulnerabilities that are not being actively exploited are given 60 days.

I agree that the responses from the company in the linked thread are awful.

Errmmm, is that _really_ asking for root ssh credentials over an unencrypted http form?

_REALLY?_

If you're running CPanel, security is probably not a priority for you anyway.
"Special characters may not work."

I guess we should change our root passwords to "root123" so upgrading becomes easier.

I guess a real script with "curl zamfoo.com/?license=$ZAMFOO_LICENSE" | sh" was too hard so I'm better off giving my root password to strangers.
I hope you are bring sarcastic. Never ever do something like that! Or would you also blindly execute anything I tell you to?
That's the point. That's exactly what the form is having you do.
Sarcastic. Not too long ago, npm install was done that way. And IIRC I had to install some Python package manager that way too (or was it PHP?).
That's still the recommended way to install Distribute (for Python) [1] -- though they at least don't recommend you pipe it to sh directly.

Composer (for PHP) [2] also uses this install method, but you can just download the Phar file from their Web site directly -- all the sh script does is check PHP settings and dependencies.

[1]: http://pythonhosted.org/distribute/

[2]: http://getcomposer.org/

See this thread for their response: http://www.webhostingtalk.com/showthread.php?t=1275572.

I tried submitting it to HN, but I receive an error "stop spamming us, you are wasting your time". Anyone knows why this is? (I'm most definitely not a spammer)

That thread is absolutely incredible.
This is part of what the developer released to fix the security vulnerability disclosed responsibly on WHT [1] tl;dr of that thread by the OP [2] . Beyond the ridiculous response of the developer in the thread, the fix released doesn't even fix the issue. Some other security researcher released the root vuln [3] and basically every install of this software is about to be rooted. And that's all before the ridiculousness of passing a root password over http, which strips "special characters" that is used to login to your box and upgrade their software. If you read the linked thread, it's like a case study on how to NOT respond to a security disclosure.

[1] - http://www.webhostingtalk.com/showthread.php?t=1275572 [2] - http://www.webhostingtalk.com/showpost.php?p=8727714&postcou... [3] - http://localhost.re/p/zamfoo-120-vulnerability

Also a clear case of how not to write software, I mean the architecture is just designed for insecurity. Always been very suspicious of the whole class of "control panel" software from a security angle.
The upgrading process seems easy Just have to send your IP address, root user name, password, and license key through a form...and you can do it through the fast http scheme rather than the slow https.
1. What is Zamfoo? I've clicked through a few Google results and all I see are references to WHM and various levels of being a "Reseller". I guess I'm not irritated by Zamfoo's lack of a great About page as I am about the fact that there are still business tech acronyms that I've never encountered before...and I thought mastering "CMS" and "ROI" was good enough

2. It seems like this is mostly a one-person shop, with the site owner answering the emails and forum discussions. Ugh, nothing like having to maintain holey software yourself...though obviously, I feel much sorrier for anyone who's gotten/is getting hacked.

Zamfoo is a rather silly plugin for cPanel/WHM that allows a server admin to create accounts that can create reseller accounts. Effectively, it's taking the concept of a reseller account (a cPanel account that can create cPanel accounts) and iterating it, several times. For instance, it adds a new "master reseller" account type that can create resellers (which can create normal accounts), as well as "alpha resellers" which can create master resellers (which can create resellers which can create normal accounts).

If you're wondering what the practical purpose of this is... there isn't one, really. But apparently some WHM resellers (and iterated resellers, I suppose) are interested in this sort of thing for some reason, so it exists.

Personally, I just feel sorry for the end users at the far end of this software, behind as many as three or four levels of reselling. That's got to be a pretty damn awful customer experience.

At first I was going to say, "But yes, what does 'WHM' mean?"...but then I just Googled it up and see that it's some other kind of software, not a business term:

http://en.wikipedia.org/wiki/WHM#WHM_.28Web_Host_Manager.29

> WebHost Manager (WHM) is a web-based tool used by server administrators and resellers to manage hosting accounts on a web server. WHM listens on ports 2086 and 2087 by default.

I was thinking it meant "warehouse management", with all the "reselling" involved...I also figured the kind of people who might install it are looking for some quick fix (if insecure) software to manage their warehouses...

cPanel and WHM are two components of the same software package. cPanel is the customer-facing side for managing hosting accounts; WHM is the other end, for managing those accounts and the server as a whole.
Since the exploit lets you easily root the install, couldn't zamfoo just patch all his users machines themselves?

That would make about as much sense as everything else they've done....

People who use cpanel should not be allowed near computers.
This has nothing to do with cPanel. It's about a third party plugin created by someone with no affiliation to cPanel who wrote bad code and refused to fix it.
Plus there's this gem [1] about a "kill switch" that disables every single install of the software.

"not only that. there is an emergency kill switch. if you release the patch i will pull the switch and no one can use the software. your exploit will not work if i do that. the plugin will become useless until i turn it back on."

[1] http://www.webhostingtalk.com/showpost.php?p=8724954&postcou...

wouldn't it be better to just say that there's a specific type of vulnerability, and then explain how long it has been?

ultimately, it's up to customers and end users to decide if they can tolerate a security hole being open for a few weeks or months. to that end, maybe it's better to go down the food chain and look at what hosts are using WHM, and publish that list. end users could see if their provider is exposed.