Wow that guy is a complete nut. Google even recently said 7 days is enough time (after their employee released that exploit), and this guy had 2 weeks (which is actually more than anyone usually gets, if they get anything).
That's still the recommended way to install Distribute (for Python) [1] -- though they at least don't recommend you pipe it to sh directly.
Composer (for PHP) [2] also uses this install method, but you can just download the Phar file from their Web site directly -- all the sh script does is check PHP settings and dependencies.
I tried submitting it to HN, but I receive an error "stop spamming us, you are wasting your time". Anyone knows why this is? (I'm most definitely not a spammer)
This is part of what the developer released to fix the security vulnerability disclosed responsibly on WHT [1] tl;dr of that thread by the OP [2] . Beyond the ridiculous response of the developer in the thread, the fix released doesn't even fix the issue. Some other security researcher released the root vuln [3] and basically every install of this software is about to be rooted. And that's all before the ridiculousness of passing a root password over http, which strips "special characters" that is used to login to your box and upgrade their software. If you read the linked thread, it's like a case study on how to NOT respond to a security disclosure.
Also a clear case of how not to write software, I mean the architecture is just designed for insecurity. Always been very suspicious of the whole class of "control panel" software from a security angle.
The upgrading process seems easy
Just have to send your IP address, root user name, password, and license key through a form...and you can do it through the fast http scheme rather than the slow https.
1. What is Zamfoo? I've clicked through a few Google results and all I see are references to WHM and various levels of being a "Reseller". I guess I'm not irritated by Zamfoo's lack of a great About page as I am about the fact that there are still business tech acronyms that I've never encountered before...and I thought mastering "CMS" and "ROI" was good enough
2. It seems like this is mostly a one-person shop, with the site owner answering the emails and forum discussions. Ugh, nothing like having to maintain holey software yourself...though obviously, I feel much sorrier for anyone who's gotten/is getting hacked.
Zamfoo is a rather silly plugin for cPanel/WHM that allows a server admin to create accounts that can create reseller accounts. Effectively, it's taking the concept of a reseller account (a cPanel account that can create cPanel accounts) and iterating it, several times. For instance, it adds a new "master reseller" account type that can create resellers (which can create normal accounts), as well as "alpha resellers" which can create master resellers (which can create resellers which can create normal accounts).
If you're wondering what the practical purpose of this is... there isn't one, really. But apparently some WHM resellers (and iterated resellers, I suppose) are interested in this sort of thing for some reason, so it exists.
Personally, I just feel sorry for the end users at the far end of this software, behind as many as three or four levels of reselling. That's got to be a pretty damn awful customer experience.
At first I was going to say, "But yes, what does 'WHM' mean?"...but then I just Googled it up and see that it's some other kind of software, not a business term:
> WebHost Manager (WHM) is a web-based tool used by server administrators and resellers to manage hosting accounts on a web server. WHM listens on ports 2086 and 2087 by default.
I was thinking it meant "warehouse management", with all the "reselling" involved...I also figured the kind of people who might install it are looking for some quick fix (if insecure) software to manage their warehouses...
cPanel and WHM are two components of the same software package. cPanel is the customer-facing side for managing hosting accounts; WHM is the other end, for managing those accounts and the server as a whole.
This has nothing to do with cPanel. It's about a third party plugin created by someone with no affiliation to cPanel who wrote bad code and refused to fix it.
Plus there's this gem [1] about a "kill switch" that disables every single install of the software.
"not only that. there is an emergency kill switch. if you release the patch i will pull the switch and no one can use the software. your exploit will not work if i do that. the plugin will become useless until i turn it back on."
wouldn't it be better to just say that there's a specific type of vulnerability, and then explain how long it has been?
ultimately, it's up to customers and end users to decide if they can tolerate a security hole being open for a few weeks or months. to that end, maybe it's better to go down the food chain and look at what hosts are using WHM, and publish that list. end users could see if their provider is exposed.
29 comments
[ 3.1 ms ] story [ 76.3 ms ] threadI agree that the responses from the company in the linked thread are awful.
_REALLY?_
The mind reels.
I guess we should change our root passwords to "root123" so upgrading becomes easier.
Composer (for PHP) [2] also uses this install method, but you can just download the Phar file from their Web site directly -- all the sh script does is check PHP settings and dependencies.
[1]: http://pythonhosted.org/distribute/
[2]: http://getcomposer.org/
I tried submitting it to HN, but I receive an error "stop spamming us, you are wasting your time". Anyone knows why this is? (I'm most definitely not a spammer)
[0] https://news.ycombinator.com/item?id=3030992
[1] - http://www.webhostingtalk.com/showthread.php?t=1275572 [2] - http://www.webhostingtalk.com/showpost.php?p=8727714&postcou... [3] - http://localhost.re/p/zamfoo-120-vulnerability
[1] http://www.reddit.com/r/programming/comments/1gfve8/how_not_...
[2] http://www.reddit.com/r/programming/comments/1gfve8/how_not_...
2. It seems like this is mostly a one-person shop, with the site owner answering the emails and forum discussions. Ugh, nothing like having to maintain holey software yourself...though obviously, I feel much sorrier for anyone who's gotten/is getting hacked.
If you're wondering what the practical purpose of this is... there isn't one, really. But apparently some WHM resellers (and iterated resellers, I suppose) are interested in this sort of thing for some reason, so it exists.
Personally, I just feel sorry for the end users at the far end of this software, behind as many as three or four levels of reselling. That's got to be a pretty damn awful customer experience.
http://en.wikipedia.org/wiki/WHM#WHM_.28Web_Host_Manager.29
> WebHost Manager (WHM) is a web-based tool used by server administrators and resellers to manage hosting accounts on a web server. WHM listens on ports 2086 and 2087 by default.
I was thinking it meant "warehouse management", with all the "reselling" involved...I also figured the kind of people who might install it are looking for some quick fix (if insecure) software to manage their warehouses...
That would make about as much sense as everything else they've done....
"not only that. there is an emergency kill switch. if you release the patch i will pull the switch and no one can use the software. your exploit will not work if i do that. the plugin will become useless until i turn it back on."
[1] http://www.webhostingtalk.com/showpost.php?p=8724954&postcou...
ultimately, it's up to customers and end users to decide if they can tolerate a security hole being open for a few weeks or months. to that end, maybe it's better to go down the food chain and look at what hosts are using WHM, and publish that list. end users could see if their provider is exposed.