

Upgrading a cPanel plugin - showsover
http://www.zamfoo.com/updatezamfoo

======
sikhnerd
This is part of what the developer released to fix the security vulnerability
disclosed responsibly on WHT [1]; tl;dr of that thread by the OP [2]. Beyond
the ridiculous response of the developer in the thread, the fix released
doesn't even fix the issue. Some other security researcher released the root
vuln [3] and basically every install of this software is about to be rooted.
And that's all before the ridiculousness of passing a root password over http,
which strips "special characters" that is used to log in to your box and
upgrade their software. If you read the linked thread, it's like a case study
on how to NOT respond to a security disclosure.

[1] -
[http://www.webhostingtalk.com/showthread.php?t=1275572](http://www.webhostingtalk.com/showthread.php?t=1275572)
[2] -
[http://www.webhostingtalk.com/showpost.php?p=8727714&postcou...](http://www.webhostingtalk.com/showpost.php?p=8727714&postcount=148)
[3] -
[http://localhost.re/p/zamfoo-120-vulnerability](http://localhost.re/p/zamfoo-120-vulnerability)

~~~
DCoder
See also discussion on Reddit [1] and a particularly interesting comment [2].

[1]
[http://www.reddit.com/r/programming/comments/1gfve8/how_not_...](http://www.reddit.com/r/programming/comments/1gfve8/how_not_to_handle_a_critical_security/)

[2]
[http://www.reddit.com/r/programming/comments/1gfve8/how_not_...](http://www.reddit.com/r/programming/comments/1gfve8/how_not_to_handle_a_critical_security/cajwaja)

------
Avalaxy
See this thread for their response:
[http://www.webhostingtalk.com/showthread.php?t=1275572](http://www.webhostingtalk.com/showthread.php?t=1275572).

I tried submitting it to HN, but I receive an error "stop spamming us, you are
wasting your time". Anyone knows why this is? (I'm most definitely not a
spammer)

~~~
nwh
That thread is absolutely incredible.

------
showsover
This is the upgrade procedure for a critical security vulnerability found
here:
[http://www.webhostingtalk.com/showthread.php?t=1275572](http://www.webhostingtalk.com/showthread.php?t=1275572)

~~~
thejosh
Wow that guy is a complete nut. Google even recently said 7 days is enough
time (after their employee released that exploit), and this guy had 2 weeks
(which is actually more than anyone usually gets, if they get anything).

~~~
DanBC
Google said 7 days for active exploits; critical vulnerabilities that are not
being actively exploited are given 60 days.

I agree that the responses from the company in the linked thread are awful.

------
bigiain
Errmmm, is that _really_ asking for root ssh credentials over an unencrypted
http form?

_REALLY?_

~~~
jiggy2011
If you're running CPanel, security is probably not a priority for you anyway.

------
aghull
Since the exploit lets you easily root the install, couldn't zamfoo just patch
all his users machines themselves?

That would make about as much sense as everything else they've done....

------
joshguthrie
I guess a real script with "curl zamfoo.com/?license=$ZAMFOO_LICENSE | sh"
was too hard so I'm better off giving my root password to strangers.

~~~
hnha
I hope you are being sarcastic. Never ever do something like that! Or would
you also blindly execute anything I tell you to?

~~~
joshguthrie
Sarcastic. Not too long ago, npm install was done that way. And IIRC I had to
install some Python package manager that way too (or was it PHP?).

~~~
LeafStorm
That's still the recommended way to install Distribute (for Python) [1] --
though they at least don't recommend you pipe it to sh directly.

Composer (for PHP) [2] also uses this install method, but you can just
download the Phar file from their Web site directly -- all the sh script does
is check PHP settings and dependencies.

[1]:
[http://pythonhosted.org/distribute/](http://pythonhosted.org/distribute/)

[2]: [http://getcomposer.org/](http://getcomposer.org/)
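The objection in this subthread is that "curl ... | sh" runs whatever bytes the server (or anyone in the path, over plain http) happens to return, with no chance to look at them first. The script below is an added example, not code from the original thread or from any of the projects mentioned: it downloads nothing itself (the "installer" is a constructed stand-in written to a temp directory), and shows the minimal safer pattern of saving the installer to a file, comparing its SHA-256 against a hash pinned out-of-band, and only then executing it. The function names `sha256_of` and `run_installer` and the `$PINNED_HASH` placeholder are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): never pipe a download straight into sh.
# Save it, check a pinned SHA-256, and refuse to execute on mismatch.
set -eu

# Print the hex SHA-256 of a file; falls back to shasum where sha256sum is absent.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_installer FILE EXPECTED_SHA256
# Executes FILE with sh only if its hash equals EXPECTED_SHA256.
# Returns 1 without executing anything when the bytes differ.
run_installer() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: sha256 $actual does not match pinned $expected" >&2
    return 1
  fi
  sh "$file"
}

# --- constructed demonstration; in real use the first step would be
#     curl -fsSLo installer.sh "$URL"   (download only, no execution)
#     run_installer installer.sh "$PINNED_HASH"   ($PINNED_HASH obtained out-of-band)
tmp=$(mktemp -d)
printf '#!/bin/sh\necho "installer ran"\n' > "$tmp/installer.sh"
good=$(sha256_of "$tmp/installer.sh")      # stands in for the pinned hash

run_installer "$tmp/installer.sh" "$good"  # hashes match: installer executes

# Simulate the server (or a man-in-the-middle on http) appending a line.
printf 'echo "extra line injected"\n' >> "$tmp/installer.sh"
run_installer "$tmp/installer.sh" "$good" || echo "tampered installer blocked"

rm -rf "$tmp"
```

A pinned hash only helps if it came from somewhere other than the same unauthenticated channel as the script (a release page served over https, a signed announcement, or a GPG signature checked with `gpg --verify`); a hash fetched from the same http URL as the installer can be rewritten by the same attacker.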

------
tsigo
Plus there's this gem [1] about a "kill switch" that disables every single
install of the software.

"not only that. there is an emergency kill switch. if you release the patch i
will pull the switch and no one can use the software. your exploit will not
work if i do that. the plugin will become useless until i turn it back on."

[1]
[http://www.webhostingtalk.com/showpost.php?p=8724954&postcou...](http://www.webhostingtalk.com/showpost.php?p=8724954&postcount=17)

~~~
elliotanderson
Kinda scary, considering this is the developers website (hosted on the same
server as zamfoo.com) right now: [http://meccahost.net](http://meccahost.net)

------
quchen
"Special characters may not work."

I guess we should change our root passwords to "root123" so upgrading becomes
easier.

------
astar
The upgrading process seems easy. Just have to send your IP address, root user
name, password, and license key through a form...and you can do it through the
fast http scheme rather than the slow https.

------
wildgift
wouldn't it be better to just say that there's a specific type of
vulnerability, and then explain how long it has been?

ultimately, it's up to customers and end users to decide if they can tolerate
a security hole being open for a few weeks or months. to that end, maybe it's
better to go down the food chain and look at what hosts are using WHM, and
publish that list. end users could see if their provider is exposed.

------
SimHacker
People who use cpanel should not be allowed near computers.

~~~
RKearney
This has nothing to do with cPanel. It's about a third party plugin created by
someone with no affiliation to cPanel who wrote bad code and refused to fix
it.

------
danso
1. What is Zamfoo? I've clicked through a few Google results and all I see
are references to WHM and various levels of being a "Reseller". I guess I'm
not irritated by Zamfoo's lack of a great About page as I am about the fact
that there are still business tech acronyms that I've never encountered
before...and I thought mastering "CMS" and "ROI" was good enough

2. It seems like this is mostly a one-person shop, with the site owner
answering the emails and forum discussions. Ugh, nothing like having to
maintain holey software yourself...though obviously, I feel much sorrier for
anyone who's gotten/is getting hacked.

~~~
duskwuff
Zamfoo is a rather silly plugin for cPanel/WHM that allows a server admin to
create accounts that can create reseller accounts. Effectively, it's taking
the concept of a reseller account (a cPanel account that can create cPanel
accounts) and iterating it, several times. For instance, it adds a new "master
reseller" account type that can create resellers (which can create normal
accounts), as well as "alpha resellers" which can create master resellers
(which can create resellers which can create normal accounts).

If you're wondering what the _practical_ purpose of this is... there isn't
one, really. But apparently some WHM resellers (and iterated resellers, I
suppose) are interested in this sort of thing for some reason, so it exists.

Personally, I just feel sorry for the end users at the far end of this
software, behind as many as three or four levels of reselling. That's got to
be a pretty damn awful customer experience.

~~~
danso
At first I was going to say, _"But yes, what does 'WHM' mean?"_...but then I
just Googled it up and see that it's some other kind of software, not a
business term:

[http://en.wikipedia.org/wiki/WHM#WHM_.28Web_Host_Manager.29](http://en.wikipedia.org/wiki/WHM#WHM_.28Web_Host_Manager.29)

> _WebHost Manager (WHM) is a web-based tool used by server administrators and
> resellers to manage hosting accounts on a web server. WHM listens on ports
> 2086 and 2087 by default._

I was thinking it meant "warehouse management", with all the "reselling"
involved...I also figured the kind of people who might install it are looking
for some quick fix (if insecure) software to manage their warehouses...

~~~
duskwuff
cPanel and WHM are two components of the same software package. cPanel is the
customer-facing side for managing hosting accounts; WHM is the other end, for
managing those accounts and the server as a whole.

