cPanelSecurity.com

———————————————
Summary:
———————————————

Due to a recently discovered bug, it will be necessary for users
who are running the CURRENT, RELEASE and STABLE branches to run a cPanel software update.

———————————————
Description:
———————————————
An uncompilied mysqladmin script allowed an exploited copy of MySQL.pm to be places within the directory location of mysqladmin. This copy of MySQL.pm would be given preference by mysqladmin due to the precedence order of perl module searches. A malicious user could then use an exploited copy of MySQL.pm to elevate their system access (including root access).

A patch for this issue has been released. (more…)

This cPanel Security Vulnerability has been out there for quite a while, but I've seen some servers still being exploited…!

(2004)

———————————————
Summary:
———————————————

Due to a recently discovered bug, it will be necessary for users
following the STABLE and RELEASE branches to disable the feature that
allows users to reset their password. For those following the EDGE and
CURRENT branches, the latest updates have been fixed.  A review of the
RELEASE tree is still pending, and fixed RELEASE builds may be available
in the next 48 hours as well.

———————————————
Description:
———————————————

The feature "Allow cPanel users to reset their password via email",
found in WebHostManager in the "Tweak Settings" section allows for a
cpanel user to run some commands as the root user.
This hole is built in to all compiled cpanel binaries and as such can
not be "patched".
(more…)