cPanel Protects Against PHP Vulnerability

Posted by: Admin  :  Category: Cpanel


cPanel & WHM servers using the default cPanel PHP CGI configuration are not vulnerable to the command line switch vulnerability.

A recently disclosed flaw in PHP’s CGI implementation allows malicious users to remotely view source code and execute code. The flaw was documented by the Eindbazen team and is tracked as CVE-2012-1823.

cPanel & WHM servers are not affected by this, thanks in part to a wrapper script used by cPanel & WHM when Apache is configured to use CGI for the PHP handler. This wrapper script does not pass through any command line options.

Server administrators are encouraged to verify their PHP configuration.


When configured to use CGI or FCGI, cPanel & WHM instructs Apache to use the wrapper script /usr/local/cpanel/cgi-sys/php5 or /usr/local/cpanel/cgi-sys/php4. (The number after “php” is based upon the current major version of PHP.) The unmodified version of the wrapper script looks like the following:

    #!/bin/sh

    # If you customize the contents of this wrapper script, place
    # a copy at /var/cpanel/conf/apache/wrappers/php$php_version
    # so that it will be reinstalled when Apache is updated or the
    # PHP handler configuration is changed

    exec $binary

The $binary placeholder will contain /usr/bin/php or /usr/php4/bin/php. By default, no command line parameters are included.
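One way to verify that an installed or customized wrapper still passes no command line options, as an added example that is not part of the cPanel advisory. The function names check_wrapper and report_wrappers are hypothetical; the check is a static read of the wrapper text and does not test the PHP binary itself.

```shell
#!/bin/sh
# Added example (not cPanel's code): flag PHP CGI wrappers whose exec line
# forwards positional parameters ($@, $*, $1..$9) to the PHP binary.

# check_wrapper FILE  (hypothetical helper)
#   returns 0: exec line found, no arguments forwarded
#   returns 1: exec line forwards positional parameters
#   returns 2: file unreadable, or no exec line found
check_wrapper() {
    wrapper=$1
    [ -r "$wrapper" ] || return 2
    # Ignore comment lines (including the shebang), keep only exec lines.
    exec_lines=$(grep -v '^[[:space:]]*#' "$wrapper" |
        grep -E '(^|[[:space:];])exec[[:space:]]' || true)
    [ -n "$exec_lines" ] || return 2
    # Matches $@ $* $1..$9 and the braced forms ${@} ${*} ${1}.
    if printf '%s\n' "$exec_lines" | grep -Eq '\$\{?[@*1-9]'; then
        return 1
    fi
    return 0
}

# report_wrappers FILE...  (hypothetical helper) prints one line per wrapper.
report_wrappers() {
    for w in "$@"; do
        rc=0
        check_wrapper "$w" || rc=$?
        case $rc in
            0) echo "OK      $w: exec line passes no arguments" ;;
            1) echo "REVIEW  $w: exec line forwards arguments" ;;
            *) echo "SKIPPED $w: not readable or no exec line" ;;
        esac
    done
}

# Wrapper paths named in the advisory.
report_wrappers /usr/local/cpanel/cgi-sys/php5 /usr/local/cpanel/cgi-sys/php4
```

A REVIEW result means the wrapper has been changed from the default shown above and now hands arguments through to PHP, so it should be compared against the unmodified version.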

Read CVE-2012-1823

cPanel Inc.
