It has been brought to our attention that a security vulnerability exists in the cPanel Varnish script. It affects Varnish releases 1.8.0-4, 1.2.2b, and older. We urge our subscribers to upgrade to the latest available release. Releases 1.8.0-5 and 1.2.4b have been listed as CRITICAL.

The vulnerability can be exploited when you have explicitly granted your reseller(s) root PHP access in WHM or if an insecure plugin has disabled this security feature.

Is it absolutely required that you upgrade the plugin?

No. You can determine whether your server is vulnerable to this attack by checking the following in WHM:

  1. Log in to WHM as root
  2. Navigate to Server Configuration -> Tweak Settings -> Allow PHP to be run by resellers in WHM
  3. If the feature is OFF (default) then your server is NOT vulnerable.

Per cPanel, it is NOT recommended to disable this security feature:

Special care should be taken when enabling this functionality since PHP will be running as root. Any application you permit to run under this setup should make special security considerations to avoid catastrophe.

It is currently believed that the individual who has reported the vulnerability is the only person to be aware of this flaw. However, as a precaution, we urge all subscribers to upgrade immediately.

Should you have any questions or comments regarding this announcement, please open a request in the Varnish Script support queue.

UNIXy Clients: Your server(s) have been verified and patched accordingly.


cPanel Varnish Plugin Team

Sunday, June 2, 2013
