#1, pizzicar (Surpass Fan), March 9th, 2008, 5:03 PM
CPanel & Horde Security Question

I got the email on the Horde/cPanel security issue. I updated cPanel to latest per the email instructions - I was looking for clarification that this cPanel update takes care of the Horde issue - or do I still need to disable Horde until it gets updated?

Thanks
__________________
"Argue for your limitations, and sure enough, they are yours"

#2, Kayla (Surpass Staff), March 9th, 2008, 5:06 PM
Hi! Long time no see.

Updating cPanel is all that's needed, they included patches in the most recent build.
__________________
Have you ever want to draw a windmill, and after that animate it? No problem!

#3, pizzicar (Surpass Fan), March 9th, 2008, 5:28 PM
Quote (originally posted by Kayla):
> Hi! Long time no see.
>
> Updating cPanel is all that's needed, they included patches in the most recent build.

Thanks for the clarification. My workplace now filters the "webhosting" tag and during the evenings, I have been so busy that my Surpass time has been severely curtailed.

I'll make an effort to get by more often.

#4, Kayla (Surpass Staff), March 9th, 2008, 5:30 PM
Wow, filters web hosting? That's interesting.

#5, psfrog (Surpass Fan), March 12th, 2008, 10:39 AM
Quote (originally posted by pizzicar):
> I got the email on the Horde/cPanel security issue. I updated cPanel to latest per the email instructions - I was looking for clarification that this cPanel update takes care of the Horde issue - or do I still need to disable Horde until it gets updated?
>
> Thanks

Just wanted to add that there is a way to verify that you've got a patched Horde running.
Log in via SSH and type:

Code:
/scripts/autorepair check_horde_patch

If Horde is patched and secure, you will get this:

Quote:
Requesting script ... Done
Auto Repair is running...cPanel Horde Patch Check v1.0: Patch Verified
...Auto Repair is done.

If you get "Not Patched", you need to upgrade or contact support.
__________________
:: Have a great day! /Erik at http://www.psychofrog.se and http://www.manufrog.com ::
Server: Muy and Dedicated

#6, pizzicar (Surpass Fan), March 12th, 2008, 7:01 PM
Thanks for that - I just tried it and it came back as patched. The cool thing is I did it from my phone as I am sitting at the airport waiting for my flight. Gotta love PDA phones

#7, psfrog (Surpass Fan), March 12th, 2008, 8:01 PM
Unfortunately, the cPanel blog now reports the below (cPanel needs to be upgraded again):

Quote:
> March 10th, 2008
>
> SECURITY ADVISORY: Official Horde Update to 3.1.7 and upgrades to cPanel’s PHP application security model available in cPanel builds 11.18.3 and 11.19.3.
>
> Summary:
> The Horde webmail application framework has been updated to 3.1.7. Upgrades have been made in cPanel’s PHP application security model.
>
> Description:
> The Horde webmail application framework has been updated to 3.1.7 for the official fix to the previously announced arbitrary file inclusion vulnerability. cPanel has also made upgrades in cPanel’s PHP application security model for Horde, PHPMyAdmin, and PHPPGAdmin. These upgrades have been made to minimize or mitigate undiscovered vulnerabilities in these third-party applications while running within a cPanel installation.
>
> Fix Details:
> It is recommended that all cPanel servers running Horde be updated to either cPanel 11.18.3 or cPanel 11.19.3. If you do not wish to update cPanel, it is strongly recommended that you keep Horde disabled until these updates have been applied. You can disable horde on your cPanel system by unchecking WHM -> Server Configuration -> Tweak Settings -> Mail -> Horde Webmail, and saving with the new settings.
>
> You can check your current version of cPanel by executing:
> /usr/local/cpanel/cpanel -V
>
> Updates can be run via the following command executed from a root shell:
> /scripts/upcp
>
> Updates can be run through WHM as well. Login to WHM, then select cPanel -> Upgrade to Latest Version -> Click to Upgrade.
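
An added example, not part of the original posts and not cPanel's own tooling: a POSIX shell check that compares a cPanel version string with the fixed builds named in the quoted advisory (11.18.3 and 11.19.3) and reads the check_horde_patch output shown in post #5. The function names, the handling of a version suffix and the treatment of branches newer than 11.19 as fixed are assumptions.

```shell
#!/bin/sh
# Added example, not cPanel code. Function names are hypothetical.
# Assumption: a version string starts with MAJOR.MINOR.PATCH; a suffix is ignored.
# Assumption: branches newer than 11.19 already carry the fix.

# Compare a version string with the advisory's fixed builds 11.18.3 / 11.19.3.
horde_fix_status() {
    ver=${1%%[!0-9.]*}                 # "11.18.3-X" -> "11.18.3"
    case "$ver" in
        *..*) echo "unknown"; return 0 ;;
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                        # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=$1; minor=$2; patch=$3
    if [ "$major" -gt 11 ]; then echo "fixed"; return 0; fi
    if [ "$major" -lt 11 ]; then echo "needs-update"; return 0; fi
    if [ "$minor" -gt 19 ]; then echo "fixed"; return 0; fi
    if [ "$minor" -lt 18 ]; then echo "needs-update"; return 0; fi
    # Both branches named in the advisory received the fix at patch level 3.
    if [ "$patch" -ge 3 ]; then echo "fixed"; else echo "needs-update"; fi
}

# Classify the output of "/scripts/autorepair check_horde_patch".
horde_patch_check() {
    case "$1" in
        *"Patch Verified"*) echo "verified" ;;
        *"Not Patched"*)    echo "not-patched" ;;
        *)                  echo "unknown" ;;
    esac
}

# Combine both: a passing patch check alone does not mean the server is on
# one of the advisory's fixed builds.
horde_assess() {                       # $1 = version string, $2 = check output
    if [ "$(horde_fix_status "$1")" = "fixed" ]; then echo "ok"
    elif [ "$(horde_patch_check "$2")" = "verified" ]; then echo "interim-patch"
    else echo "unpatched"; fi
}

# On a cPanel host, from a root shell:
#   horde_assess "$(/usr/local/cpanel/cpanel -V)" \
#                "$(/scripts/autorepair check_horde_patch)"
```

For any result other than "ok", the advisory's two options apply: run /scripts/upcp, or keep Horde disabled until the update has been applied.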

#8, pizzicar (Surpass Fan), March 12th, 2008, 10:18 PM
That's funny. I sent my email and get on my flight. Get back to Phoenix and your last post pops up in my mobile email. Sigh....firing up Putty....