Hello all of you out there,
we are very sorry, but there is a security hole inside the latest SysCP version (1.2.15). Any customer could run malicious code as root. This vulnerability is only exploitable in SysCP 1.2.15, no other version is affected.
Since this is not the best thing, we are releasing a patch together with this announcement ;) It's only a tiny patch, since SysCP itself already contains all the code needed to prevent such code injections. The problem: in this special case it accidentally wasn't used.
Many thanks go to Daniel Schulte, who found this vulnerability!
You can fix your installation by replacing "exec" with "safe_exec" in scripts/cron_tasks.php on line 255 or applying the patch provided on our homepage (http://files.syscp.org/misc/syscp-1.2.15s.patch) by executing "patch -p0 < syscp-1.2.15s.patch".
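To confirm that the fix took effect, the following added example (not part of the SysCP announcement or code base) scans a PHP file such as scripts/cron_tasks.php for direct calls to exec() that bypass safe_exec(). It goes beyond the one line named above by also flagging PHP's other command-execution functions; the function name audit_exec_calls and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic line scan for direct command execution in PHP.
# Reports calls to exec() and related functions that bypass safe_exec().

# Function names followed by "(" and not preceded by an identifier
# character, "$", "->" or "::" (so safe_exec(), curl_exec() and
# $db->exec() are not reported).
PATTERN='(^|[^A-Za-z0-9_$>:])(exec|shell_exec|system|passthru|popen|proc_open)[[:space:]]*\('

# audit_exec_calls FILE
#   Prints "LINE:source" for every hit.
#   Returns 0 if clean, 1 if hits were found, 2 if FILE is unreadable.
audit_exec_calls() {
    local file hits
    file=$1
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # Second grep drops lines that are only a comment.
    hits=$(grep -nE "$PATTERN" -- "$file" |
           grep -vE '^[0-9]+:[[:space:]]*(//|#|/\*|\*)') || true
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

if [ $# -gt 0 ]; then
    # Real use: sh audit.sh /path/to/syscp/scripts/cron_tasks.php
    audit_exec_calls "$1"
else
    # Constructed sample, not taken from SysCP.
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
<?php
// exec() must not be called directly
exec('/bin/true ' . $value);
safe_exec('/bin/true ' . $value);
$db->exec('SELECT 1');
EOF
    audit_exec_calls "$sample" || echo "unguarded call(s) found"
    rm -f "$sample"
fi
```

A hit is a prompt for manual review rather than proof of a vulnerability, since the scan works line by line and does not parse PHP.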
Thank you for your attention,
Flo and the SysCP-team