• Welcome to Web Hosting Community Forum for Webmasters - Web hosting Forum.
 

Messages - Kailash

#31
Microsoft DNS servers are affected by a critical security vulnerability. A remote code execution vulnerability exists in all DNS servers used in Windows Server 2008 and higher operating systems. Microsoft has released an update for Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019. They have also released an update for the end-of-life operating system Windows Server 2008 R2, but it looks like it is available only to those users who have opted for the paid add-on to continue using Windows Server 2008 R2.

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

For more information, refer to CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability.

- Kailash
#32
Hi,

If you have recently applied .NET updates on your Microsoft Windows server, it may break the "Web sites" section in your SolidCP. SolidCP has not yet released an official update, but there is a workaround to fix this issue. It requires editing your portal's web.config file to apply the workaround. For more details, you can refer to our KB on SolidCP Error in Web Sites section after Windows updates.

- Kailash
#33
Hi,

Are you really looking for their reviews? You are already using their service. You can check your own post here:

https://www.webhostingdiscussion.net/forums/index.php/topic,34051.msg22337.html#msg22337
#34
Web Hosting / Re: Best shared account in Europe
December 31, 2019, 06:07:15 PM
You can try Accuweb Hosting shared hosting. They have Linux shared hosting from a UK location.

- Kailash
#35
Vulnerabilities / SMF 2.0.17 Released
December 31, 2019, 06:03:12 PM
Simple Machines has released a new patch to the 2.0.x line of SMF, bringing our latest release version to 2.0.17.

We consider this patch to be of crucial importance, as it includes an important fix for a critical bug that was introduced in SMF 2.0.16.

  • Fixes a bug that could cause SMF 2.0.16 to start consuming significant amounts of CPU resources when the RSS function was used.
  • Eliminates some deprecated function warnings when using SSI.php on PHP 7.2+.

Please see the changelog for more information.

Since SMF 2.0.17 is essentially what 2.0.16 was intended to be and 2.0.16 was released only a few days ago, we are including a (slightly updated) version of the SMF 2.0.16 announcement for your convenience:

SMF 2.0.16 contained important security and bug fixes, as well as support for the European Union's General Data Protection Regulation (GDPR) requirements. We recommend updating as soon as possible.

Notable changes in 2.0.16 & 2.0.17

  • Support for privacy policy in addition to registration agreement
  • GDPR Compliance toggle in Core Features. Enabling this configures multiple settings and new features to comply with the GDPR, including:
      • Requiring members to accept the current privacy policy in order to use the forum
      • Asking during registration whether the new member wants to receive announcements via email
      • Enabling token-based unsubscribe links in emails so members can unsubscribe without logging in
      • Allowing members to download a copy of their profile information
      • Adjusting the behaviour of a number of other features in minor ways as necessary
  • PHP 7.2 support
  • Improved security hashes for the image proxy
  • Improved security for the login cookie
  • Assorted other security improvements
  • Various improvements for both the installer and upgrader
#36
Vulnerabilities / SMF 2.0.16 Released
December 31, 2019, 05:59:46 PM
Simple Machines has released a new patch to the 2.0.x line of SMF, bringing our latest release version to 2.0.16.

We consider this patch to be of crucial importance, as it includes important security and bug fixes, as well as support for the European Union's General Data Protection Regulation (GDPR) requirements. We recommend updating as soon as possible.

Notable changes in 2.0.16

  • Support for privacy policy in addition to registration agreement
  • GDPR Compliance toggle in Core Features. Enabling this configures multiple settings and new features to comply with the GDPR, including:
      • Requiring members to accept the current privacy policy in order to use the forum
      • Asking during registration whether the new member wants to receive announcements via email
      • Enabling token-based unsubscribe links in emails so members can unsubscribe without logging in
      • Allowing members to download a copy of their profile information
      • Adjusting the behaviour of a number of other features in minor ways as necessary
  • PHP 7.2 support
  • Improved security hashes for the image proxy
  • Improved security for the login cookie
  • Assorted other security improvements
  • Various improvements for both the installer and upgrader

Please see the changelog for more information.

IMPORTANT NOTES:

  • If you are using the GDPR Helper mod, you should follow these steps:
      • Back up your existing privacy policy text to a file somewhere
      • Update the GDPR Helper mod to its latest version
      • Uninstall the GDPR Helper mod
      • Install the SMF 2.0.16 patch

All users, including the admin, will need to log in again after 2.0.16 has been installed.

How to update to 2.0.16

If you are running version 2.0.15, you can update your forum to the latest version by using the package manager. You should see the update notification in the admin panel notifications and in the package manager, which will allow you to download and install the patch seamlessly. If you do not see the notification about the patch, please run the scheduled task "Fetch Simple Machines files" from the Scheduled Tasks page (Admin > Maintenance > Scheduled Tasks).

If you use older versions of SMF, you can upgrade directly to 2.0.15 from whichever version you are currently using by using the "Large Upgrade" package from the Download page. Be aware that using this upgrade method will require you to reinstall any customizations that you have added to your forum, so if you are running a version of the 2.0.x series, it is recommended that you apply the successive patches instead of using the Large Upgrade.

If you are having problems downloading the patch from the admin panel, you can download the patch package from the Package Manager Updates page and install it via the Package Manager, as you would any other mod package.

Please refer to the Online Manual for more details about patching and upgrading.
#37
After upgrading to cURL version 7.67.0, you may receive the following error:

CURL Error: 56 - OpenSSL SSL_read: Success

Usually WHMCS and Enom users report the above error. If you are using cPanel, you can downgrade the cURL version to fix this. You can execute the following command on a cPanel server to downgrade the version:

yum downgrade ea-libcurl ea-libcurl-devel

Make sure that you restart the Apache service. Also, if you are using LiteSpeed, Apache PHP-FPM, nginx etc., make sure you restart those services as well.

Regards,
Kailash
#38
Vulnerabilities / cPanel TSR-2019-0006 Full Disclosure
November 20, 2019, 03:37:30 PM
SEC-499

Summary

Authentication bypass due to variations in webmail username handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The process used to normalize and validate webmail account names was not consistent across different authentication subsystems. Because of these discrepancies, authenticated cPanel users could gain access to other cPanel and Webmail accounts on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-508

Summary

Account suspension bypass via virtual mail accounts.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The authentication logic for some subsystems relied entirely on data stored in the cPanel account's home directory for the enforcement of account suspensions. A cPanel user could take advantage of this behavior to retain access to virtual email accounts after the user's system account was suspended.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-516

Summary

Authentication bypass due to faulty password file format parsing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The functions in cPanel & WHM that handled password and shadow file lookups did not enforce the constraints of this file format. This behavior could be misused by authenticated attackers to gain access to other accounts on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-520

Summary

Self-XSS due to faulty JSON string escaping.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The escaping method used for some JSON string interpolation in cPanel & WHM interface templates did not escape all possible character combinations unambiguously.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-525

Summary

Cpanel::Rand::Get can produce predictable output.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

When the /dev/urandom device is not initialized, Cpanel::Rand::Get initializes Perl's random number generation with data from the server's environment. This data could be predictable and when used as a seed, could cause predictable random numbers to be generated.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-531

Summary

MySQL dump streaming allowed reading all databases.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

The MySQL database dump streaming functionality passed database names to the mysqldump binary in an ambiguous fashion. An authenticated attacker could misuse this behavior to read all databases on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18

SEC-532

Summary

Root chown on arbitrary paths in cPanel log processing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

When processing logs to calculate bandwidth, symlinks to the processed logs are created in the user's home directory. An attacker can intercept this process to cause the ownership of an arbitrary file to be changed to the attacking user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-533

Summary

Stored XSS Vulnerability in WHM Backup Restoration.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Error messages displayed in the WHM Backup Restoration interface were not adequately encoded. Due to this, it was possible for an attacker to inject arbitrary code into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

SEC-534

Summary

WebDAV authentication bypass due to faulty connection sharing logic.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Client authentication was not validated correctly when multiple WebDAV clients connected to the cpdavd daemon through a proxy server. Subsequent requests in a keepalive connection could inherit the authentication of prior requests.

Credits

This issue was discovered by Martin Rouf.

Solution

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43

For the PGP-signed message, please see: https://news.cpanel.com/wp-content/u...ure.signed.txt.
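The SEC-534 entry above describes the general keep-alive pitfall: if a server caches the authenticated principal on the connection rather than on each request, a second client multiplexed through the same proxy connection inherits the first client's identity. The following is an added illustration written for this page, not cpanel's cpdavd code or the actual defect; the user table, Basic-auth parsing and the two handler variants are constructed for the demo. The "sticky" handler shows the failure mode, the per-request handler shows the correct behaviour.

```python
import base64
import hmac

# Constructed credential store for the demo (assumption: not cpdavd's real storage).
USERS = {"alice": "correct horse", "bob": "battery staple"}


def credentials_from_header(header):
    """Parse an HTTP Basic Authorization header into (user, password), or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(header):
    """Return the user name if the header carries valid credentials, else None."""
    creds = credentials_from_header(header)
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    # compare_digest avoids leaking the match length through timing.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


class Connection:
    """One TCP keep-alive connection; a proxy may funnel several clients over it."""

    def __init__(self):
        self.user = None


def handle_sticky(conn, request):
    """Flawed pattern: the principal is cached on the connection.

    A later request without credentials is served as whoever authenticated last."""
    header = request.get("Authorization")
    if header is not None:
        conn.user = authenticate(header)
    if conn.user is None:
        return 401, None
    return 200, conn.user


def handle_per_request(conn, request):
    """Correct pattern: every request must carry and pass its own credentials."""
    user = authenticate(request.get("Authorization"))
    if user is None:
        return 401, None
    return 200, user


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed traffic as seen by the server: three requests arriving on one
# keep-alive connection from a proxy that fronts two different clients.
PROXIED_REQUESTS = [
    {"path": "/alice/", "Authorization": basic("alice", "correct horse")},
    {"path": "/alice/secret.txt"},                       # second client, no credentials
    {"path": "/bob/", "Authorization": basic("bob", "wrong")},
]


def run(handler, requests=PROXIED_REQUESTS):
    """Feed the requests through one handler on a single connection; return (status, user) per request."""
    conn = Connection()
    return [handler(conn, r) for r in requests]


if __name__ == "__main__":
    print("sticky     :", run(handle_sticky))
    print("per-request:", run(handle_per_request))
```

With the sticky handler the unauthenticated second request is answered as "alice"; with per-request authentication it gets a 401. The same check applies when reviewing any daemon that sits behind a reverse proxy: authentication state must be keyed to the request (or to a session token the client presents), never to the socket.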
#39
Try redirecting using .htaccess rewrite rule:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
#40
First, you will have to make sure that your script has execute permissions and then set the following cron:

0 * * * * /home/<your_user>/public_html/yourscript.sh

Adjust time as per your need.
#41
cPanel/WHM / Re: Magento Cpanel Cron Job not working
October 31, 2019, 11:46:21 AM
If it is not sending emails, it is possible that there is a misconfiguration at server level. If you are using authentication to send emails, your provider should be able to check the SMTP logs.
#42
If you have SSL for your website, you can directly change your site and blog URLs to HTTPS and, if required, you can use force-SSL related plugins for your website.
#43
WordPress Support / Re: WordPress HTTPS Error
October 31, 2019, 11:42:07 AM
It looks like you haven't purchased an SSL certificate for your website. If you have purchased it, it is possible that it is not installed properly. You should talk to your hosting provider.
#44
Do you have any image resize plugins? Try deactivating WordPress plugins one by one until you find the culprit plugin.
#45
Please make sure that you have taken the following steps correctly:

  • If you are accessing your install using a domain name, make sure that your website is pointing to the correct server.
  • If there are any contents, remove the installation from Softaculous, remove other contents from the same directory and attempt to install again.
  • Make sure that you are accessing the URL correctly. If you have installed in a subfolder or subdomain, you will have to use the exact URL.

If it still does not work, you will have to contact your web hosting provider.
#46
It seems that you have still not put your application live from your Facebook account. Follow the steps below to put it live:

[1] From your Facebook developers URL, go to My Apps and click on your App

[2] In Settings -> Basic -> Contact Email -> Enter your email address and save it

[3] Go to the Status and Review tab and set the following option to "Yes":

Do you want to make this app and all its live features available to the general public?
#47
cPanel/WHM / Re: MongoDB quota for cPanel user
October 31, 2019, 11:32:23 AM
Officially, MongoDB support is still not included in cPanel, so I doubt you can set a quota for MongoDB from cPanel/WHM. There was a feature request submitted on the official cPanel website, but this feature is still not included in the latest version as of now. Also, I am not able to locate any plugin for cPanel which can help you in this matter.
#48
Please check the following steps:

  • Make sure that the mysql service is up and running.
  • Make sure that the roundcube database exists. You can check it from WHM -> phpMyAdmin. There should be a database named roundcube.
  • If the roundcube database exists, make sure that the tables are not corrupted. If they are corrupted, you may need to restore it from backup.
#49
Your "where" clause will return all rows where name does not match username AND where name is not null.

If you want to include NULL results as well, you can try the following where clause:

    where name <> 'username' or name is null

If you are looking for strings that do not contain the word "username" as a substring, then like can be used:

    where name not like '%username%'

- Kailash
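The post above hinges on SQL's three-valued logic: `NULL <> 'username'` is UNKNOWN, not TRUE, so a plain `<>` (and likewise `NOT LIKE`) silently drops NULL rows. The following is an added demonstration written for this page, not code from the thread; it runs the three predicates from the post against a constructed `users` table in an in-memory SQLite database, with the search value bound as a parameter rather than spliced into the query text.

```python
import sqlite3

# Constructed sample data: row 4 has a NULL name, row 3 merely contains "username".
SAMPLE_ROWS = [
    (1, "username"),
    (2, "alice"),
    (3, "my_username_here"),
    (4, None),
]


def connect():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def _ids(conn, sql, params):
    return [row[0] for row in conn.execute(sql, params)]


def ids_not_equal(conn, value):
    """WHERE name <> ?  : NULL compares as UNKNOWN, so the NULL row is excluded."""
    return _ids(conn, "SELECT id FROM users WHERE name <> ? ORDER BY id", (value,))


def ids_not_equal_or_null(conn, value):
    """WHERE name <> ? OR name IS NULL : the fix from the post."""
    return _ids(conn, "SELECT id FROM users WHERE name <> ? OR name IS NULL ORDER BY id", (value,))


def like_pattern(word):
    """Build a %word% pattern; escape the LIKE metacharacters in user input so a
    supplied '%' or '_' cannot widen the match (the ESCAPE clause below pairs with this)."""
    escaped = word.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


def ids_not_containing(conn, word):
    """WHERE name NOT LIKE ?  : again drops the NULL row."""
    return _ids(conn, "SELECT id FROM users WHERE name NOT LIKE ? ESCAPE '\\' ORDER BY id",
                (like_pattern(word),))


def ids_not_containing_or_null(conn, word):
    """NOT LIKE with the NULL rows kept as well."""
    return _ids(conn,
                "SELECT id FROM users WHERE name NOT LIKE ? ESCAPE '\\' OR name IS NULL ORDER BY id",
                (like_pattern(word),))


if __name__ == "__main__":
    db = connect()
    print("<>            :", ids_not_equal(db, "username"))
    print("<> or is null :", ids_not_equal_or_null(db, "username"))
    print("not like      :", ids_not_containing(db, "username"))
    print("not like/null :", ids_not_containing_or_null(db, "username"))
```

The binding of `?` parameters is the habit worth keeping whenever the compared value comes from a user: it keeps the comparison value out of the query text, and the escaping helper keeps a user-supplied `%` from turning `NOT LIKE` into a match-nothing or match-everything predicate.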
#50
You can use the findstr command to search for a specific string via the command prompt:

To search only one word:

findstr /s "hello" *.*

If there is a space in the search word, you have to use the /C option as follows:

findstr /s /C:"hello world" *.*

Hope this will be helpful!
#51
Passing an argument in a batch file is easy. For example, if your batch file name is myfile.bat and you want to pass some argument, you can execute the following command:

myfile myargument

The value myargument will be stored in %1 and you can store it in a variable as follows:

set arg1=%1
#52
cPanel/WHM / Re: Uninstall cPanel from server
October 30, 2019, 05:19:17 PM
When we install cPanel, it also makes changes in default operating system files. Hence there is no way you can uninstall it. You should rebuild your server or migrate it to another server.
#53
Generally it is not recommended to uninstall a control panel, as there may be many services dependent on it. For Plesk, you can refer to the following URL:

https://support.plesk.com/hc/en-us/articles/4410908355730-How-to-uninstall-Plesk

Note: Plesk installs many components, including ones provided by 3rd-party vendors, and not all of them may be removed without leftovers.

The recommended approach is to backup the necessary information and reinstall the OS to avoid unexpected behavior after Plesk components removal.
#54
By default, the Windows command prompt will not be closed when you close a program which was started using a batch file. To close the Windows command prompt, you can use the "start" command to start any program as follows:

start "" path-to-your-program

The above command will close the Windows command prompt once your program is started.
#55
The solution is mentioned in the description. You will need to convert your second folder into an application folder (virtual directory) from IIS.
#56
This is due to the max_connect_errors limit. By default this limit is set to 10. That means, if there are more than 10 errors from your system, your host will be blocked from accessing MySQL. You can either check why there are failed logins or errors, or you can raise the limit for the max_connect_errors variable.

To increase the value, you just need to add/edit the max_connect_errors variable in your MySQL configuration file and then restart the MySQL service. You can set a higher limit as per your need.
#57
You can extract a particular file/folder from your .tar.gz file as follows:

tar -zxvf your-file.tar.gz filename

tar -zxvf your-file.tar.gz directory-name


Please note that you have to specify the exact path to extract a file/directory.
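As an added illustration of the "exact path" point above (written for this page, not taken from the thread), the function below does in Python what `tar -zxvf your-file.tar.gz filename` does on the command line: it selects one member, or every member under one directory, by its exact archive path. It also refuses members whose names escape the destination directory, which is the check worth having whenever the archive comes from someone else. The archive contents are constructed inline.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(include_traversal=False):
    """Constructed .tar.gz standing in for your-file.tar.gz; returns its bytes."""
    members = [
        ("site/index.html", b"<h1>hi</h1>"),
        ("site/config/db.php", b"<?php // credentials would live here"),
    ]
    if include_traversal:
        # A hostile member that would land outside the extraction directory.
        members.append(("../outside.txt", b"escaped"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_members(archive_bytes):
    """Equivalent of `tar -tzf`: the exact member paths you must pass to extract."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        return tar.getnames()


def is_safe_member(name):
    """Reject absolute paths and any path that climbs above the extraction root."""
    if os.path.isabs(name):
        return False
    parts = os.path.normpath(name).split(os.sep)
    return ".." not in parts


def extract_member(archive_bytes, member, dest):
    """Extract `member` (a file, or a directory and everything under it) into `dest`.

    Returns the list of extracted member names; [] if the exact path is not in the
    archive, mirroring tar's 'Not found in archive' for a wrong or partial path."""
    prefix = member.rstrip("/") + "/"
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for info in tar.getmembers():
            if info.name != member and not info.name.startswith(prefix):
                continue
            if not is_safe_member(info.name):
                raise ValueError(f"refusing unsafe member path: {info.name!r}")
            tar.extract(info, dest)
            extracted.append(info.name)
    return sorted(extracted)


def extract_to_tempdir(archive_bytes, member):
    """Helper for the demo: extract into a fresh temporary directory and report
    (extracted member names, whether each one now exists on disk)."""
    with tempfile.TemporaryDirectory() as dest:
        names = extract_member(archive_bytes, member, dest)
        present = all(os.path.exists(os.path.join(dest, n)) for n in names)
    return names, present


if __name__ == "__main__":
    archive = build_sample_archive()
    print("members:", list_members(archive))
    print("exact file :", extract_to_tempdir(archive, "site/config/db.php"))
    print("directory  :", extract_to_tempdir(archive, "site"))
    print("wrong path :", extract_to_tempdir(archive, "db.php"))
```

Passing `db.php` instead of `site/config/db.php` extracts nothing, which is the same behaviour the post warns about for the command-line tool. Extracting a directory member pulls in every entry under it, so pick the narrowest path that contains what you need.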
#58
Linux / Re: How to change Linux hostname permanently
October 30, 2019, 05:03:29 PM
The hostname command will not change your server's hostname permanently. If you have a recent Linux operating system (systemd based), you can do it using the hostnamectl command. For complete details, you can refer to our following blog post:

https://www.webhostingdiscussion.net/blog/how-to-set-or-change-hostname-in-linux/
#59
Web Hosting / Re: Access website using IPv6 IP address
October 30, 2019, 05:01:16 PM
For IPv6, you will have to specify [ and ] in the URL as follows:

http://[2607:5300:120:11c:120:11c::]/

For more details, you can refer to our following blog post:

https://www.webhostingdiscussion.net/blog/how-to-access-ipv6-url-from-browser/
#60
Since the server doesn't have any control panel, you only have the manual migration option. You can follow the steps below to migrate your websites:

  • Add a website to the new server (create the home directory, virtualhost entry etc.)
  • Generate a full cPanel backup from the old server and transfer the entire .tar.gz file to the new server
  • Extract the .tar.gz file. This should contain your web contents as well as the MySQL database.
  • Move the web contents to the appropriate directory and restore the MySQL database.