2007/02/08 16:05:46
Dhosting.co.uk

HC7 Build 10 Security Bug

Hello all, can someone please verify this?

1. Log in to your control panel as a webadmin or reseller.
2. Read the info below about changing the address, then paste the following into your browser's navigation bar and click Go:
http://www.dcontrol.net/browsing/SubBrowsing.aspx?PF=1&WSID=592&OSType=Windows&ServerIP=0.0.0.0&FormName=frmAddPrivateFolder&FieldName=txtPhysicalPath&FieldValue=c%3a&SkipFiles=1&FromAddPrivateFolder=1

- Replace http://www.dcontrol.net with your control panel's URL (and port, if not port 80).
- Replace WSID=592 with a valid WebsiteID. This could be guessed, i.e. 1, 2, 3, 10 etc.; it can also be found in the log folder of any domain, as the website ID is part of the folder name and the log file name!

In the security settings for our servers, on all partitions it's set to only allow Administrators and SYSTEM; as HC executes as an administrator, someone can view your entire server!

__________________
Chris Daley
Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423
www.Dhosting.co.uk - Web Hosting, Domain Registration
www.Dwebs.ltd.uk - Web Design & Other Services
My views are my own and not those of my company.
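An added example (not Hosting Controller's code) of the server-side containment check that the steps above show is missing, plus a review of IIS W3C log lines for SubBrowsing requests that reach outside a site's root. The WebsiteID-to-root table and the log lines are constructed sample data; the query field names follow the URL above.

```python
# Added example, not Hosting Controller's code: authorisation check and log review for the
# SubBrowsing.aspx issue above. Site roots and log lines below are constructed sample data.
import ntpath
from urllib.parse import parse_qs

# Constructed mapping of WebsiteID -> physical root; a real panel would read this from its DB.
SITE_ROOTS = {
    "592": r"C:\Inetpub\vhosts\example592",
    "593": r"C:\Inetpub\vhosts\example593",
}

def path_within_root(site_root, requested):
    """True only if `requested` names a fully qualified path at or below `site_root`.

    Drive-relative ("c:") and driveless ("\\foo") forms are rejected outright: they resolve
    against the worker process's current directory, not the customer's site root.
    normpath collapses "." and ".." segments before the comparison.
    """
    drive, tail = ntpath.splitdrive(requested)
    if not drive or not tail.startswith(("\\", "/")):
        return False
    root = ntpath.normcase(ntpath.normpath(site_root)).rstrip("\\")
    req = ntpath.normcase(ntpath.normpath(requested)).rstrip("\\")
    return req == root or req.startswith(root + "\\")

def check_browse_request(wsid, field_value, site_roots=SITE_ROOTS):
    """Server-side decision the post says is missing: list only inside the site's own root."""
    root = site_roots.get(wsid)
    return root is not None and path_within_root(root, field_value)

def find_escapes(w3c_lines, site_roots=SITE_ROOTS):
    """Scan IIS W3C log lines (date time s-ip method uri-stem uri-query port user c-ip status)
    and return (user, c-ip, wsid, path) for SubBrowsing requests that leave the site root."""
    hits = []
    for line in w3c_lines:
        if line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 10 or not f[4].lower().endswith("/browsing/subbrowsing.aspx"):
            continue
        q = parse_qs(f[5], keep_blank_values=True)
        wsid = q.get("WSID", [""])[0]
        path = q.get("FieldValue", [""])[0]
        if not check_browse_request(wsid, path, site_roots):
            hits.append((f[7], f[8], wsid, path))
    return hits

SAMPLE_LOG = [  # constructed lines in IIS W3C format
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2007-08-16 10:15:02 10.0.0.5 GET /browsing/SubBrowsing.aspx WSID=592&FieldValue=C%3a%5cInetpub%5cvhosts%5cexample592%5clogs 80 reseller1 10.0.0.9 200",
    "2007-08-16 10:15:40 10.0.0.5 GET /browsing/SubBrowsing.aspx WSID=592&FieldValue=c%3a 80 reseller1 10.0.0.9 200",
    "2007-08-16 10:16:11 10.0.0.5 GET /browsing/SubBrowsing.aspx WSID=593&FieldValue=C%3a%5cInetpub%5cvhosts%5cexample593%5c..%5c..%5c.. 80 reseller1 10.0.0.9 200",
]

if __name__ == "__main__":
    for hit in find_escapes(SAMPLE_LOG):
        print("request outside site root:", hit)
```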
33 comments
HC Team
We have replicated this issue locally and forwarded it to the concerned dept. Thanks for informing us.

________________________
HC Support Team
support@hostingcontroller.com
http://hostingcontroller.com
+1-213-341-1419
2007/03/08 07:58:37
Dhosting.co.uk
Well, my question on this one is: HC, how and why has this happened?

A similar issue was reported in HC 6.1 over a year ago; surely this should have been tested and sorted out in v7????

It looks to me like the same mistakes are being made.


2007/03/08 08:12:23
Dhosting.co.uk
11 days, no fix. What's going on, HC?

2007/08/13 04:35:44
HC Team
This issue has already been fixed and you will get its fix in build 11.

2007/08/13 04:53:45
nitaish
When does HC plan to roll out the new build? It has become kind of risky working with HC 7 nowadays. Also, my suggestion is to make this topic viewable only by the members and not by the general public, as this exposes the vulnerability of the control panel and anybody can misuse this to create problems on the server.



An ICANN Accredited Domain name Registrar
- OwnRegistrar.com
| Shared Hosting | Reseller hosting | Dedicated server | - QualiSpace.com
Premium AntiSpam / AntiVirus gateway - SpamTermino.com
Signup as a reseller and get domains only for $6.49
2007/08/16 06:20:45
Dhosting.co.uk
This really isn't good enough, HC.

Build 10 Release Date : 11/07/2007
Build 10 Security Bug Reported : 02/08/2007
Build 11 Release : ???

So it's been 38 days, if my maths is correct, since the last release, and 16 days since the security bug was reported.

Is it just me or is the build 11 update taking longer than normal? What's the hold-up?

I'm really losing the will to use HC any more; you still haven't explained why this bug is in v7 when the same bug was in v6.1 nearly 2 years ago. Mistakes happen, but you don't make the same mistake twice in my view.


2007/08/18 04:14:43
Dhosting.co.uk
I've just had a chat with HC support.

I'm not impressed :(

No date for build 11 still.

I was told a certain feature for the Linux part of HC will be added. I'm not sure if I'm the only one with this view, but if you want a Linux control panel you go and buy cPanel or DirectAdmin. HC doesn't have the knowledge to make it secure enough, and the implementation they use isn't secure at all.

So it seems the build 11 delay is because of a new feature for Linux.

Would it not be better to release an update that fixes this security issue and then release a full build 11 update when it's ready?

I also got told not to post security bugs in the HC forum; they would have preferred it if I had emailed them the info rather than posting it publicly, which makes me wonder how many other bugs there are which haven't been reported to the public.


2007/08/18 04:32:44
Albert38
Well, it isn't a security bug, but I reported some time ago that in Build 10 there are very strange calculations in the bandwidth and disk usage e-mail reports. I have tested this issue on 2 servers with the same result: the reports show strange usage of more than 1TB on an account with a 3GB amount set, and an available remainder of more than 1TB. My maths is good enough to know this isn't right.

I also noticed something else. There is a 50% discount on HC7; last year there was the same discount on HC6. Maybe this is telling us there is an HC8 coming up. (Who knows? Time may tell.)
2007/08/18 09:57:00
Dhosting.co.uk
I disabled the email reports so can't verify that.

Although I've noticed HC shows different bandwidth and disk stats compared to what's in the database.

i.e. I can calculate how much a user has used in the past month directly from the HC DB, which is 100% correct, but in HC itself it's not correct. It's like it's not calculating it correctly; slightly odd but not a major problem.

2007/08/18 10:53:45
Albert38
I don't see the numbers mentioned below as a major problem, but it is a problem and you can't send emails with these stupid calculations to your customers. It doesn't look very professional.
quote:

Plan Name                          Allocated   Consumed      Remaining
3 site 50GB p/m [Jul 04, 2007]     48,83 GB    65142,85 GB   423138,40 GB

Domain Name      Consumed
domain1.com      19629,52 GB
domain2.com      45407,07 GB
domain3.com      83,35 GB
domain4.com      1,62 GB
domain5.com      2,09 GB
domain6.com      465 MB
domain7.com      5,77 GB
domain8.com      848 MB
domain9.com      5,70 GB
domain10.com     6,42 GB
domain11.com     5 MB

Total                              48,83 GB    65142,85 GB   4231,38 GB


2007/08/18 14:35:26
Dhosting.co.uk
I don't have that issue.

Although when you log in as reseller, click Reports, click Bandwidth,

double click the first level, then double click a user, then click "View 6 months" next to one of the domains, click the Back button in IE, then click "six months" for another domain, I get the graph for the same domain.



2007/08/18 16:38:43
HC Team
quote:
Originally posted by Dhosting.co.uk
I've just had a chat with HC support.

I'm not impressed :(

No date for build 11 still.

I was told a certain feature for the Linux part of HC will be added. I'm not sure if I'm the only one with this view, but if you want a Linux control panel you go and buy cPanel or DirectAdmin. HC doesn't have the knowledge to make it secure enough, and the implementation they use isn't secure at all.

So it seems the build 11 delay is because of a new feature for Linux.

Would it not be better to release an update that fixes this security issue and then release a full build 11 update when it's ready?

I also got told not to post security bugs in the HC forum; they would have preferred it if I had emailed them the info rather than posting it publicly, which makes me wonder how many other bugs there are which haven't been reported to the public.



We understand your concern; that's why we are trying our best to release build 11 ASAP. Actually the code is opened for some other issues, therefore it's taking some time. Hopefully you will get it next week. Thanks for your patience.

2007/08/20 08:34:41
Dhosting.co.uk
Hang on: "Actually code is opened for some other issues". Do you mean security issues?

2007/08/20 08:37:10
Dhosting.co.uk
I reckon this update isn't going to come out until 11th September, 2 months after the build 10 release :)

2007/08/23 04:07:21
Albert38
What is the basis for your conclusion, Dhosting?
2007/08/23 05:20:32
Dhosting.co.uk
A bit of logic and guesswork.

I've not heard HC say it's in beta yet, i.e. not in the testing phase, and the previous post from HC makes out there's another code problem to sort out.

I think there is only one HC developer, so if that's correct it's a lot of work for one person. I could be wrong, but from past experience etc.


2007/08/23 05:23:08
Albert38
I hope you aren't right. We will have to wait patiently for it.
2007/08/23 06:02:26
HC Team
These are all just your speculations. Don't you worry, the build will be out before 9/11. :) As I told you before, this issue is already fixed and we cannot afford to release a small patch because the code is opened to implement some new features. We need sincere cooperation from your people. Thanks

2007/08/23 07:20:50
Dhosting.co.uk
I don't find the joke funny, HC.

2007/08/23 07:22:20
nitaish
While we still await the release of the latest build of HC 7, which seems to be lost somewhere, may I ask HC when they are planning to come out with the backup/restore service which was promised by them in HC7? It has been 9 months since HC7 was rolled out and we are still waiting for the backup/restore facility. I guess most people opted for HC7 only because of the backup/restore feature. Will HC throw some light on this?


2007/08/24 00:29:45
Dhosting.co.uk
I think my estimate on the backup/restore was 12 months after release, so I reckon December :)

Although unless it's special we will not be using it.

I have scripted our backup and restore; some work is still to be done, but it works far better than RBX did.

I use WinRAR to archive the backup, which holds the NTFS security permissions, so when you restore you get all the permissions correct. We use Active Directory to manage users, so we do not need to back users/passwords up, but looking at the HC DB it wouldn't be too hard to do a mass reset and create.

Currently my scripts back up:
IIS Metabase
DNS Zones & Registry
Users' Data
MSSQL Databases & Users
MySQL Databases & Users

All are held for 7 days and automatically deleted once they are over 7 days old.

It's not perfect, but a work in progress!

We purchased RBX in May 2006; now I doubt we're covered for upgrades, as it's now over a year since we purchased.


2007/08/24 02:08:26
Dhosting.co.uk
Still no release date. Could it be a 2 month wait between updates? Oooooooh, who knows :)

On a related note, Firefox users cannot use the payment form in HC to pay their bill; HC have been made aware, along with several other Firefox issues.



2007/08/29 07:07:28
HC Team
quote:
Originally posted by Dhosting.co.uk
Still no release date. Could it be a 2 month wait between updates? Oooooooh, who knows :)

On a related note, Firefox users cannot use the payment form in HC to pay their bill; HC have been made aware, along with several other Firefox issues.



We really understand your concern. Actually we want to release the 'Backup Recovery System' with build 11, which has been delayed a bit, and now it will be released by the end of this month.

2007/04/09 03:06:47
Dhosting.co.uk
You're missing the point 100%.

A security bug has been reported.
You have verified the bug.

You're playing with recovery when a security bug needs fixing.

It seems HC aren't too bothered about it????

I think it's about time an external security company was brought in to put HC through its paces properly. I'm tempted to go and pay someone to do it.


2007/04/09 14:40:13
nitaish
quote:
Originally posted by Dhosting.co.uk
You're missing the point 100%.

A security bug has been reported.
You have verified the bug.

You're playing with recovery when a security bug needs fixing.

It seems HC aren't too bothered about it????

I think it's about time an external security company was brought in to put HC through its paces properly. I'm tempted to go and pay someone to do it.



I agree with you totally. HC does not seem to know how to set priorities. No doubt the backup and recovery system is necessary, but they should think of releasing some interim patch to resolve the security issue which has been found and is now well known. I hope HC understands.



2007/05/09 02:18:53
nitaish
2007/07/09 00:28:06
HC Team
quote:
Originally posted by nitaish
quote:
Originally posted by Dhosting.co.uk
You're missing the point 100%.

A security bug has been reported.
You have verified the bug.

You're playing with recovery when a security bug needs fixing.

It seems HC aren't too bothered about it????

I think it's about time an external security company was brought in to put HC through its paces properly. I'm tempted to go and pay someone to do it.

I agree with you totally. HC does not seem to know how to set priorities. No doubt the backup and recovery system is necessary, but they should think of releasing some interim patch to resolve the security issue which has been found and is now well known. I hope HC understands.



The issue was fixed after the 2nd day of its reporting, but I have already explained that, as the code is opened, it's not possible for us to release any interim patch. Please try to understand.

2007/07/09 03:25:51
nitaish
2007/07/09 05:24:17
crnunez
Hi,
How long will we have to wait for the next release?? Any serious and responsible company must produce a patch for these bugs. It's really urgent.

Free software is faster with any bugs (a new release in a few days) than this support given by HC... :(

Regards.

R.N.
2007/09/09 13:45:20
twizted
quote:
Originally posted by Albert38
What is the basis for your conclusion, Dhosting?



I guess he didn't need a basis; it is Sept 14!
2007/09/14 07:36:47
twizted
quote:
Originally posted by HC Team
Don't you worry, the build will be out before 9/11. :)
2007/09/14 07:39:27
Dhosting.co.uk
Ah well, at this very moment I'm typing my credit card info into H_E_L_M's billing system.

My customers aren't happy with their invoices; for example, today a customer says:

Login Name : username
Amount Due : 180.00
Current Balance : 30.00 GBP

£180 I reckon is the total they have ever paid, but I'm not sure; it is in red etc., whereas the balance £30.00 is correct, as it's in red and that means they owe that amount etc.

The billing system ****.


2007/09/14 07:44:08
HC Team
quote:
Originally posted by twizted
Don't you worry, the build will be out before 9/11. :)




We are sorry for the delay. As I announced earlier, Build 11 will be out by the end of September.

2007/09/15 06:50:23

Comments are closed.