HC7 Build 10 Security Bug
Hello all, can someone please verify this?

1. Log in to your control panel as a webadmin or reseller.
2. Read the info below about changing the address, then paste the following into your browser's navigation bar and click Go:

http://www.dcontrol.net/browsing/SubBrowsing.aspx?PF=1&WSID=592&OSType=Windows&ServerIP=0.0.0.0&FormName=frmAddPrivateFolder&FieldName=txtPhysicalPath&FieldValue=c%3a&SkipFiles=1&FromAddPrivateFolder=1

- Replace http://www.dcontrol.net with your control panel's URL, and port if not port 80.
- Replace WSID=592 with a valid WebsiteID. This could be guessed, i.e. 1, 2, 3, 10 etc. It can also be found in the log folder of any domain, as it specifies the website ID in the folder name and the log file name!

In the security settings for our servers, on all partitions it's set to only allow Administrators and SYSTEM; as HC executes as an administrator, someone can view your entire server!

__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
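
A defender-side check for the behaviour reported in the first post, as an added example that is not part of the thread or of Hosting Controller's code: it audits IIS W3C log lines for SubBrowsing.aspx requests whose FieldValue lies outside the site root for the given WSID. The SITE_ROOTS mapping, the folder layout and the log lines are constructed assumptions.

```python
import ntpath
from urllib.parse import parse_qs

# Hypothetical WebsiteID -> site root mapping; in practice export it from the panel's database.
SITE_ROOTS = {"592": r"C:\Inetpub\vhosts\site592"}

# Constructed IIS W3C log lines (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2007-01-01 10:00:01 GET /browsing/SubBrowsing.aspx PF=1&WSID=592&FieldName=txtPhysicalPath&FieldValue=c%3a&SkipFiles=1 200
2007-01-01 10:00:09 GET /browsing/SubBrowsing.aspx WSID=592&FieldValue=C%3a%5cInetpub%5cvhosts%5csite592%5cprivate 200
2007-01-01 10:00:15 GET /browsing/SubBrowsing.aspx WSID=592&FieldValue=C%3a%5cInetpub%5cvhosts%5csite5921 200
2007-01-01 10:00:20 GET /default.aspx - 200
"""

def is_inside(root, candidate):
    """True if candidate is root or below it (case-insensitive, separator-aware)."""
    root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    cand_n = ntpath.normcase(ntpath.normpath(candidate))
    # Compare with a trailing separator so "site5921" does not match "site592".
    return cand_n == root_n or cand_n.startswith(root_n + "\\")

def audit(log_text):
    """Return (time, wsid, path, reason) for each suspicious folder-browser request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != "/browsing/subbrowsing.aspx":
            continue
        query = parse_qs(row.get("cs-uri-query", ""))   # also percent-decodes values
        wsid = query.get("WSID", [""])[0]
        path = query.get("FieldValue", [""])[0]
        root = SITE_ROOTS.get(wsid)
        if root is None:
            findings.append((row["time"], wsid, path, "unknown WSID"))
        elif not is_inside(root, path):
            findings.append((row["time"], wsid, path, "path outside site root"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The same containment test, applied server-side before the folder listing is produced and combined with a check that the logged-in account owns the WSID, is the kind of fix this report calls for.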
|
RE: HC7 Build 10 Security Bug
2007/03/08 07:58:37
We have locally replicated this issue and forwarded to the concerned dept. Thanks for informing us.
________________________ HC Support Team support@hostingcontroller.com http://hostingcontroller.com +1-213-341-1419
|
RE: HC7 Build 10 Security Bug
2007/03/08 08:12:23
Well my question on this one is HC how and why has this happened?
A similar issue was reported in HC 6.1 over a year ago; surely this should have been tested and sorted out in v7????
It looks to me like the same mistakes are being made.
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
|
RE: HC7 Build 10 Security Bug
2007/08/13 04:35:44
11 days, no fix. What's going on, HC?
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
|
RE: HC7 Build 10 Security Bug
2007/08/13 04:53:45
This issue has already been fixed and you will get its fix in build 11.
________________________ HC Support Team support@hostingcontroller.com http://hostingcontroller.com +1-213-341-1419
|
RE: HC7 Build 10 Security Bug
2007/08/18 04:14:43
This really isn't good enough HC
Build 10 Release Date : 11/07/2007 Build 10 Security Bug Reported : 02/08/2007 Build 11 Release : ???
So it's been 38 days, if my maths is correct, since the last release, and 16 days since the security bug was reported.
Is it just me or is the build 11 update taking longer than normal? What's the hold-up?
I'm really losing the will to use HC anymore; you still haven't explained why this bug is in v7 when the same bug was in v6.1 nearly 2 years ago. Mistakes happen, but you don't make the same mistake twice in my view.
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
|
RE: HC7 Build 10 Security Bug
2007/08/18 04:32:44
I've just had a chat with hc support.
I'm not impressed :(
No date for build 11 still
I was told a certain feature for the Linux part of HC will be added. I'm not sure if I'm the only one with this view, but if you want a Linux control panel you go and buy cPanel or DirectAdmin. HC doesn't have the knowledge to make it secure enough and the implementation they use isn't secure at all.
So it seems the build 11 delay is because of a new feature for Linux.
Would it not be better to release an update that fixes this security issue and then release a full build 11 update when it’s ready?
I also got told not to post security bugs in the HC forum and they would have preferred it if I emailed them the info rather than posting it publicly, which makes me think how many other bugs there are which haven't been reported to the public.
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
|
RE: HC7 Build 10 Security Bug
2007/08/18 09:57:00
Well, it isn't a security bug, but I reported some time ago that in Build 10 there are very strange calculations in the bandwidth and disk usage e-mail reports. I have tested this issue on 2 servers with the same result: strange reports, usage of more than 1TB on an account with a 3GB amount set and an available left of more than 1TB. My maths is good enough to know this isn't right.
I also noticed something else. There is a 50% discount on HC7; last year there was the same discount on HC6. Maybe this is telling us there is an HC8 coming up. (Who knows may tell.)
|
RE: HC7 Build 10 Security Bug
2007/08/18 10:53:45
I disabled the email reports so can't verify that.
Although I've noticed HC shows different bandwidth and disk stats compared to what's in the database.
I.e. I can calculate how much a user has used in the past month directly from the HC db, which is 100% correct, but in HC itself it's not correct. It's like it's not calculating it correctly; slightly odd but not a major problem.
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
|
RE: HC7 Build 10 Security Bug
2007/08/18 14:35:26
I don't see numbers as mentioned below as a major problem, but it is a problem and you can't send email with these stupid calculations to your customers. It doesn't look very professional.

quote:
Plan Name                        Allocated   Consumed      Remaining
3 site 50GB p/m [Jul 04, 2007]   48,83 GB    65142,85 GB   423138,40 GB

Domain Name     Consumed
domain1.com     19629,52 GB
domain2.com     45407,07 GB
domain3.com     83,35 GB
domain4.com     1,62 GB
domain5.com     2,09 GB
domain6.com     465 MB
domain7.com     5,77 GB
domain8.com     848 MB
domain9.com     5,70 GB
domain10.com    6,42 GB
domain11.com    5 MB

Total           48,83 GB    65142,85 GB   4231,38 GB
|
RE: HC7 Build 10 Security Bug
2007/08/18 16:38:43
I don't have that issue.
Although when you log in as reseller, click reports, click bandwidth,
double click first level, then double click a user, then click view 6 months next to one of the domains, click the back button in IE, then click six months for another domain, I get the graph for the same domain.
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
|
RE: HC7 Build 10 Security Bug
2007/08/20 08:34:41
quote: Originally posted by Dhosting.co.uk
I've just had a chat with hc support.
I'm not impressed :(
No date for build 11 still
I was told a certain feature for the Linux part of HC will be added. I'm not sure if I'm the only one with this view, but if you want a Linux control panel you go and buy cPanel or DirectAdmin. HC doesn't have the knowledge to make it secure enough and the implementation they use isn't secure at all.
So it seems the build 11 delay is because of a new feature for Linux.
Would it not be better to release an update that fixes this security issue and then release a full build 11 update when it's ready?
I also got told not to post security bugs in the HC forum and they would have preferred it if I emailed them the info rather than posting it publicly, which makes me think how many other bugs there are which haven't been reported to the public.
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.

We understand your concern; that's why we are trying our best to release build 11 ASAP. Actually code is opened for some other issues, therefore it's taking some time. Hopefully you will get it in the next week. Thanks for your patience.
________________________ HC Support Team support@hostingcontroller.com http://hostingcontroller.com +1-213-341-1419
|
RE: HC7 Build 10 Security Bug
2007/08/20 08:37:10
Hang on, "Actually code is opened for some other issues": do you mean security issues?
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
|
RE: HC7 Build 10 Security Bug
2007/08/23 04:07:21
I reckon this update isn't going to come out until 11th September, 2 months after build 10 release :)
__________________ Chris Daley Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423 www.Dhosting.co.uk - Web Hosting, Domain Registration www.Dwebs.ltd.uk - Web Design & Other Services My views are my own and not those of my company.
|