Netcraft: reflecting on a previous report in which HostGator sites were hacked to distribute IE exploits, HostGator responded that there is a serious security hole in cPanel that is currently being widely exploited.

Hackers gained access to HostGator’s servers late Thursday and began redirecting customer sites to outside web pages that exploit an unpatched VML security hole in Internet Explorer to infect web surfers with trojans. The existence of the new “0-day” exploit of cPanel leaves a large number of hosting companies vulnerable to similar attacks until they install the patch. The risk is mitigated somewhat by the fact that it is a local exploit, meaning any attack on a host must be launched from an existing account with cPanel access.

That sounds pretty bad to me, considering cPanel is pretty much the de facto standard on Linux shared hosting. And it is a root exploit, i.e. the attacker gets complete control of the hosting machine. Combined with the recent Microsoft IE VML stack overflow exploits, the black hats don’t just take over the server boxes; they are using the owned servers to take over end-user desktop machines as well.

Yes. It is a local exploit, which requires an existing cPanel account. That is not difficult to get either — there are plenty of hosts giving you $3.95/month plans running on top of cPanel.

Brent from HostGator has written up the full details of how this exploit was resolved. Great work guys! However, it does sound like patching a leaking boat with band-aids. See what Matt Heaton of BlueHost said about cPanel security on Slashdot:

Don’t blame the hosting companies in this case, blame Cpanel for knowing about their multitude of scripts that run with root privileges without properly parsing all data passed to and from their suid c programs!! We have been complaining about this for at least 2 years with little or no help for the issue. We have at least 20 bandaids for Cpanel’s scripts to fix problems that they refuse to deal with in their “stable” and “current” versions…

If there is so much insecurity surrounding cPanel, why then are the hosting companies still using it? Lazy users who don’t want to learn another control panel? Judging from Heaton’s follow-up comments, that appears to be the case.

Personally I hated cPanel. public_html in your home directory? That’s so 90s! The user interface design in cPanel is so unintuitive that it was probably as much an afterthought as its security design. I still have to put up with this idiotic control panel on one of my shared hosting accounts, but if I have a choice, I’ll steer well clear of it.

But security is far more than a matter of user preference — it poses danger to both the host and its users. Moreover, in the case of cPanel, a proprietary control panel that provides no source code to its end users, no one can really “fix it” even if they know the threat exists. If so many hosting companies are happy to build their platform on top of an open source operating system (Linux) and a suite of open source application stacks (Apache, PHP, Postfix, Courier-IMAP, MySQL, etc.), why do they rely on a closed-source control panel package that does not have “thousands of eyeballs” checking and fixing bugs?

Judging from the license fees paid by all the hosting companies employing cPanel, I don’t see why they couldn’t pool that money into an open source web hosting panel foundation, hire half a dozen developers, and/or sponsor one of the existing open source control panel projects.
