GoFuckYourself.com - Adult Webmaster Forum - View Single Post - EMERGENCY cPanel Update for 0day exploits

AndrewX · 12-04-2012, 06:02 PM

What else is new? We believe they are largely responsible for a lot of bad web hosting experiences inflicted upon the poor website and application developers whose clients end up using them. From a systems administration perspective they make a horrible mess and in turn make the systems administrators very unhappy.

Cpanel compiles its own versions of software, the work required to apply patches to all of these custom compiled versions is immense and is usually performed by the operating system vendor (Microsoft, Red Hat etc). One of the results is a particularly poor security track record because the applications simply aren't patched as quickly or as methodically as they could/should be.

It also stores configuration and log files in non standard locations. When you're dealing with very complex operating systems which administrators spend years learning how to use, this means, staring a Linux server upon which cpanel has been installed their years of experience is not worth nearly as much as it should be. This means problems are harder to find, harder fix, slower and more costly to resolve. Which of course makes diagnostics and support very difficult and outages are longer.

Software versions are either terribly old, or so cutting edge that they breaks things. In the case of CPanel it takes an innovative approach to patch application. Normally, when an application is released, as bugs are found patches are released. Concurrently new versions of the same application are released. When a new version is released at first it wont have any bugs but over time they are found and patches are subsequently released. The cycle goes on. Normally, application vendors continue to release patches for both the new and the old versions of the applications they have released for the supported life (variable in length, but often up to 7 years) of the application. CPanel takes a different approach, rather than applying the patches to the existing versions of the applications, it simply upgrades them to the newest version in which bugs have not yet been found.
Why is this a problem? Take a hosting server which contains potentially hundreds of different websites all built by different website developers. A hosting company can't (and won't) test version upgrades on every site because it's simply not possible. They apply the updates and every time risk (or simply do) breaking many of the websites they hosting due incompatibilities in client code between application versions.

We prefer to use our low-resource and low-memory-footprint version of Virtualmin. You can practically do everything with it, and if you can not, our hosting is fully managed anyway. Drop us an email and we will do it for you.

12-04-2012, 06:02 PM
AndrewX Confirmed User Industry Role: Join Date: Jan 2004 Posts: 574	What else is new? We believe they are largely responsible for a lot of bad web hosting experiences inflicted upon the poor website and application developers whose clients end up using them. From a systems administration perspective they make a horrible mess and in turn make the systems administrators very unhappy. Cpanel compiles its own versions of software, the work required to apply patches to all of these custom compiled versions is immense and is usually performed by the operating system vendor (Microsoft, Red Hat etc). One of the results is a particularly poor security track record because the applications simply aren't patched as quickly or as methodically as they could/should be. It also stores configuration and log files in non standard locations. When you're dealing with very complex operating systems which administrators spend years learning how to use, this means, staring a Linux server upon which cpanel has been installed their years of experience is not worth nearly as much as it should be. This means problems are harder to find, harder fix, slower and more costly to resolve. Which of course makes diagnostics and support very difficult and outages are longer. Software versions are either terribly old, or so cutting edge that they breaks things. In the case of CPanel it takes an innovative approach to patch application. Normally, when an application is released, as bugs are found patches are released. Concurrently new versions of the same application are released. When a new version is released at first it wont have any bugs but over time they are found and patches are subsequently released. The cycle goes on. Normally, application vendors continue to release patches for both the new and the old versions of the applications they have released for the supported life (variable in length, but often up to 7 years) of the application. CPanel takes a different approach, rather than applying the patches to the existing versions of the applications, it simply upgrades them to the newest version in which bugs have not yet been found. Why is this a problem? Take a hosting server which contains potentially hundreds of different websites all built by different website developers. A hosting company can't (and won't) test version upgrades on every site because it's simply not possible. They apply the updates and every time risk (or simply do) breaking many of the websites they hosting due incompatibilities in client code between application versions. We prefer to use our low-resource and low-memory-footprint version of Virtualmin. You can practically do everything with it, and if you can not, our hosting is fully managed anyway. Drop us an email and we will do it for you. __________________ █ ► XenLayer - Paravirtualization Professionals since 2008 - [ICQ: 297820698] █ ► Reseller Hosting \| OpenVZ VPS \| XEN VPS \| Dedicated Servers