cPanel Issues Statement on Root Exploit

keyboardlock1(Ping! Zine Web Tech Magazine) – Popular control panel provider cPanel on Tuesday took time to address reports of a vulnerability pertaining its import / restore feature – something that was initially posted about on

In a blog post via its forums, the company emphasized that users should avoid restoring account backup packages from sources that are either untrusted or unknown.

cPanel said such restorations may have been more common practice than the it had imagined. “In addition, our warnings against doing so have been inadequate to discourage the restoration of untrusted account backup packages,” the provider explained.

Via, it was noted that performing such a task could allow an attacker to launch a symlink attack by the use of a malicious archive. Furthermore, the exploit was said to have had such a negative impact as to allow the unauthorized user to gain access to sensitive files. Vulnerable releases reportedly included cPanel & WHM versions and older.

cPanel, meanwhile, detailed a number of steps it’s taking to “reevaluate” its current system.

“We will soon release an update that adds the warnings present in the CLI restorepkg script to the WHM UI. The warnings will be expanded to explain why account backup packages from untrusted sources should not be restored using the current system,” stated the provider.

The second step included the launch of a “high priority project to develop an alternate system for handling the restoration of untrusted account backup packages.”

cPanel explained it as such: “This new system will restore a limited, safer subset of the data. The primary goal of the new restore tool will be to prefer the security of the restore over replication integrity. We will endeavor to provide as much of the current restore functionality with the new untrusted account backup package restore tool as possible. During the new transfer and restore process, you will be able to clearly select which system you want to use (trusted or untrusted) to restore an account backup package.”

And the last step? “The CLI restorepkg tool will be renamed to restore_trusted_pkg. Once development of the untrusted account backup package restore system is complete, a restore_untrusted_pkg CLI tool will be added,” noted the company.

cPanel Product Manager Kenneth Power also provided one key piece of advice for staying safe: “For the avoidance of doubt, untrusted sources means anyone you would not already trust with root access to the server.”