Session handling, auth, crypto, password hashing etc. - all these are the exact areas where you should be the most allergic to rolling your own. Not because you're not smart enough, but because a simple bug, like sanitizing in the wrong place, makes the failure catastrophic, as in this instance.
Use boring, proven, widely-audited solutions. Save your creativity for the actual problem you're solving.
cPanel is written in Perl.
In fact PHP is only a few months older than it.
I've been coding for more than 40 years, and I probably only took security seriously in the last 25 or so.
In fact, in Ye Days of Yore, we often deliberately coded in unsecured stuff, for convenience.
Look at some of the old Apple Systems (pre-OS X), to see some stuff that would make secops people defecate masonry.
Sometimes it makes sense to roll your own and the cost of a dependency isn't worth it. This can be especially true when you need to accommodate many bespoke environments and you end up needing to make little accommodations here and there. It can create a very unpleasant situation when you don't own the code.
I'm not a cryptographer but I've spent a significant portion of my career focusing on the security-side of things and I've rolled my own auth quite a few times on very public projects you can access today and I've never had any significant findings through repeated pentests.
But that's just the thing: I did it the right way, and there is a right way to roll your own stuff, to forge it in a way it comes out suitable. Is it bug free? Probably not, but I feel significantly better about it having thoroughly tested it by myself, my colleagues and paid professional penetration testers.
I couldn't easily find an answer but I'd like to know if this implementation has been validated by a professional or not.
If you rolled your own crypto and didn't install AF_ALG, you would have avoided copy fail.
Even in this case if you had implemented your own control panel, you wouldn't be hit.
Actually roll your own, don't add dependencies
When you pull in a generic auth or session library, you pull in a “can do everything” module rather than a “can do this one specific thing” module. So, your attack surface grows as do your odds of misconfiguration.
Sure, there will be more bugs in my code, but the attackers will be putting far more scrutiny into a widely used library.
Some deliberately hilariously weak auth I built decades ago is only just now starting to get broken into by AI bots, whereas any vulnerable WordPress was broken into within days.
The potential here to do all kinds of manipulation for search engines / AI tools is enormous. Perhaps the more scary thought is that someone could easily make an agent that would exploit both bugs to wipe out servers.
Good on these companies to publish their findings straight away as I'd imagine that both bugs would have fetched quite a lot on the black market.
You should read the other thread regarding copy fail and the Gentoo maintainer. I haven't seen so many unhinged and outright rude comments on a security topic since the good old days of Slashdot and the x vs. y controversy of the day.
I wonder what the reason behind so much hostility is. Is it Gentoo, or the kernel folks, or the fact that the company that found it used "AI"? No idea, but it was a weird read.
Wait. Wasn't there a whole group of people who thought this way recently? Wasn't it called the Department of Government Efficiency? Wasn't it led by a rich tech bro who wants to live on Mars? Didn't they get disbanded because it was a bunch of armchair experts who knew nothing about government and couldn't make anything efficient?
Maybe you want to apply to whatever they're working on next?
ALL of that goes through cPanel, for every shared hosting provider I can ever remember using. Even if the stuff happening on those servers didn't use Perl, cPanel itself -- the admin of everything provided for that domain by the hosting provider -- is a huge surface area.
I understand how they work, I'm familiar with HTML::Template, and related modules, so I can hack up a quick interactive/dynamic site in a couple of hours.
They're no longer things I'd run on the public internet, but for quick internal things it's very easy to deploy a container with a Perl backend.
Maybe because of its association with really cheap, buggy hosts I explored in my teenage years. Maybe because of their largely unnecessary complications (except enterprise, maybe). Maybe because of the tendency of large, bloated, depressing organizations to use these even in places they shouldn't.
Not that much software people have faith in is faring any better in this CVE storm.
Personally, I manage my homelab through SSH via the command line, and key-based SSH auth is secure enough for my threat model (I am considering switching the entrypoint machine to a BSD though, to avoid the kind of bugs distros sometimes introduce).
But a webserver and a few containerized services seem pretty low risk to me, so I do have a few of them exposed via reverse proxy. The more sensitive one is behind Authelia via the forward-auth pattern, which I feel is a really good fit for homelabs.
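The forward-auth pattern mentioned in the comment above, as an added, stand-alone model (not code from the original thread, nor Authelia's or any proxy's actual code): the reverse proxy validates nothing itself, sends a subrequest carrying the caller's Cookie and the original host/URI to the auth service, and only forwards upstream on a 200. Everything else (hostnames, the `/verify` path, the HMAC-bound cookie format, the group-per-host policy table and the header names) is made up for the example; it also shows the check a real deployment must not forget, stripping client-supplied identity headers before the proxy sets its own.

```python
"""Toy model of the forward-auth pattern used with Authelia behind a
reverse proxy.  All hostnames, paths, cookie formats and policies below
are constructed for this example."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

AUTH_PORTAL = "https://auth.example.com"  # assumed login-portal URL
SESSION_COOKIE = "toy_session"            # assumed cookie name
# Headers the upstream trusts; the proxy must strip them from client input.
IDENTITY_HEADERS = ("Remote-User", "Remote-Groups")


@dataclass
class Request:
    host: str
    uri: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class AuthService:
    """Stand-in for Authelia: owns sessions and the per-host access policy."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # session id -> (user, groups)
        # constructed sample policy: host -> group allowed to reach it
        self.policy = {"grafana.example.com": "admins",
                       "notes.example.com": "users"}

    def login(self, user: str, groups: tuple) -> str:
        """Issue a session cookie: random id bound to an HMAC so it can't be forged."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = (user, groups)
        mac = hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{mac}"

    def _session(self, cookie_header: str):
        """Parse the Cookie header; return (user, groups) or None."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name != SESSION_COOKIE or "." not in value:
                continue
            sid, mac = value.rsplit(".", 1)
            expected = hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(mac, expected):
                return self._sessions.get(sid)
        return None

    def verify(self, sub: Request) -> Response:
        """Answer the proxy's subrequest using only the forwarded headers."""
        target_host = sub.headers.get("X-Forwarded-Host", "")
        target_uri = sub.headers.get("X-Forwarded-Uri", "/")
        session = self._session(sub.headers.get("Cookie", ""))
        if session is None:
            # Unauthenticated: bounce the browser to the portal with a
            # return URL so it lands back on the page it asked for.
            rd = f"https://{target_host}{target_uri}"
            return Response(302, {"Location": f"{AUTH_PORTAL}/?rd={rd}"})
        user, groups = session
        if self.policy.get(target_host) not in groups:
            return Response(403, body="forbidden")
        return Response(200, {"Remote-User": user,
                              "Remote-Groups": ",".join(groups)})


class ReverseProxy:
    """Stand-in for a proxy (Traefik, nginx, ...) with forward-auth enabled."""

    def __init__(self, auth: AuthService, upstream):
        self._auth = auth
        self._upstream = upstream  # callable(Request) -> Response

    def handle(self, req: Request) -> Response:
        # Never let the client supply identity headers: the upstream trusts
        # them precisely because only the proxy is supposed to set them.
        clean = {k: v for k, v in req.headers.items() if k not in IDENTITY_HEADERS}
        sub = Request(host="auth.example.com", uri="/verify",  # assumed path
                      headers={"Cookie": clean.get("Cookie", ""),
                               "X-Forwarded-Host": req.host,
                               "X-Forwarded-Uri": req.uri})
        decision = self._auth.verify(sub)
        if decision.status != 200:
            return decision  # relay the redirect / 403 to the client
        for h in IDENTITY_HEADERS:
            if h in decision.headers:
                clean[h] = decision.headers[h]
        return self._upstream(Request(req.host, req.uri, clean))


def sample_upstream(req: Request) -> Response:
    """A protected app that simply trusts Remote-User set by the proxy."""
    return Response(200, body=f"hello {req.headers.get('Remote-User', '?')}")


def build() -> tuple:
    auth = AuthService(key=secrets.token_bytes(32))
    return auth, ReverseProxy(auth, sample_upstream)


if __name__ == "__main__":
    auth, proxy = build()
    cookie = f"{SESSION_COOKIE}={auth.login('alice', ('admins',))}"
    print(proxy.handle(Request("grafana.example.com", "/d/1", {"Cookie": cookie})).body)
```

The point to take from the `ReverseProxy.handle` step is that the upstream never sees a credential, only a `Remote-User` header, so the whole scheme is only as good as the proxy's discipline about dropping those headers from client input and routing every path through the subrequest; a single `Host`/path rule that bypasses the middleware exposes the app unauthenticated.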
[0] cPanel seems to be from 1996. We've known this is a mistake since before 1996.
yikes. https://www.shodan.io/search?query=basic+realm%3D%22cPanel%2...
I would think that for everyone that needs some help, there must be 10 who self served…
They should have switched to a web framework long ago
Low-key wonder if people are using LLMs to scan these old code bases for corner-case issues and finding treasure troves of exploits.
A couple of years ago I got really sick and tired of cPanel, and started trying all these alternatives. I'm not an Arch Linux SSH freak, I need a GUI. And none of the panels had old school functions like setting up FTP and such.
So good luck to the Estonian (I think?) developers of Fastpanel and good riddance to that bloated slug cPanel.