undefined | Better HN

0 pointszuzululu15h ago0 comments

Ages ago I used php-nuke to manage my forum and it got hacked and I thought it would get taken seriously

Seeing these CPanel hacks remind me how old these codebases are and how much more vulnerability remain

0 comments

Cpanel is Perl, not PHP. Probably the grayest of the gray beards. Perhaps not enough Perl Wizards left to maintain it nowadays.

TZubiri14h ago

The concept of a GUI wrapper on top of the Linux ecosystem is what's broken.

Not because of a fundamental limitation of that architecture, but because in practice the type of people that will use it do not want to learn or develop the necessary skills to administer it, and critical information like man pages and parameter lists are hidden.

You can't take shortcuts without consequences.

walrus0113h ago

Remember 'webmin'?

As someone who pretty much exclusively uses debian, freebsd and openbsd for server OS work, I was also rather surprised recently to see the default web gui that comes on a new fedora install.

https://cockpit-project.org/

mappu8h ago

I was pleasantly surprised to learn the architecture for this - a minimal backend that does a PAM auth and gives you a shell over websocket, with only your own Linux user credentials - and then everything else (from managing files to apache to VMs) is done in frontend javascript.

Keeps the server-side backend minimal and auditable.

esseph10h ago

Also comes default on Red Hat Enterprise Linux, Rocky Linux , AlmaLinux, Oracle Linux, and SUSE.

Also walrus from old, old UBNT forum? If so, hello :)

majicDave12h ago

> The concept of a GUI wrapper on top of the Linux ecosystem is what's broken

That is a nugget, it's so true.

Wrappers in general are such an issue in software. Wrappers built on top of wrappers, this desire to abstract everything away makes things look simpler, but every layer slows things down and hides what is actually happening. Every wrapper is another layer of complexity, another hoop to jump through when you're looking for a solution to a problem.

1 more reply

ricardonunez14h ago

Of course is the architecture and the creator of such a thing, isn’t the point of a tool like that for users that don’t have the tech knowledge? I have only used those systems on shared hosting, host providers are the one maintaining and should be keeping them up to date and WHM/Cpnel have plenty of customers to worry too patch holes, if they can’t then who’s fault is it, Architecture, or provider? Hope is the customers fault?

walrus0113h ago

I would worry less about big shared hosting providers, who have a strong interest in patching their stuff quickly, than the market of people who get one or two dedicated servers or KVM VMs and then install cpanel on them and for the rest of the time they use it, ignore the CLI of the servers and never patch anything. There's a lot of small users of cpanel that have just a few licenses.

doublerabbit9h ago

Php-nuke was the hacking testing ground. Nuke was atrocious for exploitation.

jszymborski8h ago

I was thinking about php-nuke I while back and it's terrible security rep. I figured it was just the regular PHP foot guns of the era, but I took a look at the code recently and boy howdy that was some truly atrocious code. I'm not security person (although perhaps security minded) and I found a million problems after a cursory glance.

dainiusse15h ago

I don't agree that "old" necessarily implies vulnerability.

pixl9714h ago

I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.

omnimus14h ago

These PHP systems be it cPanel, wordpress or PHP itself are most likely the biggest target besides windows. It's incredibly uncool stack especially here but it is running most of the "independent" small web.

They cannot be that bad if they are managing to be ductape of the internet.

6 more replies

tclancy11h ago

As a coder who just hit 50, trust me, it does.

j / k navigate · click thread line to collapse

0 comments

bouncycastle1h ago

Cpanel is Perl, not PHP. Probably the grayest of the gray beards. Perhaps not enough Perl Wizards left to maintain it nowadays.

TZubiri14h ago

The concept of a GUI wrapper on top of the Linux ecosystem is what's broken.

You can't take shortcuts without consequences.

walrus0113h ago

Remember 'webmin'?

As someone who pretty much exclusively uses debian, freebsd and openbsd for server OS work, I was also rather surprised recently to see the default web gui that comes on a new fedora install.

https://cockpit-project.org/

mappu8h ago

Keeps the server-side backend minimal and auditable.

esseph10h ago

Also comes default on Red Hat Enterprise Linux, Rocky Linux , AlmaLinux, Oracle Linux, and SUSE.

Also walrus from old, old UBNT forum? If so, hello :)

majicDave12h ago

> The concept of a GUI wrapper on top of the Linux ecosystem is what's broken

That is a nugget, it's so true.

1 more reply

ricardonunez14h ago

walrus0113h ago

doublerabbit9h ago

Php-nuke was the hacking testing ground. Nuke was atrocious for exploitation.

jszymborski8h ago

dainiusse15h ago

I don't agree that "old" necessarily implies vulnerability.

pixl9714h ago

I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.

omnimus14h ago

They cannot be that bad if they are managing to be ductape of the internet.

6 more replies

tclancy11h ago

As a coder who just hit 50, trust me, it does.

j / k navigate · click thread line to collapse