Yesterday was abuzz with news of a major cPanel exploit. It seems to affect all versions of cPanel up to 11.0.0 build 492.

An uncompiled mysqladmin script allowed an exploited copy of MySQL.pm to be placed within the directory location of mysqladmin. This copy of MySQL.pm would be given preference by mysqladmin due to the precedence order of Perl module searches. A malicious user could then use an exploited copy of MySQL.pm to elevate their system access (including root access).
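To see which copy of a module wins such a search, the following added example (not cPanel's code and not part of the patch) walks an ordered list of directories the way Perl walks its module search path and flags copies that sit in directories a non-root user can write to. The directory names and the empty placeholder MySQL.pm files are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Return every copy of $module along @dirs, in search order; the first hit
# is the file that require/use would load, later hits are shadowed by it.
sub find_copies {
    my ($module, @dirs) = @_;
    (my $rel = "$module.pm") =~ s{::}{/}g;
    my @hits;
    for my $dir (@dirs) {
        next if ref $dir;                      # skip @INC hooks (code refs)
        my $path = File::Spec->catfile($dir, $rel);
        next unless -f $path;
        my ($mode, $uid) = (stat $dir)[2, 4];
        # Risky: directory not owned by root, or writable by group/other.
        my $risky = ($uid != 0 || ($mode & 0022)) ? 1 : 0;
        push @hits, { path => $path, risky => $risky };
    }
    return @hits;
}

# Constructed sample layout (assumption): a script directory searched ahead
# of a library directory, each holding an empty placeholder MySQL.pm.
my $root = tempdir(CLEANUP => 1);
my ($script_dir, $lib_dir) =
    map { File::Spec->catdir($root, $_) } qw(script_dir site_lib);
for my $dir ($script_dir, $lib_dir) {
    mkdir $dir or die "mkdir $dir: $!";
    open my $fh, '>', File::Spec->catfile($dir, 'MySQL.pm') or die "open: $!";
    close $fh;
}
chmod 0777, $script_dir;    # simulate a directory other users can write to
chmod 0755, $lib_dir;

# Pass real directories on the command line to audit them in that order;
# with no arguments the constructed layout above is used.
my @search = @ARGV ? @ARGV : ($script_dir, $lib_dir);
my @hits = find_copies('MySQL', @search);
for my $i (0 .. $#hits) {
    printf "%-8s %s%s\n", $i == 0 ? 'LOADED' : 'shadowed', $hits[$i]{path},
        $hits[$i]{risky} ? '  [directory writable by non-root]' : '';
}
print "WARNING: the copy that loads sits in a non-root-writable directory\n"
    if @hits && $hits[0]{risky};
```

Run as a non-root user, both constructed directories are flagged because the invoking user owns them; on a real system the interesting case is a flagged directory that is searched ahead of the system library path.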

A patch for this issue has been released. Please note that this is a local issue and a system cannot be compromised remotely. The malicious user must have access to an account on the system to take advantage of this script.

To fix the exploit, you can log in via SSH and run /scripts/upcp --force
However, I found this didn’t work for me so I had to run the following patch script via SSH.

wget -q -O - http://layer1.cpanel.net/installer/sec092406.pl | perl

You can then check that this patch has run correctly by running the following in SSH.

wget -q -O - http://layer1.cpanel.net/installer/cpanel_exploit_checker_092406.pl | perl