14 May
Renewing a cPanel/WHM certificate 0
, , , , , ,

WHM isn’t exactly easy to get to what you need sometimes and today’s been no different. My self-signed SSL certificate that appears for my hosting customers when they login to cPanel or secure webmail was up for expiry today so I had to redo the generation again.

Here’s how to do it for my future reference and anyone that gets stuck doing it themselves.

  • Login to WHM
  • Scroll down and under “Web SSL/TLS” click on “Generate a SSL Certificate and Signing Request”
  • Enter your necessary details and click on create
  • Next, under “SSL/TLS” click on “Change Server Certificates”
  • Choose cPanel/WHM server
  • In the box next to “Domain this CRT is for” type in the host name you entered for the generation process
  • Click the two fetch buttons below to automatically get the .key and .crt files
  • Click submit in the top left

You should now be left with a functional SSL certificate for your cPanel/WHM server.
The way my hosting companies support representative went about it was to click on “Reset server certificates”. Whilst this initially appears fine, it sets the SSL certificate to localhost as your hostname and not your actual DNS hostname. This causes errors in email clients and web browsers.

25 Sep
Major cPanel Exploit 0
, , , , , ,

Yesterday was abuzz with news of a major cPanel exploit. It seems to affect all version of cPanel up to 11.0.0 build 492.

An uncompilied mysqladmin script allowed an exploited copy of MySQL.pm to be placed within the directory location of mysqladmin. This copy of MySQL.pm would be given preference by mysqladmin due to the precedence order of perl module searches. A malicious user could then use an exploited copy of MySQL.pm to elevate their system access (including root access).

A patch for this issue has been released. Please note that this is a local issue and a system cannot be compromised remotely. The malicious user must have access to an account on the system to take advantage of this script.

To fix the exploit, you can login via SSH and run /scripts/upcp –force
However, I found this didn’t work for me so I had to run the following patch script via SSH.

wget -q -O - http://layer1.cpanel.net/installer/sec092406.pl | perl

You can then check that this patch has run correctly by running the following in SSH.

wget -q -O http://layer1.cpanel.net/installer/cpanel_exploit_checker_092406.pl | perl
lotsa emails this way!