(www.copahost.com)
Seeing these CPanel hacks reminds me how old these codebases are and how many more vulnerabilities remain.
They cannot be that bad if they are managing to be the duct tape of the internet.
On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.
https://www.sentinelone.com/vulnerability-database/cve-2021-...
I think there are just a whole lot of tools written for them. So non devs can spin things up and click some things together.
Is that safe and secure? Maybe, if the devs did their work well. But I'm positive no one reads the docs on how to configure something securely.
I think the real reason is that it's very cheap to host, and always has been
Oh, it very much can be that bad. Most "security" relies on the Hungry Tiger Theory of Security(tm).
My system doesn't need to be "secure". My system simply needs to be more secure than yours. As long as there is an easier and/or more valuable target somewhere, I'm "secure". I don't need to outrun the hungry tiger; I only need to outrun you outrunning the hungry tiger.
That theory, of course, doesn't hold anymore when there are enough tigers to simply eat everybody. And that's what AI did; it multiplied the tigers enough that they can just gorge on everything.
Now, people are going to have to put in "actual security" or lose real money over and over and over. And since everybody has outsourced everything, nobody knows how to fix it quickly. The lawyers are going to have a field day.
At the end, however, we'll have real security on our internet facing systems. But man, it's going to be painful for a while.
As someone who pretty much exclusively uses debian, freebsd and openbsd for server OS work, I was also rather surprised recently to see the default web gui that comes on a new fedora install.
Keeps the server-side backend minimal and auditable.
Also walrus from old, old UBNT forum? If so, hello :)
That is a nugget, it's so true.
Wrappers in general are such an issue in software. Wrappers built on top of wrappers, this desire to abstract everything away makes things look simpler, but every layer slows things down and hides what is actually happening. Every wrapper is another layer of complexity, another hoop to jump through when you're looking for a solution to a problem.
He said he was worried but he had backups upon backups. I saw him restore a bunch of websites once, using cpanel, and I thought it was an amazing little bit of software with all of the click-a-button options to set up many different things (like WAF). A real time saver, and it provides some guidance if you are not a unix-internet guru.
Is there any specific LAMP web app(s) that has a very good history of not being hacked?
I can't think of any readily but I imagine someone here knows one or two.
Ever seen the upsell offers in the check-out workflow for hosting packages that come when you buy a new .com domain from any major registrar? All those are shared hosting packages where everything is done through some sort of web gui.
Coincidentally also PHP.
Now there's a name I haven't heard since the 2005 or so era.
How is that thing still around?
Next you're going to tell me people still run phpBB and vBulletin somewhere. And use FileZilla FTP. And manage their database with phpMyAdmin.
LAMP apps are frequently mentioned in RCE CVEs.