cPanel exploit - 09/23/06
Update - 09/26/06
New patch has been released:
A new thread has also been opened concerning this:
A cPanel exploit was discovered that apparently allows normal users to escalate their privileges. It is a local exploit, which means a user must first have an account, or be able to gain access to a cPanel account, before initiating it. cPanel developers have released a patch to temporarily prevent this, and from my understanding they are continuing to check over other pieces of code and a more robust patch may be released at a later time.
Administrators are encouraged to update cPanel by running:
on their servers. This will apply patches to the affected system.
Also, a script has been written by Nick from cPanel that checks to ensure that your system is patched against this. The script can be downloaded from the thread at:
Or, I have made this script locally available at:
To run the script, just download the script to your server and run it with perl:
More information concerning this exploit is available at the cPanel forums: