I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.
These PHP systems be it cPanel, wordpress or PHP itself are most likely the biggest target besides windows. It's incredibly uncool stack especially here but it is running most of the "independent" small web.
They cannot be that bad if they are managing to be ductape of the internet.
I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.
On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.
The concept of a GUI wrapper on top of the Linux ecosystem is what's broken.
Not because of a fundamental limitation of that architecture, but because in practice the type of people that will use it do not want to learn or develop the necessary skills to administer it, and critical information like man pages and parameter lists are hidden.
Of course is the architecture and the creator of such a thing, isn’t the point of a tool like that for users that don’t have the tech knowledge? I have only used those systems on shared hosting, host providers are the one maintaining and should be keeping them up to date and WHM/Cpnel have plenty of customers to worry too patch holes, if they can’t then who’s fault is it, Architecture, or provider? Hope is the customers fault?
CPanel and hosters who use them are in big trouble now; there are millions of servers running them, many of them for decades. Their clients can run code as an user without much sandboxing/guardrails at all.
I highly doubt that. It's giant market and with these custom small sites made by third parties you actually want to have client owned hosting and third parties who deploy to that hosting. Clients have learned to separate these otherwise the third party can have huge leverage (your business and all data is ours).
There are a lot of things that have been up for decades. The ROI on moving a simple PHP or static website to new hosting situation hasn’t been that compelling… though that could change. Thing is, I suspect most users of shared hosting which is Cpanel’s bread and butter are not reading the latest cybersecurity news.
Facebook started out PHP; but they ship-of-theseus'ed it into Hack by replacing the standard library, the language, and the runtime engine, so now it's a totally different thing with only a few superficial similarities (FWIW IMO Hack is much better than PHP, I'm sad that it never gained traction...)
Ages ago I used php-nuke to manage my forum and it got hacked and I thought it would get taken seriously
Seeing these CPanel hacks remind me how old these codebases are and how much more vulnerability remain
I don't agree that "old" necessarily implies vulnerability.
I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.
These PHP systems be it cPanel, wordpress or PHP itself are most likely the biggest target besides windows. It's incredibly uncool stack especially here but it is running most of the "independent" small web.
They cannot be that bad if they are managing to be ductape of the internet.
> They cannot be that bad if they are managing to be ductape of the internet.
I think there are just a whole lot of tools written for them. So non devs can spin things up and click some things together.
Is that safe and secure? Maybe, if the devs did their work well. But I'm positive no one reads the docs on how to configure something securely.
I think the real reason is that it's very cheap to host, and always has been
I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.
On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.
How does that follow?
They have a big target on their back so the low hanging fruit is (mostly) gone.
cPanel is Perl.
The concept of a GUI wrapper on top of the Linux ecosystem is what's broken.
Not because of a fundamental limitation of that architecture, but because in practice the type of people that will use it do not want to learn or develop the necessary skills to administer it, and critical information like man pages and parameter lists are hidden.
You can't take shortcuts without consequences.
Of course is the architecture and the creator of such a thing, isn’t the point of a tool like that for users that don’t have the tech knowledge? I have only used those systems on shared hosting, host providers are the one maintaining and should be keeping them up to date and WHM/Cpnel have plenty of customers to worry too patch holes, if they can’t then who’s fault is it, Architecture, or provider? Hope is the customers fault?
CPanel and hosters who use them are in big trouble now; there are millions of servers running them, many of them for decades. Their clients can run code as an user without much sandboxing/guardrails at all.
Such a different era.
If you look at the usage numbers, you could argue we are still in that era.
I miss this era, we overcomplicated everything
People are still using cpanel?
Most shared hosting plans use cpanel. It's still widely used yes for a lot of smaller websites.
And even if it doesn’t look like it chances are it still is with a fancier ui on top.
I wonder how much shared hosting is there really left, I imagine much of it move to VPS or cheap cloud boxes.
I highly doubt that. It's giant market and with these custom small sites made by third parties you actually want to have client owned hosting and third parties who deploy to that hosting. Clients have learned to separate these otherwise the third party can have huge leverage (your business and all data is ours).
There are a lot of things that have been up for decades. The ROI on moving a simple PHP or static website to new hosting situation hasn’t been that compelling… though that could change. Thing is, I suspect most users of shared hosting which is Cpanel’s bread and butter are not reading the latest cybersecurity news.
The ROI has just increased by like 10x or 100x this week.
CPanel on shared hosting running WordPress PHP is literally half of the entire internet still.
And if it's not cpanel, it's Plesk
Half of the entire internet is Meta properties.
That’s the other half.
Coincidentally also PHP.
Facebook started out PHP; but they ship-of-theseus'ed it into Hack by replacing the standard library, the language, and the runtime engine, so now it's a totally different thing with only a few superficial similarities (FWIW IMO Hack is much better than PHP, I'm sad that it never gained traction...)
Much of what was good in Hack just got rolled into PHP.