Hacker News

The Internet Is Falling Down- CPanel/WHM Authentication Bypass CVE-2026-41940

41 points by zikani_03 4 hours ago | 13 comments

superasn 41 minutes ago

Everytime I read one of these it always boils down to the same thing..Don't solve solved problems. And the best code in this case is code you didn't write as PHP's session handler is battle-tested but every line you write to roll your own is a line you have to secure, maintain, and eventually patch at 2am when someone finds the bug.

Session handling, auth, crypto, password hashing etc - all these are the exact areas where you should be the most allergic to rolling your own. Not because you're not smart enough, but because a simple bug like sanitizing in the wrong place and the failure is catastrophic like in this instance.

Use boring, proven, widely-audited solutions. Save your creativity for the actual problem you're solving.

bananamogul 30 minutes ago

“And the best code in this case is code you didn't write as PHP's session handler is battle-tested”

cPanel is written in perl.

ryandrake 32 minutes ago

I don't even know why you'd want to re-implement this stuff, too. It's not exciting or sexy work. It's like time parsing, time zone handling, leap years... Why would you want to inflict that on yourself? You will 100% not handle every edge case, and you will 100% get time and time zone handling bugs.

shawnz 10 minutes ago

cPanel is 30 years old, are you saying it's not battle tested, boring, proven, and widely audited?

In fact PHP is only a few months older than it.

yabones 39 minutes ago

Oooooh that's really bad. Wordpress on Cpanel sites is like the Dark Matter of the internet, it's everywhere and you don't see it until something bad happens. Libations for the sysadmins patching & cleaning up this mess.

Loudergood 36 minutes ago

That's gonna pair really well with this.

https://copy.fail

yunnpp 29 minutes ago

Why? This one gives you a root shell directly, no need for an LPE.

debo_ 2 hours ago

I wonder how much of the web still runs on perl. I miss it sometimes.

mushufasa 40 minutes ago

I used to help nonprofits and small businesses build websites. Process always went like 1. buy domain, 2. buy a shared hosting provider that one-click-installs Wordpress, 3. use a theme to begin editing the website. Often, I would also use the email included with that hosting provider for the firm.

ALL of that goes through cpanel, for every shared hosting provider I can ever remember using. Even if the stuff happening on those servers didn't use perl, cpanel itself -- the admin of everything provided for that domain by the hosting provider -- it's a huge surface area.

ls612 20 minutes ago

Something that is starting to concern me with the flood of cyber chaos in the past couple of months is my homelab. Currently I do not have it set up to be accessible outside the local network and then add it and all my other devices to my tailnet to facilitate remote access (via an exit node on my local network). On top of that TrueNAS doesn't seem to have the best update cadence so I'm worried about having a system with known vulnerabilities only protected by not being accessible remotely in theory.

ChrisArchitect 29 minutes ago

Earlier: https://news.ycombinator.com/item?id=47967974

mushufasa 42 minutes ago

Oh dear.

0xbadcafebee 2 hours ago

Y'know what would help protect those internet buildings from falling on people? A software building code