Wow, similar sentiments about this being a throw back. I’d rather roll my own almost everything these days, may not be as good, but certainly won’t be targeted exploited broadly.
I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.
These PHP systems be it cPanel, wordpress or PHP itself are most likely the biggest target besides windows. It's incredibly uncool stack especially here but it is running most of the "independent" small web.
They cannot be that bad if they are managing to be ductape of the internet.
I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.
On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.
The concept of a GUI wrapper on top of the Linux ecosystem is what's broken.
Not because of a fundamental limitation of that architecture, but because in practice the type of people that will use it do not want to learn or develop the necessary skills to administer it, and critical information like man pages and parameter lists are hidden.
As someone who pretty much exclusively uses debian, freebsd and openbsd for server OS work, I was also rather surprised recently to see the default web gui that comes on a new fedora install.
Of course is the architecture and the creator of such a thing, isn’t the point of a tool like that for users that don’t have the tech knowledge? I have only used those systems on shared hosting, host providers are the one maintaining and should be keeping them up to date and WHM/Cpnel have plenty of customers to worry too patch holes, if they can’t then who’s fault is it, Architecture, or provider? Hope is the customers fault?
CPanel and hosters who use them are in big trouble now; there are millions of servers running them, many of them for decades. Their clients can run code as an user without much sandboxing/guardrails at all.
I highly doubt that. It's giant market and with these custom small sites made by third parties you actually want to have client owned hosting and third parties who deploy to that hosting. Clients have learned to separate these otherwise the third party can have huge leverage (your business and all data is ours).
There are a lot of things that have been up for decades. The ROI on moving a simple PHP or static website to new hosting situation hasn’t been that compelling… though that could change. Thing is, I suspect most users of shared hosting which is Cpanel’s bread and butter are not reading the latest cybersecurity news.
Facebook started out PHP; but they ship-of-theseus'ed it into Hack by replacing the standard library, the language, and the runtime engine, so now it's a totally different thing with only a few superficial similarities (FWIW IMO Hack is much better than PHP, I'm sad that it never gained traction...)
Seeing these CPanel hacks remind me how old these codebases are and how much more vulnerability remain
They cannot be that bad if they are managing to be ductape of the internet.
On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.
I think there are just a whole lot of tools written for them. So non devs can spin things up and click some things together.
Is that safe and secure? Maybe, if the devs did their work well. But I'm positive no one reads the docs on how to configure something securely.
I think the real reason is that it's very cheap to host, and always has been
Not because of a fundamental limitation of that architecture, but because in practice the type of people that will use it do not want to learn or develop the necessary skills to administer it, and critical information like man pages and parameter lists are hidden.
You can't take shortcuts without consequences.
As someone who pretty much exclusively uses debian, freebsd and openbsd for server OS work, I was also rather surprised recently to see the default web gui that comes on a new fedora install.
https://cockpit-project.org/
Coincidentally also PHP.