This is cPanel's full response to David Collins:
> Hello and thank you again for reporting this security issue to
> cPanel. We appreciate your interest in helping secure the shared
> hosting environment.
>
> cPanel attempts to deliver a default configuration that suits the
> majority of our customers. cPanel makes every attempt to provide
> straightforward interfaces that allow server administrators to
> configure their hosting platform to serve the needs of their end
Apache implementation directory traversal and sensitive file disclosure in Shared Hosting environment.
Chris Dixon and David Ibarra of the Hostgator.com Support Team discovered a severe vulnerability in several large-scale
"pre-packaged" Apache implementations, such as cPanel, which allows a user to traverse directories and view any file that is
readable by the web server. Our proof of concept demonstrates exploitation via a symlink in a chrooted jailed shell. This can be disabled by enabling the
SymLinksIfOwnerMatch option in Apache; however, you must also change the default AllowOverride options. We also provide an Apache patch,
which can be implemented directly via an easyapache hook, in order to disallow the following of symlinks by anyone other than their owners.
cPanel developers were notified of this vulnerability and given time to hotfix the issue.
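
The two settings named above have to be checked together, because an AllowOverride that permits Options lets a user's .htaccess switch FollowSymLinks back on. The following is an added example (not part of the original advisory or of cPanel's code) that audits `<Directory>` blocks for both conditions; the function name, sample paths and configuration text are constructed for illustration.

```python
import re

# Constructed sample vhost configuration (not from any real server).
SAMPLE_CONF = """\
<Directory "/home/*/public_html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/srv/hardened">
    Options -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Options=Indexes,MultiViews
</Directory>
"""

# Option tokens that make Apache follow symlinks without an owner check.
FOLLOW = {"followsymlinks", "+followsymlinks", "all"}

def audit_symlink_policy(conf_text):
    """Map each <Directory> path to a list of symlink-policy findings.

    Simplification (assumption): only directives written inside a block are
    examined; inheritance from parent directories is not modelled.
    """
    findings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
            findings[current] = []
        elif re.match(r"</Directory\s*>", line, re.I):
            current = None
        elif current is not None:
            directive, *args = line.lower().split()
            if directive == "options" and FOLLOW & set(args):
                findings[current].append("Options follows symlinks regardless of owner")
            elif directive == "allowoverride":
                for arg in args:
                    # "Options=a,b" restricts which options .htaccess may set.
                    allowed = arg.split("=", 1)[1].split(",") if "=" in arg else []
                    if arg in ("all", "options") or FOLLOW & set(allowed):
                        findings[current].append(
                            ".htaccess may re-enable FollowSymLinks via " + arg)
    return findings

if __name__ == "__main__":
    for path, issues in audit_symlink_policy(SAMPLE_CONF).items():
        print(path, "->", issues or "ok")
```

Apache's documentation notes that the SymLinksIfOwnerMatch check is subject to race conditions, so a clean result here narrows exposure rather than proving the traversal is closed.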
VI. BUSINESS IMPACT
-------------------------
The Local PHP File Inclusion vulnerability can be especially dangerous
in a shared hosting environment. Even if the server has been configured
to prevent users from reading each other's document roots (web
server/PHP process running in the context of the site's owner), an
attacker who has an account on the same server as the targeted site
could use the vulnerability to