H-Sphere Winbox Security Update 2 For H-Sphere 2.4.2 Patch 4 and 2.4.3 RC 1



06 May 2005

This document explains how to patch your H-Sphere Winbox for the following H-Sphere versions:

  • H-Sphere 2.4.2 Patch 4
  • H-Sphere 2.4.3 RC 1

Important: Security Update 2 is also required for those who have updated H-Sphere Windows boxes with Security Update 1!

Security Update 2 fixes an XSS vulnerability in the E-Guest preinstalled guest book.

Requirements:

  1. Make sure your H-Sphere Windows module has version 2.4.2 Patch 4 or H-Sphere 2.4.3 RC 1.
    Open the file [Disk]:\HSphere\scripts\consts.inc and check the parameters.
    Note: If the version is older, update it to any of the mentioned versions. In this case, skip the following procedures, as new updates to these versions already include the fix.
  2. Open SOAP port 10125 for data communication between Control Panel and Windows server.
  3. Important: if you're using the Serv-U FTP service, make sure to disable the SOAP feature in the hsphere.properties file on the Control Panel box. Currently, H-Sphere with Serv-U installed doesn't support SOAP.

Upgrade:

  1. Update your Webshell to version 4 if you have an older version.
  2. Download:
  3. Run the .exe file you have downloaded to update H-Sphere Winbox with the security patch.
  4. After the H-Sphere upgrade, IIS will still run some modules of earlier versions. Restart IIS whenever it is convenient to ensure you run the updated modules.
  5. Optionally, install the Pdb package for this Winbox version to log H-Sphere module's source information for crash reporting. Download the self-extracting archive: to the <H-Sphere dir>\pdb directory and extract the files there. Read more in Crash Reporting.
  6. Contact support and inform us about the upgrade. This is required to get appropriate support from PSoft.

Special thanks to Donnie Werner of exploitlabs.com for finding this vulnerability and notifying us.



Copyright 1998-2008. Positive Software Corporation.
All rights reserved.