This document explains how to patch your H-Sphere Winbox for the following H-Sphere versions:
- H-Sphere 2.4.2 Patch 4
- H-Sphere 2.4.3 RC 1
Important: It is also required for those who have updated H-Sphere Windows boxes with
Security Update 1
Security Update 2 fixes XSS vulnerability in the E-Guest preinstalled guest book.
- Make sure your H-Sphere Windows module has version
2.4.2 Patch 4 or H-Sphere 2.4.3 RC 1.
Open the file [Disk]:\\HSphere\scripts\consts.inc and check the parameters.
Note: If the version is older, update it to any of the mentioned versions.
In this case skip the following procedures as new updates to these versions
already include the fix.
- Open SOAP port 10125 for data communication between Control Panel and Windows server.
Important: if you're using Serv-U FTP service, make sure to disable SOAP feature in the
on the Control Panel box. Currently, H-Sphere with Serv-U installed doesn't support SOAP.
- Update your Webshell to version 4 if you have an older version.
- Run the .exe file you have downloaded to update H-Sphere Winbox with the security patch.
- After the H-Sphere upgrade, IIS will still run some modules of earlier versions.
whenever it is convenient to ensure you run the updated modules.
- Optionally, install Pdb package for this Winbox version to log H-Sphere module's source information for crash reporting.
Download the self-extracted archive:
to the <H-Sphere dir>\pdb directory and extract the files there.
Read more in Crash Reporting.
- Contact support and inform us about the upgrade.
This is required to get appropriate support from PSoft.
Special thanks to Donnie Werner of
exploitlabs.com for finding this
vulnerability and notifying us.