H-Sphere Versions H-Sphere Winbox Security Update 1 For H-Sphere 2.4.2 Patch 4 and 2.4.3 RC 1

05 May

This document explains how to patch your H-Sphere Winbox to prevent disclosure of security related information in the log files.
The update can be applied to:

  • H-Sphere 2.4.2 Patch 4
  • H-Sphere 2.4.3 RC 1

If your H-Sphere version is older, update it to any of the mentioned versions. In this case skip the following procedures as new updates to any of the two versions already include the fix.


  1. Make sure your H-Sphere Windows module has version 2.4.2 Patch 4 or H-Sphere 2.4.3 RC 1.
    Open the file [Disk]:\\HSphere\scripts\consts.inc and check the parameters.
  2. Open SOAP port 10125 for data communication between Control Panel and Windows server.
  3. Important: if you're using Serv-U FTP service, make sure to disable SOAP feature in the hsphere.properties file on the Control Panel box. Currently, H-Sphere with Serv-U installed doesn't support SOAP.


  1. Update your Webshell to version 4 if you have an older version.
  2. Download:
  3. Run the .exe file you have downloaded to update H-Sphere Winbox with the security patch.
  4. After the H-Sphere upgrade, IIS will still run some modules of earlier versions. Restart IIS whenever it is convenient to ensure you run the updated modules.
  5. Optionally, install Pdb package for this Winbox version to log H-Sphere module's source information for crash reporting. Download the self-extracted archive: to the <H-Sphere dir>\pdb directory and extract the files there. Read more in Crash Reporting.
  6. Contact support and inform us about the upgrade. This is required to get appropriate support from PSoft.

Special thanks to Donnie Werner of exploitlabs.com for finding this vulnerability and notifying us!

Home   Products   Services   Partners   Support   News   Contact   Forum
© 2020 psoft.net
All rights reserved.