This document explains how to patch your H-Sphere Winbox to prevent
disclosure of security related information in the log files.
The update can be applied to:
- H-Sphere 2.4.2 Patch 4
- H-Sphere 2.4.3 RC 1
If your H-Sphere version is older, update it to any of the mentioned versions.
In this case skip the following procedures as new updates to any of the two versions already include the fix.
- Make sure your H-Sphere Windows module has version
2.4.2 Patch 4 or H-Sphere 2.4.3 RC 1.
Open the file [Disk]:\\HSphere\scripts\consts.inc and check the parameters.
- Open SOAP port 10125 for data communication between Control Panel and Windows server.
Important: if you're using Serv-U FTP service, make sure to disable SOAP feature in the
on the Control Panel box. Currently, H-Sphere with Serv-U installed doesn't support SOAP.
- Update your Webshell to version 4 if you have an older version.
- Run the .exe file you have downloaded to update H-Sphere Winbox with the security patch.
- After the H-Sphere upgrade, IIS will still run some modules of earlier versions.
whenever it is convenient to ensure you run the updated modules.
- Optionally, install Pdb package for this Winbox version to log H-Sphere module's source information for crash reporting.
Download the self-extracted archive:
to the <H-Sphere dir>\pdb directory and extract the files there.
Read more in Crash Reporting.
- Contact support and inform us about the upgrade.
This is required to get appropriate support from PSoft.
Special thanks to Donnie Werner of
exploitlabs.com for finding this
vulnerability and notifying us!