When “Just Input Sanitization” Means Remote Code Execution

On April 28, 2026, cPanel disclosed CVE-2026-41940, an authentication bypass affecting nearly every supported version of cPanel and WHM. The bug let an unauthenticated remote attacker forge a fully privileged WHM session by exploiting how the server wrote certain HTTP-derived metadata into its session files. The fix went out quickly, and backports reached an unusually wide range of older releases. Hosts around the world spent that day blocking ports, killing proxy domains, and refreshing the cPanel advisory page as it updated by the minute.

This isn’t a post about that specific bug. The bug got fixed, and the cPanel security team did the work quickly. What I want to write about is something I started noticing during and after that incident: the gap between what serious vulnerabilities actually do and how vendors describe them in public.

A note on names. cPanel has been owned by WebPros since 2018. When I refer to WebPros in this post, I mean the company as a whole. When I refer to the cPanel team, I mean the people doing the day-to-day technical work on the product. Same company, not always the same decisions. The technical work I have seen from the cPanel side has generally been good, and the April 28 response was fast and competent. My criticism here is aimed at policy: public vulnerability classification, disclosure handling, and whether published bug bounty programs are applied consistently.

There’s a pattern in vulnerability disclosure that doesn’t get enough attention. A researcher reports a serious bug. The vendor accepts the report, patches it, and then publishes an advisory that describes the issue in language so deflated you’d never know what was actually fixed. A remote code execution vulnerability becomes “an input validation issue.” A privilege escalation becomes “improper access control.” A pre-auth exploit chain becomes “a hardening improvement.”

The bug gets fixed. That part is good. But the way it gets described to the public matters too.


CloudMark / CloudFilter.net – Filtering Legitimate Messages and providing no FBL or JMRP.

The current issue.

Over the last few months, the company I work for has been having issues with a company called “CloudMark” blocking legitimate messages that our users send to CloudMark's clients. This has caused emails sent to AT&T, T-Mobile, COX Cable, and others to fail. While I’m happy for CloudMark to have expanded and acquired all of these large ISP customers, it hasn’t been a good experience for other service providers trying to reach users protected by CloudMark.

Our clients are having issues sending legitimate email messages to people at AT&T, T-Mobile, COX, and a few others, and we’ve had zero luck working with CloudMark to resolve the issue permanently. While we have managed to get them to unblock us a couple of times, we haven’t had any luck getting any details so we can cure the source instead of putting a bandage over the symptom.


Trustpilot Content Integrity Team doesn’t know what a “reach around” is.

We received the following obviously fake review:

I will warn you: this paragraph describes an obscene sexual act, for those who may not know what a “reach around” is. If you don’t want to read the description, skip to the next paragraph. A “reach around”, in the context of this “review”, is when one man masturbates another man while performing anal intercourse with him. This is inherently obscene, no?

You would imagine that someone responsible for reviewing reports of obscene reviews at Trustpilot would be aware or at least spend the 10 seconds it would take to research the term.

It seems that Trustpilot’s Content Integrity Team doesn’t understand this and has informed me, after flagging this review, that it is in fact not obscene. I wonder how over-worked and under-paid Trustpilot Content Integrity Team members are.

It is absolutely terrifying that the people employed to review flagged content, particularly content flagged as obscene, do not understand what they are reviewing well enough to make an appropriate decision in this situation.

Come on Trustpilot, you can do better. Your failure to handle this properly is, in and of itself, obscene.


A word of warning about Trustpilot Automatic Invitations

If you are allowing Trustpilot to invite your users to submit reviews, you need to be very careful about who Trustpilot sends those invitations to and how. The company that I work for uses Trustpilot to collect reviews from customers, and recently an individual who wasn’t a customer and had no experience using our services mistakenly received an invite from Trustpilot. Technically speaking, this invitation was sent due to a minor mistake on our end, and that’s one of the main reasons I want to provide this warning: so that you do not make the same mistake.

Trustpilot for a time allowed you to simply send a link to a form to invite customers to write reviews. For a few years this worked fine, until they decided that they wanted to handle the review invitations themselves. Somehow they believe that sending the invitation themselves, instead of letting you send it, adds legitimacy to the reviews. We actually had a warning on our Trustpilot page for a while after this change stating that our reviews may not be legitimate due to our use of manual invitations [i.e. links in our email signatures, new order confirmation emails, etc.].


Don’t trust Gravely with your money.

You might have read my post about the issue I had with my Gravely Pro-Turn Z 52″ Mower. In the end they offered to send me a hat as compensation for the matter. I asked for a small bottle of touch-up-paint and to my surprise they sent the paint but not the hat.

Well to be honest I wasn’t entirely happy with my experience so I left an honest review of the machine as well as my experience on their site. Here’s an image of the review:


WHMCS – Half Implementing Features since 2007

I’ve been using WHMCS as a billing and support platform for web hosting since 2007, for over 13 years now, and as near as I can tell WHMCS was founded in 2005. There have been issues over the years where there was unexpected behavior, or unexpected changes during upgrades, but every software vendor is going to roll out a bug here or there. Even companies with the best quality assurance and testing are bound to have something slip by, and I understand this.

While I do not, and never have, expected perfection, and I do understand that bugs can happen, sometimes feature implementation is just poor at best, or processes are not well thought out and planned. The most recent instance of this that has caused me problems is Premium Domain Support in WHMCS. This feature was added to WHMCS in version 7.1, which was released over 4 years ago.


WebHostingTalk.com – Where you can break the rules without breaking the rules.

I have been a member at WebHostingTalk.com, or WHT for short, since December of 2007. I can’t say that I haven’t run afoul of their rules on several occasions since then, because I most certainly have. Although I have always personally done my best to make sure I understood and followed the rules, there have still been situations where I have mistakenly broken them.

In the situations where I accidentally broke a rule, it was always very helpful to be able to discuss the incident with the moderation staff in order to get a clearer understanding of what I did wrong and how to avoid it in the future. I’m human and by nature fallible; I will make mistakes; I am not perfect. What is important is that I am able to learn from my mistakes to avoid making them again in the future.


The Small Business Administration – The Disaster during The Covid-19 Disaster


I’ll start by saying that the company I own and operate has been in business since late 2007. In nearly 13 years of being in business we have never applied for funding through the SBA or anywhere else, as we didn’t need it. Personally, I absolutely hate owing money, be it to a person or to an organization.

I have heard from other business owners that working with the Small Business Administration, or the SBA for short, isn’t easy, and that even if you qualify you’ve got a 50% chance of approval. I do know a few small businesses that have SBA loans for business property.


AT&T Business Internet [u-Verse] – Slow to replace lightning-damaged equipment

At the office where I work, unfortunately, there are no fiber optic options. Before we signed the lease we reached out to the local ISP that provides fiber connections for our area and confirmed that they serviced the location we were looking at leasing. The ISP told us they did service our building, and we didn’t find out until after we signed our lease and arranged to set up service that they do not actually service this location. Sadly enough, the only option we have here is AT&T vDSL [AT&T uVerse Business Internet DSL].

We experienced some pretty intense storms today and this evening, including several very close lightning strikes. At least a couple of strikes were within several hundred feet of our office, and one of them managed to take out our AT&T uVerse DSL Modem. Given that AT&T has numerous corporate stores within a short driving distance, I really didn’t imagine getting this damaged equipment replaced would be an issue.


If you want to show somebody you love them – avoid 1-800-Flowers.com

Depending on how well you know me, you may be aware of my aversion to talking on the phone. It’s not so much that I hate talking on the phone as that I hate how it totally destroys my ability to multi-task. When I am working I will be handling a dozen or two different tasks at once on my computer without issue, but the second I’m on the phone that all goes out the window.

Generally, if I want to look into something or accomplish something, I’ll find a way to do it via my computer, which I can do without putting everything else I’m working on on complete hold. Realistically, I should have taken the time to find a local florist and called them up to arrange for the delivery of some flowers for my wife. I instead went to “1-800-Flowers.com” to see if they could deliver today, and they could!
