Integration Help - Accessing cPanel over HTTP

[aarondwyer]

Hi all

Looking for some advice here to get my Adobe AIR application integrated with cPanel servers that have the XSRF options turned on in Tweak Settings.

Some background...

My application takes automated backups from the backup page of cPanel. Home DIR and databases are downloaded on a schedule to the users local drive.

It does this via HTTP and goes to the backup page / parses what's on there and downloads the files off the backup page as needed.

Correct me if I'm wrong, but I don't believe cPanel offers API access to the backup page so I've had to do it this way. I know it's ugly.

Now this works fine. However if a user has the new XSRF options in Tweak settings enabled, my application fails to get HTTP access ending in a 401 error.

How can fix this.?

Found this page...

cPanel 11.25 changes that will affect integrated software - cPanel Integration

But I'm still not sure what I should be doing.

Any advice is warmly welcomed, since I don't know what to look for.

Thanks
Aaron

[cPanelDavidN]

Hi Aaron,

Sounds like a very useful application!

I'm not very familiar with AIR's implementation of HTTP requests, so I can't provide any specific help there. However, I've done something similar in the past with cURL (a commandline utility for fetching remote data, ie. webpages and the like).

Additionally, I'm not 100% on the implementation of the anti-XSRF and how it behaves towards requests made via AIR. But this is what I suggest:

1) alter you application so that after authentication is made you can recall any information about the first served page.

Once you authenticate with this Tweak Setting turned on, all authenticated page access is served with a pseudo relative URL. That is, URL rewriting is taking place and a check is made on the backend. Your application will need to be aware of the URL of the server page. ex:
you tell AIR to log into

Code:

http://mywhmdomain.com:2086/

you'll be returned something like this:

Code:

http://10.1.5.150:2086/cpsess1995009803/?post_login=62080613500004

AIR needs the cpsessXXXXXXX part. Say you what to navigate to the Tweak Settings page:

Code:

http://mywhmdomain.com:2086/cpsess1995009803/scripts2/tweaksettings

The cpsessXXXXXXXXX is what we're after. This is your 'token' you must prepend that to any page request for the rest of this authenticated session.

This works the same for cPanel and WHM interfaces.

2) You made need to also keep track of the referring page too. When an http request is made, usually the request header has the previous page's URL (if you're clicking through or submitting information, not direct URL query). Some security mechanizes will check this. I'm not sure about cPanel's anti-XSRF. If so, then your AIR's HTTP request header will need to contain this information too.

Hope this helps point you in the right direction.
-Dave

[sawbuck]

Hi Aaron,
Sounds like a very useful application!

It certainly is.

Thank you Dave for responding to this request.

[aarondwyer]

Thanks for your advice.

Yes that helps and makes sense, I'll investigate that.

This will fix some of my users issues with servers that have XSRF settings enabled.

If you are interested it's called Backup Smart http://backup-smart.com (there is a trial version).

Aaron

[aarondwyer]

Hi guys

My AIR application handles cpsessions / referrer and is treated just like another browser type.

I've checked over everything and this now appears to be the one tweak setting that I need to address.

Skip HTTP Authentication

"Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.) This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials."

I have cookies set to enabled within AIR so perhaps I just need to fill out the web form that displays on the cPanel login page, which shows if you cancel the login popup when HTTP authentication is enabled.

Then cPanel will drop the cookie(s) required and the app will be all ok.

Aaron