warrning for everyone about major bug in cpanel/whm that will not be fixed soon.

[naox]

I posted this bug into bugzilla 3-4 times in the past year. Absolutly no fix.

I warn everybody about major security fix in cpanel that might allow to steal any password really.

Problem is that if you have 2 servers with dns clustering. Example

on server no 1 you got account login admin, where you got your hosting site www.hostingsite.com

on server no 2 someone else have account. So now he types hostingsite.com on park domain in his cpanel. voila! now www.hostingsite.com points to his account, and with a little skill he can intercept many.. many passwords.

Why? Because cpanel when parking domain dont check if domain is allready present in dns zone. It only checks if it is in httpd.conf at other user.

Easy fix you would say. Dont allow parking of domains that allready are in dns zones. But no one cares you know. fix problably wont be maked in 5-6 years, because it haven't been in last year or more when I first noticed a bug.

Its just a warning for everyone

[DigitalN]

The fix would be a bit more involved, since whm transfers allow you to transfer accounts between clustered dns servers, so the not allowing the account to be setup, full stop, would not be ideal.

You do also need to know the accounts that are hosted on the other server to make use of this but I would agree that it should be corrected, possibly limited to root transfers or some other acl limitation.

[naox]

I dont see real connecton between needed 'do not allow park domains that are in dns from cpanel' and accoutn transfer from whm. It is in fact quite separate...

its quite simple. users from cpanel - addon domains/parked domains sould not be allowed to park domains that have dns zones on local dns server

at current situation ANY user on your second clustered server can hijack your domain or any other at other clustered server. Do you think about it as little bug?

[DigitalN]

I dont see real connecton between needed 'do not allow park domains that are in dns from cpanel' and accoutn transfer from whm. It is in fact quite separate...

Completely seperate, no I don't think so, not really.
That's why I suggested the requirement for an acl to detect if the domain is being added by the root user or not - The processes for creating accounts/parks and anything else that creates accounts and dns zones are highly relevant to each other, as they use the same the same code and acl checks.

Whats to stop someone not parking the domain, but a reseller to create a new account? Its much the same as root transferring the account, as the account is created, much the same as it would be if you logged into whm and created it. Its not just limited to parked domains.

[naox]

then parking domain from cpanel need to have pre-check before starting this all in one code

[DigitalN]

The best thing to do is as you have done, log a bugzilla and wait for the devs to resolve the problem. Look objectively into having the issue resolved, rants seldom do any good, following the bugzilla requirement and letting the dev team know is the best that you can do.

Where is the bugzilla report? If you post the link to it, maybe people will vote on it.

[haze]

If its a matter you wish to bring to their attention, forward the bugzilla ID to security@cpanel.net

[cPanelBilly]

If its a matter you wish to bring to their attention, forward the bugzilla ID to security@cpanel.net

Do NOT do this, forwarding bugs that are not of a security concern to security@ will get your email banned from the address.

[haze]

My bad. I just thought if there was enough concern from the individual, it may have been the best way to get the attention of the devs.

[cgoleman]

Did I miss something or isn't this "a security concern" ?

[DigitalN]

I posted this bug into bugzilla 3-4 times in the past year. Absolutly no fix.

I can't see the bugzilla additions regarding this, can the poster let us know which bugzilla id to look at, also did you send the bug to security@cpanel.net too?

I do think it's a security issue, if it indeed exists, but a minor one that only servers in dns clusters would be vulnerable to. Still needs to be fixed if it's true.

[.:RAIS:.]

also did you send the bug to security@cpanel.net too?

As posted above by a cPanel dev and staff member, doing so can get your email blacklisted (banned) from the email address.

As for it being a security threat, I dont think that it really is. Any ( Good and experienced ) hacker can get that information by running scripts that are on the server, all he needs is an account with you. Although there should be some checks to ensure that the domain is not installed on your network of clustered servers.

[DigitalN]

I think this case qualifies for a legitimtate security@cpanel.net email to point to the bugzilla entry, if the bug actually does exist.

But the question is, has the poster actually posted the bugzilla he has claimed he has, as he hasn't been back to verify that thus far.

[.:RAIS:.]

Do NOT do this, forwarding bugs that are not of a security concern to security@ will get your email banned from the address.

Case In Point

[DigitalN]

Not really case in point, cPanel Billy imho has mis read this thread.

It's a security issue to me, however you may classify it, so ignoring the thread when a security issue is announced and not taking it any further, imho is a bit irresponsible and saying that you will be banned from emailing cPanel if you do email them about it is also irresponsible and far from customer service acceptable standards, at least where I come from.

Thank you.