There exists an easy method to read any file with permissions 644 from a user's home directory by creating a symbolic link to the file. We have confirmed this on a server running php as mod_fcgid. All user homedirs and files are owned by the appropriate user, and all php scripts are executed under this user. The same breach can be accomplished on a mod_php server as well. This is important because any user on a cpanel server can easily read other user config files and acquire database passwords and other sensitive data.

One possible fix is to make file permissions in each user homedir 600. A better way would be to add

Code:
<Directory "/">
    Options All
    Options -FollowSymLinks
    Options +SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

to /usr/local/apache/conf/includes/pre_virtualhost_2.conf

How to test if your server is vulnerable

Let's have two accounts: attack account and victim account.

1. In attack account create directory public_html/fakesymlink with appropriate permissions.
2. In attack account save http://seo.r1servers.com/symlink.txt as public_html/symlink.php.
3. Find out what other users are on the server by reading /etc/passwd (can be done by opening the file from any php script) and choose the victim account.
4. In symlink.php enter the path to the victim's index.php: /home/victim-account/public_html/index.php
5. Now read the file in apache.
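As an added example (not part of the post above, and not a cPanel or Apache tool), here is a small audit script a server administrator can run to detect the condition the post describes: symlinks inside one account's home that resolve to files outside that home, or to files owned by a different uid. It assumes a /home/<user> layout and builds a constructed sample tree in a temporary directory so it can be run offline; on a real server pass the real homes root instead.

```python
import os
import tempfile
from pathlib import Path


def find_cross_home_symlinks(homes_root):
    """Scan every home directory under homes_root and return a list of
    (link_path, target_path, reason) for symlinks that point outside the
    owning home directory or at a file owned by a different uid.

    Symlinked directories are reported but not descended into, so a link
    loop cannot make the walk run forever."""
    homes_root = Path(homes_root).resolve()
    findings = []
    for home in sorted(p for p in homes_root.iterdir() if p.is_dir()):
        for dirpath, dirnames, filenames in os.walk(home):  # followlinks=False
            for name in dirnames + filenames:
                link = Path(dirpath) / name
                if not link.is_symlink():
                    continue
                try:
                    target = link.resolve(strict=True)
                except (FileNotFoundError, RuntimeError):
                    continue  # dangling or looping link: nothing readable through it
                reasons = []
                # Condition 1: the link escapes the account's own home directory.
                if target != home and home not in target.parents:
                    reasons.append("target outside %s" % home)
                # Condition 2: the link owner is not the target owner (this is the
                # check SymLinksIfOwnerMatch enforces at request time in Apache).
                link_uid = link.lstat().st_uid
                target_uid = target.stat().st_uid
                if link_uid != target_uid:
                    reasons.append("link uid %d != target uid %d" % (link_uid, target_uid))
                if reasons:
                    findings.append((str(link), str(target), "; ".join(reasons)))
    return findings


def build_sample():
    """Constructed sample (hypothetical accounts 'attacker' and 'victim'):
    one symlink crossing into another home, one harmless in-home symlink."""
    root = Path(tempfile.mkdtemp(prefix="homes-"))
    victim_index = root / "victim" / "public_html" / "index.php"
    victim_index.parent.mkdir(parents=True)
    victim_index.write_text("<?php $db_password = 'constructed-sample'; ?>\n")
    victim_index.chmod(0o644)

    attacker_html = root / "attacker" / "public_html"
    (attacker_html / "fakesymlink").mkdir(parents=True)
    (attacker_html / "own.txt").write_text("my own file\n")
    # cross-home link: this is what the audit should report
    os.symlink(victim_index, attacker_html / "fakesymlink" / "index.php")
    # in-home link to the account's own file: should not be reported
    os.symlink(attacker_html / "own.txt", attacker_html / "alias.txt")
    return str(root)


if __name__ == "__main__":
    for link, target, reason in find_cross_home_symlinks(build_sample()):
        print("%s -> %s (%s)" % (link, target, reason))
```

Run it as root over the real homes root (for example `find_cross_home_symlinks("/home")`) after applying the Apache fix: the config change stops Apache from following the links, and the audit shows which accounts had already planted them so those accounts can be reviewed and affected users told to rotate the credentials in the exposed files.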