The Community Forums

Interact with an entire community of cPanel & WHM users!

AVOID to provide cpanel demo !!!

Discussion in 'General Discussion' started by Radio_Head, Feb 17, 2003.

  1. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    I don't know if the problem still exists on cPanel 6.x; however, if you are providing a cPanel 5.x demo, remove it ASAP!

    If you have a cPanel demo you are at serious risk.

    Of course, if you have a dedicated server only for the cPanel demo, you should not have great problems ;)
     
  2. awsol

    awsol cPanel Test Bitch

    Joined:
    Feb 8, 2002
    Messages:
    591
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Boston MA
    And what is the problem with it??
     
  3. Radio_Head

    Radio_Head Well-Known Member

    Originally posted by awsol:
    > And what is the problem with it??

    Tons of problems!!!
     
  4. awsol

    awsol cPanel Test Bitch

    Well list them already. They can't be fixed if nobody knows what they are.
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Possibility to create FTP accounts ... (even if apparently denied in cPanel, a hacker is able to create them)
    Possibility to install FrontPage extensions ... (even if apparently denied in cPanel, a hacker is able to install them)
    Rootkit installation problems ...
    MySQL problems ...

    Avoid turning it on if you want to stay safer.

    (Also, the problem described by Dgbaker http://forums.cpanel.net/read.php?TID=7421 was 99% caused by the cPanel demo.)
     
  6. awsol

    awsol cPanel Test Bitch

    Why would frontpage extensions be a problem?

    Let me explain how I do it. I just terminate the account and recreate it every few days. This wipes out anything somebody does and starts fresh. I've had people upload porn and everything. It's part of having a demo so they can see how it works. Static pages are garbage because the user doesn't get the exact feel.
     
  7. Radio_Head

    Radio_Head Well-Known Member

    Originally posted by awsol:
    > Why would frontpage extensions be a problem?
    >
    > Let me explain how I do it. I just terminate the account and recreate it every few days. This wipes out anything somebody does and starts fresh. I've had people upload porn and everything. It's part of having a demo so they can see how it works. Static pages are garbage because the user doesn't get the exact feel.

    FrontPage probably not, but FTP yes. A hacker who gains FTP can potentially, if he has PHP and Perl, go EVERYWHERE on the server, as with the shell.

    But that is not the only serious problem.
    Also, the problem described by Dgbaker http://forums.cpanel.net/read.php?TID=7421 was 99% caused by a vulnerability in the cPanel demo.
     
  8. Radio_Head

    Radio_Head Well-Known Member

    Originally posted by Radio_Head:
    > Originally posted by awsol:
    > > Why would frontpage extensions be a problem?
    > >
    > > Let me explain how I do it. I just terminate the account and recreate it every few days. This wipes out anything somebody does and starts fresh. I've had people upload porn and everything. It's part of having a demo so they can see how it works. Static pages are garbage because the user doesn't get the exact feel.
    >
    > FrontPage probably not, but FTP yes! A hacker who gains FTP can potentially, if he has PHP and Perl, go EVERYWHERE on the server, as with the shell.
    >
    > But that is not the only serious problem.
    > Also, the problem described by Dgbaker http://forums.cpanel.net/read.php?TID=7421 was 99% caused by a vulnerability in the cPanel demo.

    Perhaps the solution is to create a cPanel demo on an account without CGI/PHP; it should be safer, but I don't want to try it on my own skin again.
    I have definitely stopped providing a cPanel demo.
     
  9. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Steve - You mentioned people upload stuff like porn etc... and you remove and readd the account every few days.

    Well during those few days, what stops someone from uploading a malicious script(s) that create backdoors or install trojans?

    Even removing the account will not clear these if the damage has been done. There are more than a few of us who have got nailed by someone being able to do things in the demo client.

    Having a demo is nice, but if it opens up any sort of security hole no matter how big or small, is it really worth the risk to your server and mostly your clients if the server truly gets compromised?

    For demos, just point to cPanel's own demo on their site. And show screenshots of your different themes.
     
  10. Radio_Head

    Radio_Head Well-Known Member

    Originally posted by awsol:
    > Why would frontpage extensions be a problem?
    >
    > Let me explain how I do it. I just terminate the account and recreate it every few days. This wipes out anything somebody does and starts fresh. I've had people upload porn and everything. It's part of having a demo so they can see how it works. Static pages are garbage because the user doesn't get the exact feel.

    awsol, I just tried your cPanel demo and I was able to get your /etc/passwd on nix in 1 minute. If you don't believe me I will send you a PM with your /etc/passwd.
    It's only an example of how vulnerable the cPanel demo is.
    Consider that I am absolutely not a hacker or a guru; however, using the cPanel demo I was able to get your /etc/passwd or to browse your accounts in 1 minute.
    What could a hacker do?! A lot of things ... very dangerous.
     
  11. awsol

    awsol cPanel Test Bitch

    /etc/passwd is meant to be read. That's where everything runs from as far as users and passwords. Therefore all users need access to it. Yes you can see it but try decrypting it. Unless you have a super computer it won't happen.
     
  12. Radio_Head

    Radio_Head Well-Known Member

    As you believe, awsol. It's only a suggestion; you decide.

    /etc/passwd is an example; however, with your /etc/passwd I could browse all your accounts, getting clean MySQL passwords for example, or catching PHP code from your clients' sites. However, I am not a hacker ;) , I have no reason to do that. But every visitor with a little experience could do that.

    And as dgbaker explained, there are other, more dangerous exploits.
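
The audit below checks, from the administrator's side, the two exposures argued over in the posts above: whether password hashes sit in the world-readable passwd file, and whether other accounts' home directories and PHP files are readable once their paths are known. It is an added example, not part of the original thread; the sample passwd lines, the 500 UID cutoff and the `.php` suffix check are assumptions.

```python
import os
import stat

# Constructed sample in passwd(5) format; the hash is a made-up placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
demo:x:32001:32001::/home/demo:/bin/false
client1:$1$CONSTRUCTED$notarealhash:32002:32002::/home/client1:/bin/bash
"""

PLACEHOLDERS = {"x", "*", "!", "!!"}  # values meaning "no hash is stored here"


def parse_passwd(text):
    """Yield (user, pw_field, uid, home) for each well-formed passwd line."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2]), parts[5]


def other_can_read(path):
    """True if the 'other' read bit is set; unreadable paths count as False."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IROTH)
    except OSError:
        return False


def audit(passwd_text, root="/", min_uid=500):
    """Return sorted (user, finding) pairs; min_uid=500 is an assumed cutoff."""
    findings = set()
    for user, pw, uid, home in parse_passwd(passwd_text):
        if pw == "":
            findings.add((user, "empty password field"))
        elif pw not in PLACEHOLDERS:
            findings.add((user, "hash stored in world-readable passwd"))
        home_path = os.path.join(root, home.lstrip("/"))
        if uid < min_uid or not os.path.isdir(home_path):
            continue  # skip system accounts and missing homes
        if other_can_read(home_path):
            findings.add((user, "home listable by other users"))
        for dirpath, _dirs, files in os.walk(home_path):
            for name in files:
                if name.endswith(".php") and other_can_read(os.path.join(dirpath, name)):
                    findings.add((user, "world-readable PHP file"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(open("/etc/passwd").read()):
        print(f"{user}: {finding}")
```

Run it as root so every home directory can be walked; the `root` parameter lets the same checks run against a mounted backup or a test tree.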
     
  13. Radio_Head

    Radio_Head Well-Known Member

    Bump;)
     
  14. Radio_Head

    Radio_Head Well-Known Member

    bump ...bump ...
     