[Case 141673] htpasswd in public_html after easyapache 3.26.10

kjg

Well-Known Member
Mar 2, 2004
158
3
168
Just realised that there has been a directory named .htpasswd created in all accounts public_html directory after running easyapache update a couple of days ago. (easyapache 3.26.10)

Was this created by that update? I so, why?

I really do not understand why we should have htpasswd in public_html. For me that is a big NO NO.

htpasswd should be outside the public_html directory and is normally created in the accounts root folder when a password is set in cpanel "password protect directory".

Any info regarding this htpasswd in public_html would be much appreciated.

// kjg
 

kjg

Well-Known Member
Mar 2, 2004
158
3
168
No one else having this problem/situation?

Checked on 5 of our servers and all accounts on all servers had a .htpasswd folder created in public_html after last easyapache

Would appreciate if someone could confirm that they also had this folder created automatically for all accounts.

// kjg
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,216
363
Hello :)

Feel free to open a support ticket using the link in my signature so we can take a closer look and verify the purpose of this directory. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

kjg

Well-Known Member
Mar 2, 2004
158
3
168
Hi Michael
After some work from your excellent support staff, they identified the problem and I got the following reply"

"I have now confirmed this on a new test machine when creating an account. After I run EasyApache, the .htpasswds folder is placed within that new user's public_html folder. I've opened case 141673 about this issue.
...
We will hopefully have a response on the case by next week"

// kjg
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,216
363
Yes, internal case number 141673 is open to address the issue where a folder is being created within /home/$USER/public_html for .htpasswds (Apache's Password Protect Directories) rather than at the /home/$USER level. You can monitor our change log to see when a resolution for this case has been implemented:

11.46 Change Log

Thank you.
 

dxer

Well-Known Member
Sep 9, 2002
306
0
166
Europe
I can confirm the same problem. It is now about month since this you wrote:
"We will hopefully have a response on the case by next week"

Any update on this? Change log doesn't show anything.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,216
363
The resolution is currently scheduled for cPanel version 11.48. Note that the bug here is the directory creation. The directories are not utilized, so it's not a security concern.

Thank you.
 

PCZero

Well-Known Member
Dec 13, 2003
712
85
178
Earth
The resolution is currently scheduled for cPanel version 11.48. Note that the bug here is the directory creation. The directories are not utilized, so it's not a security concern.

Thank you.
Michael I have a couple of quick questions in reference to this...

1) Is there an ETA for 11.48 being pushed to Release?
2) Once we are running 11.48 is it safe to assume that deleting the rouge htpasswd will be permanent so that it will not be recreated as it is if you delete it now (and that doing so will cause no unintended consequences)?
3) What's the airspeed velocity of an unladen swallow?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,216
363
Right, in 11.48, once you delete the directory it should not come back, and it's acceptable to delete it. cPanel version 11.48 is currently available on the "Edge" and "Current" build tiers. We don't typically provide time frame estimates on when new versions will reach certain tiers. More information about our release process is available at:

cPanel & WHM Product Versions and the Release Process

Thank you.
 

PCZero

Well-Known Member
Dec 13, 2003
712
85
178
Earth
Thanks Michael, but you failed to address the third question! (None shall pass) :)