
In Progress [CPANEL-18704] cPanel contact address is stored in the home directory

Discussion in 'Security' started by abnet, Apr 8, 2019.

  1. abnet

    abnet Member

    1. Why is there a /home/user/.contactemail file?

    2. If I, or some script, change the email address directly in that file, why does the Contact Information page still show the "right/orig" email address?

    3. If the page shows one email address, and the file has a different email address, who gets the email notifications for the 11 email options on the page? The email address in the file, or the email address on the Contact Information page?

    4. Do you not see this file as a flaw? Or rather a security risk? Considering scripts seem to have access to it by default, I find this file rather mind-boggling.

    5. If a user follows the common practice of moving the account to another server, what happens with the above facts? It would be amazing to learn that after the move, if the user does not hit the "Contact Information" page in the cPanel account, the email address in the file stays there, receiving notifications and enabling the recipient to do a password reset.
    I eagerly await to know.
     
    #1 abnet, Apr 8, 2019
    Last edited: Apr 8, 2019
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @abnet,

    1. The /home/$username/.contactemail file stores the cPanel account's contact email address. This is the email address that's configured as part of cPanel >> Home >> Preferences >> Contact Information. The supported method of editing this file through the command line is via the CustInfo::savecontactinfo cPanel API 2 function. Direct edits to this file are unsupported and can prevent the cPanel UI from displaying the correct email address. In such cases, the email address in /home/$username/.contactemail is what's actually used for notifications, whereas the email address in the cPanel UI comes from the /home/$username/.cpanel/contactinfo file. As far as account transfers, moving the account to a new server should result in an update to /home/$username/.cpanel/contactinfo so that the UI matches the address in the file.

    2. We're currently exploring changes to address the security concerns associated with the storage of this file in the account's home directory. The case number is CPANEL-18704. I don't have a specific time frame to offer on when any changes from this case will make their way into cPanel & WHM, but I've linked this thread to the case and will provide more information on the case status as it becomes available.

    Thank you.
     
  3. abnet

    abnet Member

    Ok, well, thank you for the clarity. Even though the clarity does reveal more flaw, glad to hear a case is open to remedy. What does cPanel recommend for WHM users to prevent this flaw from being abused until a solution is live?

    What I've done is:

    Home » Server Configuration » Tweak Settings

    Search for "reset"

    Set these to OFF:

    • Reset Password for cPanel accounts?
    • Reset Password for Subaccounts?

    So that if a bad actor manages to change the contact email, they cannot change the password by email. Is this A solution? The ONLY solution?

    I would also recommend that cPanel implement something like this by default:


    Open_basedir change:

    SOLVED - Adding open_basedir for multiple users

    ADD: php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }

    TO: system_pool_defaults.yaml
    /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @abnet,

    You can perform one of the following steps to mitigate the issue until a solution is published:

    1. Turn off the following options under the System tab in WHM >> Tweak Settings:

    Reset Password for cPanel accounts
    Reset Password for Subaccounts


    2. Enable two-factor authentication for cPanel accounts. With two-factor authentication required, the cPanel account's password can be reset if the options noted in the previous workaround are enabled. However, authentication into cPanel will fail if the attacker doesn't know the 2FA code.

    See: Two-Factor Authentication for cPanel - Version 78 Documentation - cPanel Documentation

    Thank you.
     
  5. Remitur

    Remitur Active Member

    I found a hacked site, in which the legit email address in .contactemail was substituted with the cracker's email (so it happened that the user restored the site three times, and every time the site was hacked again in a very short time...)

    I would like to check if any other site on my server is using the same email address in .contactemail (or an email address using the same domain @yopmail[.]com); any idea on the right grep syntax to do such a check?!
     
  6. GOT

    GOT Get Proactive! PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,367
    Likes Received:
    151
    Trophy Points:
    193
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    You can use this command:

    find /home -name ".contactemail" -exec grep "email@domain.com" {} /dev/null \;
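
A broader audit along the same lines, added here as an example and not taken from any post in this thread or from cPanel's own tooling. It flags accounts whose .contactemail address is in a domain under investigation, and accounts where that address does not appear in .cpanel/contactinfo (the file the thread says feeds the UI). The function names, the sample tree and the domain badmail.example are constructed, and it assumes contactinfo holds the UI address as plain text.

```shell
#!/bin/sh
# Added example: audit cPanel contact addresses for signs of tampering.
# audit_contactemail BASE [DOMAIN] prints STATUS<TAB>user<TAB>address, where
#   DOMAIN   = address is in the domain under investigation
#   MISMATCH = address is absent from .cpanel/contactinfo (what the UI shows)
#   OK       = neither of the above
audit_contactemail() {
    local base dom f user addr status
    base=${1:-/home}
    dom=$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')
    for f in "$base"/*/.contactemail; do
        # Skip unmatched globs and symlinks (the file is user-writable).
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        # First line only, whitespace stripped, lower-cased.
        addr=$(head -n 1 "$f" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        [ -n "$addr" ] || continue
        status=OK
        # Assumption: contactinfo contains the UI address as plain text.
        if [ -f "$base/$user/.cpanel/contactinfo" ] &&
           ! grep -qiF -- "$addr" "$base/$user/.cpanel/contactinfo"; then
            status=MISMATCH
        fi
        if [ -n "$dom" ]; then
            case $addr in *"@$dom") status=DOMAIN ;; esac
        fi
        printf '%s\t%s\t%s\n' "$status" "$user" "$addr"
    done
}

# Constructed sample tree (not real accounts) for trying the audit offline.
build_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/alice/.cpanel" "$d/bob/.cpanel" "$d/carol/.cpanel"
    echo 'alice@example.com'        > "$d/alice/.contactemail"
    echo 'email: alice@example.com' > "$d/alice/.cpanel/contactinfo"
    echo 'x1@badmail.example'       > "$d/bob/.contactemail"
    echo 'email: bob@example.org'   > "$d/bob/.cpanel/contactinfo"
    echo 'Carol@Example.net'        > "$d/carol/.contactemail"
    echo 'email: owner@example.net' > "$d/carol/.cpanel/contactinfo"
    echo "$d"
}
# Usage on a server, as root: audit_contactemail /home badmail.example | grep -v '^OK'
```

A MISMATCH line is a lead to review rather than proof of compromise, since the thread notes that any unsupported direct edit of .contactemail leaves the two files out of step.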
     