Pending Publication [CPANEL-18704] cPanel contact address is stored in the home directory

abnet

Member
Feb 27, 2011
  1. Why is there a /home/user/.contactemail file?

  2. If I, or some script, change the email address directly in that file, why does the Contact Information page still show the "right/orig" email address?

  3. If the page shows one email address, and the file has a different email address, who gets the email notifications for the 11 email options on the page? The email address in the file, or the email address on the Contact Information page?

  4. Do you not see this file as a flaw? Or rather a security risk? Considering scripts seem to have access to it by default, I find this file rather mind boggling.

  5. If a user follows the common practice of moving the account to another server, what happens with the above facts? It would be amazing to learn that after the move, if the user does not hit the "Contact Information" page in the cPanel account, the email address in the file stays there receiving notifications and enables the recipient to do a password reset.
I eagerly await your reply.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @abnet,

1. The /home/$username/.contactemail file stores the cPanel account's contact email address. This is the email address that's configured as part of cPanel >> Home >> Preferences >> Contact Information. The supported method of editing this file through the command line is via the CustInfo::savecontactinfo cPanel API 2 function. Direct edits to this file are unsupported and can prevent the cPanel UI from displaying the correct email address. In such cases, the email address in /home/$username/.contactemail is what's actually used for notifications, whereas the email address in the cPanel UI comes from the /home/$username/.cpanel/contactinfo file. As far as account transfers, moving the account to a new server should result in an update to /home/$username/.cpanel/contactinfo so that the UI matches the address in the file.

2. We're currently exploring changes to address the security concerns associated with the storage of this file in the account's home directory. The case number is CPANEL-18704. I don't have a specific time frame to offer on when any changes from this case will make their way into cPanel & WHM, but I've linked this thread to the case and will provide more information on the case status as it becomes available.

Thank you.
 

abnet

Member
Feb 27, 2011
Ok, well thank you for the clarity. Even though the clarity does reveal more flaws, I'm glad to hear a case is open to remedy it. What does cPanel recommend for WHM users to prevent this flaw from being abused until a solution is live?

What I've done is:

Home »Server Configuration »Tweak Settings

Search for "reset"

Set these to OFF:

  • Reset Password for cPanel accounts?
  • Reset Password for Subaccounts?

So that if a bad actor manages to change the contact email, they cannot change the password by email. Is this A solution? The ONLY solution?

I would also recommend that cPanel implement something like this by default:

Open_basedir change:

SOLVED - Adding open_basedir for multiple users

ADD: php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }

TO: system_pool_defaults.yaml
/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @abnet,

You can perform one of the following steps to mitigate the issue until a solution is published:

1. Turn off the following options under the System tab in WHM >> Tweak Settings:

Reset Password for cPanel accounts
Reset Password for Subaccounts


2. Enable two-factor authentication for cPanel accounts. With two-factor authentication required, the cPanel account's password can be reset if the options noted in the previous workaround are enabled. However, authentication into cPanel will fail if the attacker doesn't know the 2FA code.

See: Two-Factor Authentication for cPanel - Version 84 Documentation - cPanel Documentation

Thank you.

Remitur

Active Member
Jan 17, 2018
cPanel Access Level
Root Administrator
I found a hacked site in which the legit email address in .contactemail was substituted with the cracker's email (so it happened that the user restored the site three times, and every time the site was hacked again in a very short time...).

I would like to check if any other site on my server is using the same email address in .contactemail (or an email address using the same domain, @yopmail[.]com); any idea on the right grep syntax to do such a check?!
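As an added example (not cPanel's code and not from any poster in this thread), the check asked for above as a small POSIX shell audit: it reads every account's /home/<user>/.contactemail, reports accounts whose contact address matches a given address or domain, and lists addresses shared by more than one account, which is how a single planted attacker address shows up even when its domain is not yet known. The /home layout, the yopmail.com sample domain and the assumption that the file holds one address per line are assumptions.

```shell
#!/bin/sh
# Added example, not cPanel's own code. Audits /home/*/.contactemail (the file
# that actually receives notifications and password-reset mail, per the thread).

# Print "user<TAB>address" for every non-empty line of every .contactemail.
# All lines are read in case a secondary address is stored on a second line
# (assumption); addresses are lower-cased and stripped of CR/blank characters.
list_contact_emails() {
    root="${1:-/home}"
    for f in "$root"/*/.contactemail; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        tr -d '\r\t ' < "$f" | tr 'A-Z' 'a-z' | grep -v '^$' |
            while IFS= read -r addr; do printf '%s\t%s\n' "$user" "$addr"; done
    done
}

# Accounts whose contact address is exactly $2, or ends in "@$2" when $2 is a
# bare domain (e.g. yopmail.com).
find_contact_matches() {
    root="${1:-/home}"
    needle=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    list_contact_emails "$root" | awk -F'\t' -v n="$needle" \
        '$2 == n || substr($2, length($2) - length(n)) == "@" n { print $1 "\t" $2 }'
}

# Addresses present in more than one account's file, with the count and the
# accounts using them: one address planted across many sites stands out here.
find_shared_contacts() {
    root="${1:-/home}"
    list_contact_emails "$root" | awk -F'\t' '
        { c[$2]++; u[$2] = u[$2] " " $1 }
        END { for (a in c) if (c[a] > 1) print a "\t" c[a] ":" u[a] }' | sort
}

# Quick grep-only equivalent for the domain case (case-insensitive, file names only):
#   grep -il '@yopmail\.com' /home/*/.contactemail
```

Run `find_contact_matches /home yopmail.com` and `find_shared_contacts /home` as root; any hit is a reason to restore the address through the Contact Information page and rotate the account password.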