cPanel bugs - are they going to be fixed?

[nybble]

Ok well, there are a few things that worry me...

One is that everyone on the server can view your httpd.conf file
Second is that everyone can see everyone else on the server & their information, such as username, domain, subdomains etc...

Are these going to get fixed or what?

 

[damainman]

1. Did you submit the bugs in Bugzilla?
2. If you did, post the bug ID's here: http://forums.cpanel.net/showthread.php?t=31595&page=3

 

[nybble]

I didn't but I guess I should...

 

[chirpy]

I believe that both have been raised in the past, but due to the current design, nothing has been done. So, they know about the problems, but I've no idea if they're looking to overcome them.

 

[cPanelBilly]

Ok well, there are a few things that worry me...

One is that everyone on the server can view your httpd.conf file
Second is that everyone can see everyone else on the server & their information, such as username, domain, subdomains etc...

Are these going to get fixed or what?

These are not security bugs, they are part of a shared hosting system and there is nothing that can be done currently.

 

[chirpy]

I'd have to disagree with you Billy. We've shown previously that this could be fixed - it's how cPanel works where the problem is. It is quite possible to protect httpd.conf (this was shown to be possible, but some functionality in cPanel functions break, the web server doesn't) and the other problem really is a design issue.

 

[StevenC]

I'd have to disagree with you Billy. We've shown previously that this could be fixed - it's how cPanel works where the problem is. It is quite possible to protect httpd.conf (this was shown to be possible, but some functionality in cPanel functions break, the web server doesn't) and the other problem really is a design issue.

sorry billy but i must side with chirpy on this one.

 

[cPanelNick]

I'd have to disagree with you Billy. We've shown previously that this could be fixed - it's how cPanel works where the problem is. It is quite possible to protect httpd.conf (this was shown to be possible, but some functionality in cPanel functions break, the web server doesn't) and the other problem really is a design issue.

What would you gain? What about /etc/userdomains or /etc/localdomains ?

 

[eos1]

What would you gain?

our privacy.

It's just like showing your address book to all, isn't it.

 

[dgbaker]

I've been playing with rights and a little perl script for testing and found that the following seems to work, but obviously would require a lot more testing to be sure.

chmod 640 httpd.conf
chown root:nobody httpd.conf

Now when trying to use something like
open(MYINPUTFILE, "httpd.conf");

It results in the following;

content-type: text/html
readline() on closed filehandle MYINPUTFILE at ./test.cgi line 4.

Where as before it would list out httpd.conf

Anyone up for more testing of this???

 

[chirpy]

Similar idea in this 7 page thread:
http://forums.cpanel.net/showthread.php?t=29718&page=5&pp=15

We did flog this one quite hard and seemed to conclude that Apache is happy, but not the cPanel code.

 

[eos1]

What would you gain? What about /etc/userdomains or /etc/localdomains ?

I think you are still in Vegas, and there are so many walking apache dictionaries.
I'm sure you got something for it, and not Gambling...

 

[dgbaker]

Similar idea in this 7 page thread:
http://forums.cpanel.net/showthread.php?t=29718&page=5&pp=15

We did flog this one quite hard and seemed to conclude that Apache is happy, but not the cPanel code.

Ah! Thanks, oh well....