nybble

Ok well, there are a few things that worry me...

One is that everyone on the server can view your httpd.conf file
Second is that everyone can see everyone else on the server & their information, such as username, domain, subdomains etc...

Are these going to get fixed or what?
 

chirpy

I believe that both have been raised in the past, but due to the current design, nothing has been done. So, they know about the problems, but I've no idea if they're looking to overcome them.
 
cPanelBilly

nybble said:
Ok well, there are a few things that worry me...

One is that everyone on the server can view your httpd.conf file
Second is that everyone can see everyone else on the server & their information, such as username, domain, subdomains etc...

Are these going to get fixed or what?
These are not security bugs, they are part of a shared hosting system and there is nothing that can be done currently.
 

chirpy

I'd have to disagree with you Billy. We've shown previously that this could be fixed - it's how cPanel works where the problem is. It is quite possible to protect httpd.conf (this was shown to be possible, but some functionality in cPanel functions break, the web server doesn't) and the other problem really is a design issue.
 

StevenC

chirpy said:
I'd have to disagree with you Billy. We've shown previously that this could be fixed - it's how cPanel works where the problem is. It is quite possible to protect httpd.conf (this was shown to be possible, but some functionality in cPanel functions break, the web server doesn't) and the other problem really is a design issue.
Sorry Billy, but I must side with chirpy on this one.
 

cPanelNick

chirpy said:
I'd have to disagree with you Billy. We've shown previously that this could be fixed - it's how cPanel works where the problem is. It is quite possible to protect httpd.conf (this was shown to be possible, but some functionality in cPanel functions break, the web server doesn't) and the other problem really is a design issue.
What would you gain? What about /etc/userdomains or /etc/localdomains?
 

eos1

cpanelnick said:
What would you gain?
Our privacy.

It's just like showing your address book to all, isn't it?
 
dgbaker

I've been playing with rights and a little Perl script for testing and found that the following seems to work, but obviously would require a lot more testing to be sure.

chmod 640 httpd.conf
chown root:nobody httpd.conf

Now when trying to use something like
open(MYINPUTFILE, "httpd.conf");

It results in the following:

content-type: text/html
readline() on closed filehandle MYINPUTFILE at ./test.cgi line 4.

Whereas before it would list out httpd.conf

Anyone up for more testing of this???
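
A read-only way to check the effect of the permission change in the post above, as an added example that is not part of the original thread or of cPanel: it reports whether each file passed to it is world-readable and shows its mode and owner. The function names are hypothetical, and the paths to audit (httpd.conf, /etc/userdomains, /etc/localdomains) are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of whether files are
# readable by every local account. Pass the paths to check as arguments.
# Only classic mode bits are inspected; POSIX ACLs are not evaluated.

# world_readable FILE: returns 0 if the "other" read bit is set,
# 1 if it is clear, 2 if FILE does not exist.
world_readable() {
    [ -e "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c1-10)    # e.g. -rw-r-----
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_file FILE: prints "STATUS mode owner:group path".
audit_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING - - $f"
        return 0
    fi
    info=$(ls -ld -- "$f" | awk '{print $1, $3 ":" $4}')
    if world_readable "$f"; then status=EXPOSED; else status=OK; fi
    echo "$status $info $f"
}

# Audit every path given on the command line.
for path in "$@"; do
    audit_file "$path"
done
```

With the chmod 640 and chown root:nobody from the post applied, httpd.conf should be reported as OK with mode -rw-r----- and owner root:nobody, while any file still at a mode such as 644 is reported as EXPOSED.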
 

eos1

cpanelnick said:
What would you gain? What about /etc/userdomains or /etc/localdomains?
I think you are still in Vegas, and there are so many walking apache dictionaries.
I'm sure you got something for it, and not Gambling...