downloadable files under /usr/local/cpanel/

Discussion in 'General Discussion' started by phparion, Aug 15, 2008.

  1. phparion

    Hi

    I have 3 VPS from a good hosting company. I found in the logs today that somebody hit the following URL:

    www.mydomain.com/java-sys/SSHTerm/files/gsissh/filedrop.jar

    and all other files in the "gsissh" folder. When I dug into the problem I found that this directory is under the /usr/local/cpanel/ directory.

    I was surprised that somebody is able to visit this directly through my domain when it is not in the public_html directory, which is what is mentioned in the Apache httpd.conf file for the VirtualHost tag of my domain.

    The same is happening on all three VPS. I checked it on a friend's VPS, which is with another hosting company and uses cPanel. The same links work for that VPS too.

    I searched a lot on this and found that this is because cPanel has a web-based SSH which uses this location. I tried to chmod 000 this SSHTerm directory but the links still work.

    I think this can lead to a serious security problem because people can easily access files outside the public directory (public_html).

    It is just a matter of finding a good XSS attack to copy, remove or move files across the server.

    Can anybody shed some light on whether this is seriously dangerous and whether cPanel is aware of it?

    Thank you and curiously waiting for your replies.
     
  2. DaveUsedToWorkHere

    Hello, the files you see in /usr/local/cpanel/java-sys/SSHTerm/files/gsissh are library files used with SSHTerm. These files are not writable (644) and are readily available for download with the SSHTerm code from their site. There's no security risk involved with having the SSHTerm code available for download. You'll notice upon inspection that the jar files are compiled so downloading them would do no good to those trying to find security holes in the SSHTerm application.

    As far as access to the application goes, this does no good for them. The application is downloaded through Apache (not Tomcat) and the Java code is not going to be executed. Also, even if they somehow had access to the application, they'd still need login credentials for an account on the server to get in. In that case, they might as well just ssh into your box using PuTTY or ssh from the command line, which would be a much easier way to get in.
     
  3. phparion

    Thank you for your reply. I chmod 000 the SSHTerm/ directory and tried the download link, and it still worked fine. When I asked the hosting company's support team, they said cPanel does not check permissions on files and continues with its own mechanism; even if I delete this directory or chmod 000 it, the next time cPanel is updated it will overwrite my changes during the checksum.

    I have already taken a few steps by changing the default SSH port and installing the CSF firewall on the server to get rid of brute-force attacks. My confusion about this possible security problem is, first, why do you need to execute files above public_html, and second, XSS (Cross-Site Scripting) might be able to exploit the download link by executing a command, copying a script, moving files, etc.

    Though I am not sure 664 can be bypassed, BUT if the hosting support team is right that cPanel uses its own logic without taking care of permissions, then there could be a possible XSS attack.
     
  4. DaveUsedToWorkHere

    Did you chmod -r or just chmod? You'll need to make sure the files themselves don't have access permissions. This is still unnecessary. There's no security risk here. Having these files available for download is the same security risk that SSHTerm has on its website where the same files are available for download.


    These files are used by all accounts on the system for SSHTerm. It would be a waste of space to copy these files for every user; therefore, a central location is used for all users. 644 allows group and world to read the files, not write to them, so there's no issue of outside users being able to edit these files. 644 is also what is used for HTML documents on your site, so there's no difference in risk here between index.html on your site and the SSHTerm jar or license file.

    I don't understand how an XSS attack would take place. Can you explain your thought here? An XSS attack requires a script or application to be running and for you to then inject code into a URL that causes unwanted behavior. There's no code executing here. Apache cannot execute .jar files; these are Java files that can only be executed with the Java runtime. It's impossible to XSS a file; XSS relates to scripts and applications.
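
The permission points raised in this thread (what 644 and 664 allow, and chmod on a directory versus on the files inside it) can be checked with a short shell audit. This is an added example, not part of any post and not cPanel's code; it runs on a constructed temporary tree, and `other.jar` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a shared, web-served directory tree.
# All paths are constructed in a temporary directory for the demo.

# List regular files under $1 that group or world can modify.
writable_by_others() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# List regular files under $1 that world can read.
world_readable() {
    find "$1" -type f -perm -004 -print
}

# Build a constructed tree that mirrors the layout named in the thread.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/SSHTerm/files/gsissh"
    : > "$root/SSHTerm/files/gsissh/filedrop.jar"
    : > "$root/SSHTerm/files/gsissh/other.jar"   # hypothetical second file
    chmod 644 "$root/SSHTerm/files/gsissh/filedrop.jar"  # rw-r--r--
    chmod 664 "$root/SSHTerm/files/gsissh/other.jar"     # rw-rw-r--
    printf '%s\n' "$root"
}

# A non-recursive chmod changes only the directory's own mode bits.
# $1 = directory, $2 = a file below it; prints the file's mode string.
mode_after_dir_only_chmod() {
    chmod 000 "$1"            # directory only, no recursion
    chmod 755 "$1"            # restore so the file can be inspected
    ls -ld "$2" | cut -c1-10  # the file's own bits are untouched
}

demo=$(make_demo_tree)
echo "group- or world-writable files:"
writable_by_others "$demo"
echo "world-readable files:"
world_readable "$demo"
echo "filedrop.jar mode after a directory-only chmod:"
mode_after_dir_only_chmod "$demo/SSHTerm" \
    "$demo/SSHTerm/files/gsissh/filedrop.jar"
rm -rf "$demo"
```

Run against a real tree, `writable_by_others` should print nothing when every file is 644; a 664 file shows up because group has write access.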
     