The Community Forums

Interact with an entire community of cPanel & WHM users!

dumb and extremely insecure.

Discussion in 'General Discussion' started by potentialbuyer, Mar 11, 2004.

  1. I heard a lot about cPanel. I decided to try it out before buying and installing it on my servers. So I registered with a host as a reseller. This in order to test for at least 1 month, carefully, no pressure, etc...

    I just started yesterday, so this is pretty much all I can say for now. cPanel's implementation of webmail is horrible and insecure by definition.

    1) Why can't you select one of the three webmail systems and use that as default? What's the point of having to select a webmail app each and every time one logs in?
    2) What's the deal with the htaccess security first, and then the HTML one? Why can't it work with simple HTML security as these webmail clients do by default?
    3) Does the fact that once you go through the first level of security (htaccess) your login/password are prefilled in the HTML page mean that this is a kludge and that the cPanel developers can't get rid of the first level of security?
    4) Since there is no way to "logout" from htaccess (other than closing the browser) and the HTML login/pass are prefilled on all instances of the browser's session, this is extremely INSECURE. You select logout from the webmail interface and leave your computer.....if you forgot to close that window and all windows from the same session, then you can just retype the URL and you can get right back in to the account...after all, user/pass are already prefilled.
    Now let's say we teach all users to ALWAYS close ALL browser windows....that won't work either. Many dedicated public terminals have a browser window as a shell. You can't open additional windows, nor can you close the main one. In this case...the browser is always in the main session. No way to close it. Not a security risk. A definite security problem.

    Are there any plans to change these things with webmail in the near future? If yes, any idea when, so that I can give cPanel another try? As is, cPanel is useless to me so I will have to keep my current solution (I run 14 machines and create hosts manually....it sucks.....but it's secure).

    thanks,

    almost a buyer

    cPanel.net Support Ticket Number: a bug or just poor planning?
     
    #1 potentialbuyer, Mar 11, 2004
    Last edited by a moderator: Mar 12, 2004
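To make point 4 above concrete, here is an added illustration (my own sketch, not cPanel's code and not from any poster in this thread): it contrasts an .htaccess-style HTTP Basic layer, where the browser resends the cached credentials on every request and the server holds no state it could revoke, with a cookie session issued by a one-time login POST, which the server can invalidate on logout. The user name, password, header names and functions are all constructed for the demonstration.

```python
import base64
import secrets
from typing import Dict, Optional, Tuple

# Constructed credential store for the demonstration (not a real account).
USERS = {"user@example.com": "correct horse"}

# Server-side session table used only by the cookie-based scheme.
SESSIONS: Dict[str, str] = {}


def check_basic(headers: Dict[str, str]) -> Optional[str]:
    """Emulate the .htaccess (HTTP Basic) layer: the credentials ride on every
    request and the server keeps no state, so there is nothing to 'log out'."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    return user if USERS.get(user) == pw else None


def login_post(form: Dict[str, str]) -> Optional[str]:
    """Emulate a /login/ HTTP POST: verify once, hand back a random session id."""
    if USERS.get(form.get("user", "")) != form.get("pass"):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = form["user"]
    return sid


def logout(sid: str) -> None:
    """Server-side logout: drop the session so the cookie is worthless afterwards."""
    SESSIONS.pop(sid, None)


def check_session(headers: Dict[str, str]) -> Optional[str]:
    """Resolve the 'sid' cookie against the live session table."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None


def demo() -> Tuple[bool, bool]:
    """Return (basic_auth_still_valid_after_logout, session_still_valid_after_logout)."""
    basic_hdr = {"Authorization": "Basic " + base64.b64encode(b"user@example.com:correct horse").decode()}
    basic_after = check_basic(basic_hdr) is not None  # 'logout' in the webmail UI changes nothing here
    sid = login_post({"user": "user@example.com", "pass": "correct horse"})
    logout(sid)
    session_after = check_session({"Cookie": f"sid={sid}"}) is not None
    return basic_after, session_after
```

Running demo() returns (True, False): the Basic header keeps working after the user thinks they logged out, while the revoked session cookie does not, which is exactly the public-terminal scenario the post describes.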
  2. nybble

    nybble Well-Known Member
    I see your points, but cpanel is not a security system, it is a control panel. Think about it.
     
  3. It is a control panel with many features...one of them is the webmail....which is made insecure by the way cPanel runs it (the three webmail apps are not inherently insecure...they are made insecure by cPanel's implementation).
    So I thought about it (thanks for suggesting that) and came to the conclusion that even though cPanel is not a security system it should make sure that at least the features it provides are secure (Microsoft Internet Information Services IIS is not a security system...it's a web server....yet a security bug is found in it and all hell breaks loose....same with any application....if it's not secure it's a problem)
     
    #3 potentialbuyer, Mar 11, 2004
    Last edited by a moderator: Mar 11, 2004
  4. nybble

    nybble Well-Known Member
    When you buy a car you don't know how to drive it right away, if you don't like the webmail remove it and use your own
     
  5. I could do that, but then I would have to do that for every host that gets created....which is more or less what I do now....and is why I want to change. (just to clarify that, I mean creating with WHM)
     
  6. nybble

    nybble Well-Known Member
    edit the account setup so it doesn't make the webmail dir :)
     
  7. But I do like the fact that it gets created....it simplifies reselling....click click click and a new host is created with all the features one wants (including webmail). I just think that the way it's implemented suggests...it's a bug or it's bad planning. It IS a security problem. It has to be fixed...wouldn't you agree?
     
  8. nybble

    nybble Well-Known Member
    I never use it..... =\

    I had plans to dev my own in house control panel, like ensim but more hard core :)
     
  9. If you can develop your own...then you are at a different level than I am....I am a lowly user who has to depend on programs working right because I can't develop my own.
     
  10. beebware

    beebware Active Member
    Install a copy of SquirrelMail et al into the cpanel-skel3/public_html/mail folder for your reseller account (or under /root/ for root user) with the default IMAP server set to just "127.0.0.1" and then when you create new accounts, a copy of SquirrelMail is already installed in to www.example.com/mail and the customer just has to log in with the username and password.

    Of course, if a bug is then detected in Squirrelmail et al, you will have to retrospectively apply the bug fixes to all installed versions...
     
  11. nickn

    nickn Well-Known Member
    PartnerNOC
    You can per domain. You have to change a file at the shell, but it's very possible. Search the forums, I know there was a howto, if not I can repost, however it involved putting skipneomail=1 to disable neomail, etc...

    You can only do it "per user" (ie, account, not domain) but it can be done.
     
  12. nybble

    nybble Well-Known Member
    If all you are going to do is moan about it not working and stuff, install it on YOUR site. There. Done.

    If you need to upgrade, upgrade it, if you don't, all the same.

    Or give users a subdomain, mail.theirdomain.com or something, and point it at one folder.
     
  13. thaphantom..."there is no way to win with these people so dont bother trying"
    Would "these" people be people who would expect software to work correctly and securely? If yes, you are right, don't bother trying to convince me to accept things that work incorrectly. The way this is designed is dumb (select which client to use every single time??????) and it's insecure (if it's not, feel free to show me what I did wrong and I will apologize for speaking without fully understanding the product).
    I am so sure that this is wrong that I am pretty sure that it will be fixed in future versions; that's why in my initial post I asked when it might be fixed so I can give it another try. Right now I can see end users not liking having to click through 4 windows to get to their mail, or the fact that it's insecure....maybe in the future it will be different.
     
  14. ddeans

    ddeans Well-Known Member
    Agreed!

    potentialbuyer, thephantom made a relatively good point. You have done nothing but complain about the software. Obviously they are doing something right to have as many users as they do.

    If you don't like it, uninstall it. Get different software and post your complaints in their forums.

    If you don't want to have to choose which client to use then setup a subdomain ex: webmail.yourdomain.com and forward it to yourdomain.com:2095/neomail/neomail.pl or whatever.
     
  15. ddeans, if you read my post you will notice I didn't install it. I actually registered at a site that uses it in order to see what the reseller experience will be...not the install experience.
    Now, as far as having done nothing but complain...please be aware that I just made this one post complaining about one specific feature in this panel. Webmail. Also note I said that I was waiting for these bugs to be fixed and that if someone could tell me when they would be fixed I would try the software again. Now, once again...if you don't think this is a security bug, you obviously don't care much about your customers, as this is what you are offering to them. Granted there is a workaround for the selection of the client; it's a kludge, not a fix. That is the least of my worries; my main point is the lack of security by using htaccess and then pre-filling user/pass.
    Finally, if you come to this forum just to read praises of the software, I apologize for ruining your day. You sound a little agitated in your post. It really wasn't my intention to get you all worked up. A forum is used to praise, complain, chat, etc....this post happened to be a complaint which I hope the developers read and then, based on this, fix the security issue.
    Once again, I repeat. IT'S A SECURITY PROBLEM. Do you warn your users about this issue at the site you host? If you don't, you are not being a very good host to them.
     
  16. nybble

    nybble Well-Known Member
    You will never tell them different :P

    Sometimes it's best to shut up even if it is a security problem, because most of the time you will just get slack about it, and then 3 months later some idiot will come and say "Hey! I found this flaw!" and be given all the credit. I hate it, it sucks :(

    But that's life.
     
  17. Website Rob

    Website Rob Well-Known Member
    potentialbuyer, I'm not sure why no one has agreed with you yet -- but I will. :D

    I too firmly believe it is a 'bug' that should be fixed, and the sooner the better. I also agree that any Control Panel "should provide" various features and that it is the responsibility of the Control Panel creator(s) to either make sure the features are secure and/or provide documentation on the security aspects of said features.

    Although one can turn off providing any of the 3 Web mail applications, it would defeat the purpose -- they are provided as a value-added feature and have come to be expected by Clients. I have no idea why the Web applications work the way they do -- login & security, that is -- but to learn about the security aspect/problem through a Forum is not the way to find out. And who has time to test/verify/figure out every feature of WHM/cPanel? That's what documentation is for, and it's a fact of life that very few Admins can take the time to essentially create a Manual, due to time constraints and needing a somewhat higher level of programming which is not related to running a Server.

    Hopefully, correcting the security 'bug' will get added at some point, on the DarkOrb to-do list, but until then we have two choices: turn them off or make sure Clients are educated to the security aspects. I've taken the second route and had to pass on that usage of any of the 3 Web Mail applications is the responsibility of the Client.
     
  18. cPanelNick

    cPanelNick Administrator
    Staff Member
    You aren't forced to use htaccess logins; you can always log in via /login/ with an HTTP POST.
     
  19. Website Rob

    Website Rob Well-Known Member
    Still a bit of a kludge, Nick.

    Using
    http://domain.com:2095/ or http://domain.com/webmail/

    allows one to click 'cancel' and then use the Web page login, but again, it is something all Clients would have to be educated on. Is this mentioned in any Manual BTW?

    If it could be setup where one could directly access the Web page login and not have to worry about -- using or not using -- htaccess, now that would be a plus.


    Also, a quick check just verified that IE 6 has a problem with the above method -- whereas Mozilla does not.
     
    #19 Website Rob, Mar 12, 2004
    Last edited: Mar 12, 2004
  20. ddeans

    ddeans Well-Known Member
    Instead of making a big complaint about it I just turned it off. Simple as that. Done.

    I come to these forums because people post issues they are having or great how-to's. If you read this whole thread, people are telling you to disable it if you don't like it, or route it to one program. Is that too hard? Yeah, it may be insecure, but if it's a feature you don't like, do as nybble said:

     