SOLVED EasyApache 4 security question

vacancy

Well-Known Member
Sep 20, 2012
Turkey
cPanel Access Level
Root Administrator
Hello there

I have discovered a security problem with EasyApache 4.

EasyApache 4 + mod_event + suphp

With file manager type shell files, you can switch to another user's account without symlinking; the files in the public_html folder are visible, and the files can be downloaded. This is insecure.

EasyApache 3 + mod_prefork + suphp

In this configuration, you cannot switch to other accounts without a symlink, and the files are not displayed. So it is secure.

What is the problem with EasyApache 4?

EDIT: This problem is happening in a new cPanel installation with the default profile installed.
EDIT2: After converting it to EasyApache 3 and then converting it back to EasyApache 4, the problem is solved.

What's going on?

vacancy

The problem was resolved after the ticketing.

The FileProtect module in EasyApache 4 is not activated by default.

EasyApache 3 also comes with the FileProtect module active. When you migrate from EasyApache 3 to EasyApache 4, the profile settings are transferred, so FileProtect is automatically activated. But when you do a clean install, FileProtect is turned off. A command must be run through SSH to turn FileProtect on: `/scripts/enablefileprotect`

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

I'm happy to see you were able to address the issue. Thank you for updating us with the outcome.

Note that in cPanel version 62, "Enable FileProtect with Apache" is now a setting configurable in "WHM >> Tweak Settings" under the "Security" tab, and it's enabled by default:

62 Release Notes - Documentation - cPanel Documentation

Thanks!
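
A read-only check an administrator could run over SSH before and after `/scripts/enablefileprotect`, added here as an example (it is not cPanel's code and was not posted by anyone in the thread): it lists every account's `public_html` directory whose mode grants any permission to "other", the condition under which one account can browse another account's files directly. The function name and the `/home` default are assumptions.

```shell
#!/bin/sh
# Added example: audit public_html directories for permissions granted to "other".
# audit_public_html and the /home default are assumptions, not cPanel tooling.
# Requires GNU stat (stat -c), as found on the Linux systems cPanel runs on.
#
# Usage: audit_public_html [HOME_ROOT]
# Prints "<mode> <owner>:<group> <path>" for each exposed directory.
# Exit status: 0 if nothing is exposed, 1 if at least one directory is.

audit_public_html() (
    # The body runs in a subshell, so these variables do not leak to the caller.
    home_root=${1:-/home}
    exposed=0

    for dir in "$home_root"/*/public_html; do
        # An unmatched glob stays literal; this also skips accounts with no docroot.
        [ -d "$dir" ] || continue
        # A symlink's own mode says nothing about its target; skip it here.
        [ -L "$dir" ] && continue

        mode=$(stat -c '%a' "$dir") || continue
        # The last octal digit holds the "other" class bits (r=4, w=2, x=1).
        other=${mode#"${mode%?}"}

        if [ "$other" -ne 0 ]; then
            printf '%s %s %s\n' "$mode" "$(stat -c '%U:%G' "$dir")" "$dir"
            exposed=1
        fi
    done

    [ "$exposed" -eq 0 ]
)
```

An empty result with exit status 0 means no `public_html` under the given root is reachable through the "other" permission class.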