Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED EasyApache 4 security question

Discussion in 'EasyApache' started by vacancy, Dec 24, 2016.

Tags:
  1. vacancy

    vacancy Well-Known Member

    Joined:
    Sep 20, 2012
    Messages:
    221
    Likes Received:
    28
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Hello there

    I have discovered a security problem with EasyApache 4.

    Easyapache 4 + mod_event + suphp

    You can switch to another user's account without symlinking with the file manager type shell files, the files in the public_html folder are visible, the files can be downloaded. This is insecure.

    Easyapache 3 + mod_prefork + suphp

    In this configuration, you can not switch to other accounts without symlink, the files are not displayed. So secure.

    What is the problem with Easyapache 4?

    EDİT: This problem is happening in the new cPanel installation with the default profile installed.
    EDİT2: Convert it to EasyApache 3 and then after convert it back to EasyApache 4, the problem is solved.

    What's going on?
     
    #1 vacancy, Dec 24, 2016
    Last edited: Dec 25, 2016
  2. vacancy

    vacancy Well-Known Member

    Joined:
    Sep 20, 2012
    Messages:
    221
    Likes Received:
    28
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    The problem was resolved after the ticketing.

    The FileProtect module in Easyapache 4 is not activated by default.

    EasyPache 3 also comes with the FileProtect module active. When you migrate from EasyApache 3 to EasyApache 4, the profile settings are transferred so FileProtect is automatically activated. But when you install clean, fileprotect is closed. The command must be run through ssh to open it fileprotect. ( /scripts/enablefileprotect )
     
    #2 vacancy, Dec 26, 2016
    Last edited: Dec 26, 2016
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,442
    Likes Received:
    1,961
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    I'm happy to see you were able to address the issue. Thank you for updating us with the outcome.

    Note that in cPanel version 62, "Enable FileProtect with Apache" is now a setting configurable in "WHM >> Tweak Settings" under the "Security" tab, and it's enabled by default:

    62 Release Notes - Documentation - cPanel Documentation

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, Jan 4, 2017
(You must log in or sign up to post here.)
Loading...
Similar Threads - EasyApache security question
  1. cPanelBenny

    EasyApache 4 2018-12-11 Security Release

    cPanelBenny, Dec 11, 2018 at 2:30 PM, in forum: cPanel Announcements
    Replies:
    0
    Views:
    138
    cPanelBenny
    Dec 11, 2018 at 2:30 PM
  2. Trane Francks

    EasyApache 3 security release for PHP 5.6.31?

    Trane Francks, Jul 11, 2017, in forum: EasyApache
    Replies:
    9
    Views:
    817
    cPanelMichael
    Jul 13, 2017
  3. mariusfv

    Easyapache 4 + Modsecurity + Mod_ruid2 errors

    mariusfv, Feb 8, 2017, in forum: EasyApache
    Replies:
    10
    Views:
    2,102
    cPanelMichael
    Sep 5, 2017
  4. bejbi

    release of PHP 7.3 in easyapache ?

    bejbi, Dec 8, 2018, in forum: EasyApache
    Replies:
    3
    Views:
    404
    LucasRolff
    Dec 13, 2018 at 6:22 AM
  5. Kanyarut R.

    EasyApache 4 Update Error

    Kanyarut R., Dec 7, 2018, in forum: EasyApache
    Replies:
    1
    Views:
    192
    cPanelLauren
    Dec 10, 2018 at 1:13 PM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice