Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Exploit : Fetch other users' email addresses on older cPanel Builds

Discussion in 'Security' started by acenetryan, Jun 22, 2011.

  1. acenetryan

    acenetryan Well-Known Member
    PartnerNOC

    Joined:
    Aug 21, 2005
    Messages:
    197
    Likes Received:
    1
    Trophy Points:
    168
    This problem appears to stem from incorrect permissions on the .cpanel/ folder in older cPanel builds. In a past version, cPanel adjusted how .cpanel/ is created and what permissions it gets. At some point in the past, this folder was created with 755 permissions. It is now created with 700. cPanel staff was unable to find a changelog entry so I can't give a specific date on when this change occurred.

    If you are running a server which has been live for a few years, you will want to ensure your permissions on .cpanel/ are set to 700 for all accounts on the server. This should do it for you:

    Code:
    chmod 700 /home/*/.cpanel
    
    If older users have 755 permissions on the .cpanel/ folder, it is possible for any user on the server to fetch those users' .cpanel/email_accounts.yaml file and get a list of all valid email addresses.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,517
    Likes Received:
    425
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Please report this to cPanel via the bugs link at top of page. Or click here.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. acenetryan

    acenetryan Well-Known Member
    PartnerNOC

    Joined:
    Aug 21, 2005
    Messages:
    197
    Likes Received:
    1
    Trophy Points:
    168
    I've already created a ticket on this and informed cPanel staff. I've PM'd you the ticket ID. I've filed a bug report as well.
     
    #3 acenetryan, Jun 22, 2011
    Last edited: Jun 22, 2011
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,517
    Likes Received:
    425
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Great, thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. InterServed

    InterServed Well-Known Member

    Joined:
    Jul 10, 2007
    Messages:
    263
    Likes Received:
    4
    Trophy Points:
    68
    cPanel Access Level:
    DataCenter Provider
    Thank you for the report , i have found numerous accounts having the folder permission set to 755.

    made & used the following script to set it to 700:

    Code:
    #!/bin/bash
    ls /var/cpanel/users | while read a; do
    if [ -d "/home/$a/.cpanel" ] ;
    then
      echo ".cpanel directory found on user $a"
      echo "Setting permission for /home/$a/.cpanel to 700"
      /bin/chmod 700 "/home/$a/.cpanel"
    #remove following echo line if u want faster processing
      echo -e "\ndone\n"; sleep 2
    fi
    done
    echo -e "\nAll folders permission has been set. Script finished"
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    As I mentioned in PM to rking, I've moved this thread to the security section of the forum due to the topic.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice