
HUGE SECURITY RISK! Demo Accounts!

Discussion in 'Security' started by ozzi4648, Dec 20, 2002.

  1. ozzi4648

    ozzi4648 Guest

    I mentioned this before in one of the other threads and I'll say it again. BEWARE of any account you create in WHM that you turn into a demo account.

    There is a huge security risk here. I mentioned a while back that an account I created on my server called demo.primenet.cc, used to demo the account to would-be clients, one day mysteriously disappeared from my server. Now I know how it was done. It's simple. Anyone can FTP to my demo.primenet.cc account and not only access the account but also DELETE the entire directory structure. I tested it on my server today.

    I just don't understand something. When creating accounts through WHM, amongst many other options, you can specify how many FTP accounts can be created under that account. Even if you say 0, WHM will create 2 by default!!!! Why is that? That means anyone can FTP to your accounts whether you have specified they get an FTP account or not!

    Don't believe me? Try it!

    Dgbaker, although I am not a malicious user, I was able to FTP to your demo site and I could have deleted everything.

    I would highly recommend that everyone disable their demo accounts if active. It's really a huge security risk!

    One possible way of avoiding this is to chown the entire demo account directory structure to root, but this is not an alternative.
    I would have thought that when one specifies an account as demo this is what happens anyway, to prevent people from changing and modifying files and directories.
     
  2. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    ozzi - thanks for the heads up on my server, and thank you for being a nice guy :).

    I've tested doing chown -R to root and ftp is still allowed BUT they cannot delete anything anymore, nor can they upload. I'm still doing some further tests.

    Thanks again!
     
  3. ozzi4648

    ozzi4648 Guest

    Originally posted by dgbaker:

        ozzi - thanks for the heads up on my server, and thank you for being a nice guy :).

        I've tested doing chown -R to root and ftp is still allowed BUT they cannot delete anything anymore, nor can they upload. I'm still doing some further tests.

        Thanks again!

    You're welcome. This could all be avoided if cPanel didn't create 2 default FTP accounts when you tell it not to. In other words, we cannot control the number of FTP accounts a user has access to use. cPanel should not be creating 2 by default. I realize that they create the accounts for anonymous FTP and whatnot, but if the options are set off the number of FTP accounts should be *ZERO*!
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    That I agree with. Also there seems to be no easy way to disable the FTP accounts either.
     
  5. ozzi4648

    ozzi4648 Guest

    Originally posted by dgbaker:

        That I agree with. Also there seems to be no easy way to disable the ftp accounts either.

    OK, I found a way to completely remove FTP access for your demo account.

    Go to /etc/proftpd/

    Make a backup of the passwd.vhosts file:

    cp passwd.vhosts passwd.vhosts.backup

    Edit the file and remove the line that pertains to your demo account.

    That's it! Nobody can FTP to your demo account!
     
  6. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Unfortunately I'm using Pure-FTP :(
     
  7. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    ozzi, is it safe to presume that File Mgr. is also shut down from FTP'ing?

    And are there any other concerns with running a demo account? I do believe it is a nice feature to have, but not if there are *any* security risks at all.
     
  8. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    Originally posted by ozzi4648:

        Ok i found a way to completely remove ftp access for your demo account.
        Go to /etc/proftpd/
        Make a backup of the passwd.vhosts file
        cp passwd.vhosts passwd.vhosts.backup
        Edit the file and remove the line the pertains to your demo account.
        Thats it! Nobody can ftp to your demo account!

    Won't those files be overwritten by cPanel on the next update? What about adding the user name to /etc/ftpusers? (I don't know if /etc/ftpusers gets overwritten as well...)
     
  9. ozzi4648

    ozzi4648 Guest

    Originally posted by Juanra:

        Originally posted by ozzi4648:

            Ok i found a way to completely remove ftp access for your demo account.
            Go to /etc/proftpd/
            Make a backup of the passwd.vhosts file
            cp passwd.vhosts passwd.vhosts.backup
            Edit the file and remove the line the pertains to your demo account.
            Thats it! Nobody can ftp to your demo account!

        Won't those files be overwritten by Cpanel on the next update? What about adding the user name to /etc/ftpusers? (I don't know if /etc/ftpusers get overwritten as well...)

    Yep, you are absolutely correct! Today it was overwritten and everything was placed back in the passwd.vhosts file. Now what? This is so annoying. Now people can FTP to my demo account again! Added the demo account to ftpusers, let's see if it gets overwritten. I'm hoping not.

    When cPanel was installed on my server the ftpusers file was missing by default, and every time somebody logged in an error message was written to the message log. There were many cPanel updates after that and the file was never created after any updates, which leads me to believe that it may in fact not be replaced, otherwise it would have been created. I had to manually create the file, at which time the error message went away.
     
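As an added example (not code from the thread, and not cPanel's own tooling), here are ozzi4648's passwd.vhosts edit from post 5 and Juanra's /etc/ftpusers suggestion from post 8 written as small POSIX shell functions. The file paths are parameters so the procedure can be rehearsed on constructed copies before anyone touches the live files under /etc; the sample account entries, hashes and hostnames are constructed. It assumes passwd.vhosts uses the classic seven-field passwd layout and that ftpusers lists one denied login per line. Since the thread found that a cPanel update put the passwd.vhosts line back, the last function is a recheck to run after each update. Whether the daemon actually honours ftpusers depends on its configuration (ProFTPD's UseFtpUsers directive); Pure-FTPd reads a different user file, whose path this example does not assume.

```bash
#!/bin/sh
# Added example, not from the thread or from cPanel. Disable one account's FTP
# login by (a) removing its passwd.vhosts entry after taking a backup and
# (b) listing it in ftpusers, then recheck later because cPanel updates were
# observed to rewrite passwd.vhosts. Paths are parameters: rehearse on copies.
# Assumed layout: passwd.vhosts is user:hash:uid:gid:gecos:home:shell,
# ftpusers is one denied login name per line.

# drop_vhost_entry FILE USER - back FILE up to FILE.backup, then rewrite FILE
# without USER's line. Matches the login field exactly, so "demo" does not
# also remove "demo2".
drop_vhost_entry() {
    file=$1; user=$2
    cp "$file" "$file.backup"
    awk -F: -v u="$user" '$1 != u' "$file.backup" > "$file"
}

# deny_in_ftpusers FILE USER - append USER to FILE unless already listed.
# Creates FILE if missing (ozzi4648 found it absent on a fresh install).
deny_in_ftpusers() {
    file=$1; user=$2
    [ -f "$file" ] || : > "$file"
    grep -qx "$user" "$file" || printf '%s\n' "$user" >> "$file"
}

# ftp_login_possible VHOSTS FTPUSERS USER - exit 0 if USER still has a vhosts
# entry and is not denied in FTPUSERS, 1 otherwise. Run after a cPanel update
# to see whether the vhosts edit survived.
ftp_login_possible() {
    vhosts=$1; ftpusers=$2; user=$3
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$vhosts" \
        || return 1
    if [ -f "$ftpusers" ] && grep -qx "$user" "$ftpusers"; then
        return 1
    fi
    return 0
}

# Demo on constructed copies in a scratch directory, never on /etc directly.
demo_dir=$(mktemp -d)
VHOSTS="$demo_dir/passwd.vhosts"
FTPUSERS="$demo_dir/ftpusers"
cat > "$VHOSTS" <<'EOF'
demo:$1$constructed$hash:32001:32001:demo.example.test:/home/demo:/bin/ftpsh
demo2:$1$constructed$hash:32002:32002:demo2.example.test:/home/demo2:/bin/ftpsh
alice:$1$constructed$hash:32003:32003:alice.example.test:/home/alice:/bin/ftpsh
EOF
printf 'root\n' > "$FTPUSERS"

drop_vhost_entry "$VHOSTS" demo
deny_in_ftpusers "$FTPUSERS" demo

# Simulate the update that put the line back (post 9): restore the backup and
# show that the ftpusers entry still blocks the login even though the vhosts
# edit was lost.
cp "$VHOSTS.backup" "$VHOSTS"
if ftp_login_possible "$VHOSTS" "$FTPUSERS" demo; then
    echo "demo: FTP login still possible"
else
    echo "demo: FTP login blocked"
fi
```

On a live box the same functions would be called with /etc/proftpd/passwd.vhosts and /etc/ftpusers; the exact-field match in awk is the point of not using a plain grep, since a substring match on "demo" would also strip a "demo2" account.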
  10. ozzi4648

    ozzi4648 Guest

    I'm happy to report that I addressed this issue with cPanel and Father Christmas listened. As of E114 this issue has now been resolved. I have tested it and it works. Demo accounts now disable FTP. Yippee! 1 bug down, 21 left to go.
     
  11. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    You fought a good battle!
     