HUGE SECURITY RISK! Demo Accounts!

O

ozzi4648

Guest
I mentioned this before in one of the other threads and i'll say it again. BEWARE! Of any account you create in WHM that you turn into a demo account.

There is a huge security risk here. I mentioned awhile back that an account i created on my server called demo.primenet.cc, used to demo the account to would be clients, one day mysteriously dissappeared from my server. Now i know how it was done. Its simple. Anyone can ftp to my demo.primenet.cc account and not only access the account but also DELETE the entire directory structure. I tested it on my server today.

I just dont understand something. When creating accounts thru WHM, amongst many other options, you can specify how many ftp accounts can be created under that account. Even if you say 0, WHM will create 2 by default!!!! Why is that? That means anyone can ftp to your accounts weather you have specified they get a ftp account or not!

Dont beleive me, try it!

Dgbaker, although i am not a malicious user i was able t ftp to your demo site and i could have deleted everthing.

I would highly recommend that everyone disable their demo accounts if active. Its really a huge security risk!

One possible way of avoiding this is to chown the entire demo account directory sturcture to root but this is not an alternative.
I would have thought that when one specifies an account as demo that this is what happens anyway to prevent people for changing and modifying files and directories.
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,576
9
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
ozzi - thanks for the heads up on my server, and thank you for being a nice guy :).

I've tested doing chown -R to root and ftp is still allowed BUT they cannot delete anything anymore, nor can they upload. I'm still doing some further tests.

Thanks again!
 
O

ozzi4648

Guest
[quote:c25cff8695][i:c25cff8695]Originally posted by dgbaker[/i:c25cff8695]

ozzi - thanks for the heads up on my server, and thank you for being a nice guy :).

I've tested doing chown -R to root and ftp is still allowed BUT they cannot delete anything anymore, nor can they upload. I'm still doing some further tests.

Thanks again! [/quote:c25cff8695]

Your welcome. This could all be avoided if cPanel didnt create 2 default ftp account when you tell it not to. In other words we cannot control the number of ftp accounts a user has access to use. Cpanel should not be creating 2 by default. I realize that they create the accounts for anon ftp and what nots but if the options are set off the number of ftp accounts should be *ZERO!
 
O

ozzi4648

Guest
[quote:bc3793ff93][i:bc3793ff93]Originally posted by dgbaker[/i:bc3793ff93]

That I agree with. Also there seems to be no easy way to disable the ftp acocunts either.[/quote:bc3793ff93]

Ok i found a way to completely remove ftp access for your demo account.

Go to /etc/proftpd/

Make a backup of the passwd.vhosts file

cp passwd.vhosts passwd.vhosts.backup

Edit the file and remove the line the pertains to your demo account.

Thats it! Nobody can ftp to your demo account!
 

Website Rob

Well-Known Member
Mar 23, 2002
1,504
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
ozzi, is it safe to presume that File Mgr. is also shutdown from FTP'ing?

And is there any other concerns with running a demo account. I do believe it is a nice feature to have, but not if there are &any& security risks at all.
 

Juanra

Well-Known Member
Sep 22, 2001
777
0
316
Spain
[quote:523efb75b9][i:523efb75b9]Originally posted by ozzi4648[/i:523efb75b9]
Ok i found a way to completely remove ftp access for your demo account.
Go to /etc/proftpd/
Make a backup of the passwd.vhosts file
cp passwd.vhosts passwd.vhosts.backup
Edit the file and remove the line the pertains to your demo account.
Thats it! Nobody can ftp to your demo account![/quote:523efb75b9]

Won't those files be overwritten by Cpanel on the next update? What about adding the user name to /etc/ftpusers? (I don't know if /etc/ftpusers get overwritten as well...)
 
O

ozzi4648

Guest
[quote:cf82f28dde][i:cf82f28dde]Originally posted by Juanra[/i:cf82f28dde]

[quote:cf82f28dde][i:cf82f28dde]Originally posted by ozzi4648[/i:cf82f28dde]
Ok i found a way to completely remove ftp access for your demo account.
Go to /etc/proftpd/
Make a backup of the passwd.vhosts file
cp passwd.vhosts passwd.vhosts.backup
Edit the file and remove the line the pertains to your demo account.
Thats it! Nobody can ftp to your demo account![/quote:cf82f28dde]

Won't those files be overwritten by Cpanel on the next update? What about adding the user name to /etc/ftpusers? (I don't know if /etc/ftpusers get overwritten as well...)[/quote:cf82f28dde]

Yep, you are absolutely correct! Today it was overwritten and everthing was placed back in the passwd.vhosts.file. Now what? This is so annoying. Now people can ftp to my demo accout again! Added the demo account to ftpusers, lets see if it gets overwritten. Im hoping not. When Cpanel was installed on my server the ftpusers file was missing by default and evertime somebody logged in a error msg was written to message log. There were many cpanel updates after that and the file was never created after any updates which leads me to believe that it may in fact not be replaced otherwise it would have been created. I had to manually create the file at which time the error message went away.
 
O

ozzi4648

Guest
I'm happy to report that i addressed this issue with Cpanel and father christmas listened. As of E114 this issue has now been resolved. I have tested it and it work. Demo accounts now disable FTP. Yippie! 1 bug down 21 left to go.