Integration Help - Accessing cPanel over HTTP

Discussion in 'cPanel Developers' started by aarondwyer, Mar 15, 2010.

  1. aarondwyer

    aarondwyer Well-Known Member

    Hi all

    Looking for some advice here to get my Adobe AIR application integrated with cPanel servers that have the XSRF options turned on in Tweak Settings.

    Some background...

    My application takes automated backups from the backup page of cPanel. Home DIR and databases are downloaded on a schedule to the user's local drive.

    It does this via HTTP and goes to the backup page / parses what's on there and downloads the files off the backup page as needed.

    Correct me if I'm wrong, but I don't believe cPanel offers API access to the backup page so I've had to do it this way. I know it's ugly.

    Now this works fine. However if a user has the new XSRF options in Tweak settings enabled, my application fails to get HTTP access ending in a 401 error.

    How can I fix this?

    Found this page...

    cPanel 11.25 changes that will affect integrated software - cPanel Integration

    But I'm still not sure what I should be doing.

    Any advice is warmly welcomed, since I don't know what to look for.

    Thanks
    Aaron
     
  2. cPanelDavidN

    cPanelDavidN Integration Developer
    Staff Member

    Accessing via HTTP with Tweak Setting's Tokens enabled

    Hi Aaron,

    Sounds like a very useful application!

    I'm not very familiar with AIR's implementation of HTTP requests, so I can't provide any specific help there. However, I've done something similar in the past with cURL (a command-line utility for fetching remote data, i.e. webpages and the like).

    Additionally, I'm not 100% on the implementation of the anti-XSRF and how it behaves towards requests made via AIR. But this is what I suggest:

    1) Alter your application so that after authentication is made you can recall any information about the first served page.

    Once you authenticate with this Tweak Setting turned on, all authenticated page access is served with a pseudo relative URL. That is, URL rewriting is taking place and a check is made on the backend. Your application will need to be aware of the URL of the server page. ex:
    you tell AIR to log into
    Code:
    http://mywhmdomain.com:2086/
    you'll be returned something like this:
    Code:
    http://10.1.5.150:2086/cpsess1995009803/?post_login=62080613500004
    AIR needs the cpsessXXXXXXX part. Say you want to navigate to the Tweak Settings page:
    Code:
    http://mywhmdomain.com:2086/cpsess1995009803/scripts2/tweaksettings
    The cpsessXXXXXXXXX is what we're after. This is your 'token'; you must prepend that to any page request for the rest of this authenticated session.

    This works the same for cPanel and WHM interfaces.

    2) You may need to also keep track of the referring page too. When an HTTP request is made, usually the request header has the previous page's URL (if you're clicking through or submitting information, not direct URL query). Some security mechanisms will check this. I'm not sure about cPanel's anti-XSRF. If so, then your AIR's HTTP request header will need to contain this information too.

    Hope this helps point you in the right direction. :)
    -Dave
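
Added example (not part of the post above and not cPanel code): a Python sketch of the token handling described in steps 1 and 2, run offline against the URLs quoted in the post. The function names, and the assumption that a token is `cpsess` followed by digits, are illustrative and taken only from those sample URLs.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed token shape, based on the sample URLs in the post: "cpsess" + digits.
TOKEN_RE = re.compile(r"^cpsess\d+$")


def extract_token(post_login_url):
    """Return the cpsess token from the URL the server redirects to after login."""
    segments = [s for s in urlsplit(post_login_url).path.split("/") if s]
    if not segments or not TOKEN_RE.match(segments[0]):
        # Either the login failed or the token Tweak Setting is off.
        raise ValueError("no cpsess token in the first path segment")
    return segments[0]


def tokenized_url(base_url, token, page_path):
    """Build scheme://host:port/<token>/<page_path>, replacing any stale token."""
    if not TOKEN_RE.match(token):
        raise ValueError("malformed token")
    base = urlsplit(base_url)
    segments = [s for s in page_path.split("/") if s]
    if segments and TOKEN_RE.match(segments[0]):
        segments = segments[1:]  # drop a token left over from an earlier session
    path = "/" + "/".join([token] + segments)
    return urlunsplit((base.scheme, base.netloc, path, "", ""))


def request_headers(previous_url):
    """Referer header from step 2; the post does not confirm cPanel checks it."""
    return {"Referer": previous_url}


# Sample values copied from the URLs shown in the post.
REDIRECT = "http://10.1.5.150:2086/cpsess1995009803/?post_login=62080613500004"
BASE = "http://mywhmdomain.com:2086/"

if __name__ == "__main__":
    token = extract_token(REDIRECT)
    url = tokenized_url(BASE, token, "scripts2/tweaksettings")
    print(token)
    print(url)
    print(request_headers(REDIRECT))
```

The token belongs to one authenticated session, so a client should extract it again after every login instead of storing it between runs.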
     
  3. sawbuck

    sawbuck Well-Known Member

    It certainly is.

    Thank you Dave for responding to this request.
     
  4. aarondwyer

    aarondwyer Well-Known Member

    Thanks for your advice.

    Yes that helps and makes sense, I'll investigate that.

    This will fix some of my users' issues with servers that have XSRF settings enabled.

    If you are interested it's called Backup Smart http://backup-smart.com (there is a trial version).

    Aaron
     
    #4 aarondwyer, Mar 15, 2010
    Last edited: Mar 15, 2010
  5. aarondwyer

    aarondwyer Well-Known Member

    Hi guys

    My AIR application handles cpsessions / referrer and is treated just like another browser type.

    I've checked over everything and this now appears to be the one tweak setting that I need to address.

    Skip HTTP Authentication

    "Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.) This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials."

    I have cookies set to enabled within AIR so perhaps I just need to fill out the web form that displays on the cPanel login page, which shows if you cancel the login popup when HTTP authentication is enabled.

    Then cPanel will drop the cookie(s) required and the app will be all ok.

    Aaron
     