MAJOR cPanel Exploits!!!!11

Discussion in 'General Discussion' started by acer2k, Feb 22, 2003.

  1. acer2k

    acer2k Well-Known Member

    Joined:
    Nov 12, 2001
    Messages:
    107
    Likes Received:
    0
    Trophy Points:
    16
    First of all..

    I'm just wondering, how does everyone else do theirs? I mean, when you create an account on cPanel, you give it space and bandwidth. Say a user purchased 1GB disk and 50GB transfer. You set up their account with that. But they also will be a reseller. So you give them reseller permissions. But they can't do anything until you go in there and give them the options and stuff. But then that is where you limit the space/transfer on their reseller account. So you put in 1GB disk and 50GB transfer again. This means they have DOUBLE resources. How do you go about that? Also, what features/options do you give them in the reseller section?

    Second and more importantly..

    I have found some MAJOR issues involving cPanel and reseller accounts. I bought a small reseller account from someone, and they have the newest version of cPanel (6.0, but this works on all versions). I was able to create accounts under my reseller account with 10gb diskspace and 150gb transfer. I went to create an account, and where it lists my reseller account resources..everything is in the negative!!
     
  2. SprintSlash

    SprintSlash Well-Known Member

    Joined:
    Jan 18, 2003
    Messages:
    163
    Likes Received:
    0
    Trophy Points:
    16
    I think you can create accounts for as big as you want, since the majority of your reseller's clients won't reach the limit they're assigned to. It's just that when the actual limits are reached, they won't be able to go over.
     
  3. acer2k

    acer2k Well-Known Member

    No, you aren't understanding. When you give a reseller the 'upgrade/downgrade' feature, they can change their subaccounts to the largest package configured on your server and it will just make their resources go into the negative. But it still works fine! I've also found ways around the quota limit thing and all that. Gimme a 1mb reseller account on your server and I bet you I can end up with every last kb of space on your server!!
     
  4. SprintSlash

    SprintSlash Well-Known Member

    Oh I see what you mean. I thought they already fixed the problem that resellers should only be able to see the packages they created (prefixed by their username).
     
  5. hostcp3

    hostcp3 Well-Known Member

    Joined:
    Jun 18, 2002
    Messages:
    156
    Likes Received:
    0
    Trophy Points:
    16
    Can you still do this even after restricting them to only use their own packages?

    Click the global restriction in setup and only allow packages to be used which are owned by this reseller.

    Have you set it up this way?
     
  6. acer2k

    acer2k Well-Known Member

    Yes..it still lets you do that. You can't create an account with someone else's package, but you can modify accounts you've already created and change them to someone else's package. Try going to "Upgrade/Downgrade account" and it'll let you change to any one. Also..the Quota limit thing lets you change the quota and it doesn't even subtract from your reseller resources.
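
An audit an administrator could run for the conditions described in the posts above: accounts moved to a package the reseller does not own, quotas changed away from the package value, and reseller totals that have gone negative. This is an added example, not part of the thread and not cPanel code; the data layout, the field names and the sample accounts are constructed, and the `<reseller>_` package prefix is assumed from the naming mentioned in the thread.

```python
from collections import defaultdict

# Constructed sample data; field names are assumptions, not WHM's storage format.
LIMITS = {"resa": {"disk_mb": 1024, "bw_mb": 51200}}  # 1GB disk / 50GB transfer
PACKAGES = {
    "resa_small": {"disk_mb": 100, "bw_mb": 1000},
    "resb_huge": {"disk_mb": 10240, "bw_mb": 153600},  # another reseller's package
}
ACCOUNTS = [
    {"user": "site1", "owner": "resa", "package": "resa_small", "disk_mb": 100, "bw_mb": 1000},
    {"user": "site2", "owner": "resa", "package": "resb_huge", "disk_mb": 10240, "bw_mb": 153600},
    {"user": "site3", "owner": "resa", "package": "resa_small", "disk_mb": 500, "bw_mb": 1000},
]


def audit(accounts, packages, limits):
    """Return (findings, remaining) for every reseller listed in limits."""
    findings = []
    used = defaultdict(lambda: {"disk_mb": 0, "bw_mb": 0})
    for acct in accounts:
        owner = acct["owner"]
        if owner not in limits:
            continue  # not owned by a limited reseller
        for key in ("disk_mb", "bw_mb"):
            used[owner][key] += acct[key]
        # Package owned by someone else: name lacks the "<reseller>_" prefix.
        if not acct["package"].startswith(owner + "_"):
            findings.append((acct["user"], "foreign-package"))
        # Quota edited after creation: allocation no longer matches the package.
        pkg = packages.get(acct["package"])
        if pkg and acct["disk_mb"] != pkg["disk_mb"]:
            findings.append((acct["user"], "quota-differs-from-package"))
    remaining = {}
    for reseller, limit in limits.items():
        remaining[reseller] = {k: limit[k] - used[reseller][k] for k in limit}
        if any(v < 0 for v in remaining[reseller].values()):
            findings.append((reseller, "over-allocated"))
    return findings, remaining


if __name__ == "__main__":
    found, left = audit(ACCOUNTS, PACKAGES, LIMITS)
    for subject, issue in found:
        print(f"{subject}: {issue}")
    print(left)
```
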
     
  7. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    The items brought up in this thread are not problems with WHM. They are created through the method used by the ServerAdmin to set up Reseller accounts. Some know how to lock things down and some don't. In all cases though, there should be an understanding and a certain degree of trust, to not use what you have not been given.

    As for going over limits and seeing/using other Reseller packages, I can guarantee you that it does not happen with my Reseller accounts -- and I doubt I am the only one with this setup.
     
  8. acer2k

    acer2k Well-Known Member

    OK rob..let's find out. Gimme a free reseller account on your server..1mb diskspace and 1mb transfer. :) We'll see if I can get past it :)
     
  9. Website Rob

    Website Rob Well-Known Member

    And what do you offer in return -- if you cannot? :D
     
  10. acer2k

    acer2k Well-Known Member

    You get the satisfaction of knowing your server really is secure and prove me wrong.
     
  11. Website Rob

    Website Rob Well-Known Member

    The challenge has been met and the info sent. Time to set up Reseller account (from scratch) was about 5 minutes. Details are a Reseller account with 1MB of Web Space & Data Transfer plus typical options I give to Resellers.

    We shall see what we shall see. :cool:
     
  12. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    If you change the ownership of the reseller's main account to his username won't WHM include what his package is using in his total?
     
  13. acer2k

    acer2k Well-Known Member

    The login info you gave me wouldn't work.
     
  14. Website Rob

    Website Rob Well-Known Member

    Ok fixed. Forgot about something and had to edit the httpd.conf file.
     
  15. acer2k

    acer2k Well-Known Member

    Still won't work..lol
     
  16. Website Rob

    Website Rob Well-Known Member

    There is something wrong, but cannot track it down immediately.

    Invalid method in request \x80F\x01\x03

    Have no idea what that means, but is what shows in the error_log.

    Let me try another Domain Name.
     
  17. ozzi4648

    ozzi4648 Guest

    You would be the type of person that I would catch doing something like this once, and you would be history. Kaput!
     
  18. Website Rob

    Website Rob Well-Known Member

    I wonder why we haven't heard back yet, from acer2k?
     
  19. acer2k

    acer2k Well-Known Member

    Well, I was gone all day. I just now got to test it..I created an account, and now the login information doesn't work again.
     
  20. acer2k

    acer2k Well-Known Member

    No, I would never do something like this without prior permission from the server's owner. I am only doing this to prove a point, that cPanel isn't worth 1 cent! It's highly highly too unsecure. PLESK is more secure than this.
     