MAJOR cPanel Exploits!!!!11

acer2k

Well-Known Member
Nov 12, 2001
First of all..

I'm just wondering, how does everyone else do theirs? I mean, when you create an account on cPanel, you give it space and bandwidth. Say a user purchased 1 GB disk and 50 GB transfer. You set up their account with that. But they also will be a reseller. So you give them reseller permissions. But they can't do anything until you go in there and give them the options and so on. But then that is where you limit the space/transfer on their reseller account. So you put in 1 GB disk and 50 GB transfer again. This means they have DOUBLE resources. How do you go about that? Also, what features/options do you give them in the reseller section?

Second and more importantly..

I have found some MAJOR issues involving cPanel and reseller accounts. I bought a small reseller account from someone, and they have the newest version of cPanel (6.0, but this works on all versions). I was able to create accounts under my reseller account with 10 GB disk space and 150 GB transfer. I went to create an account, and where it lists my reseller account resources, everything is in the negative!!
 

SprintSlash

Well-Known Member
Jan 18, 2003
I think you can create accounts as big as you want, since the majority of your reseller's clients won't reach the limit they're assigned. It's just that when the actual limits are reached, they won't be able to go over.
 

acer2k

Well-Known Member
Nov 12, 2001
No, you aren't understanding. When you give a reseller the 'upgrade/downgrade' feature, they can change their subaccounts to the largest package configured on your server and it will just make their resources go into the negative. But it still works fine! I've also found ways around the quota limit thing and all that. Give me a 1 MB reseller account on your server and I bet you I can end up with every last KB of space on your server!!
 

SprintSlash

Well-Known Member
Jan 18, 2003
Oh, I see what you mean. I thought they had already fixed that problem; resellers should only be able to see the packages they created (prefixed by their username).
 

hostcp3

Well-Known Member
Jun 18, 2002
Can you still do this even after restricting them to only use their own packages?

Click the global restriction in setup and only allow packages to be used which are owned by this reseller.

Have you set it up this way?
 

acer2k

Well-Known Member
Nov 12, 2001
Yes, it still lets you do that. You can't create an account with someone else's package, but you can modify accounts you've already created and change them to someone else's package. Try going to "Upgrade/Downgrade account" and it'll let you change to any of them. Also, the quota limit thing lets you change the quota and it doesn't even subtract from your reseller resources.
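The two gaps described in this thread (a reseller switching an existing account to another reseller's or root's package via Upgrade/Downgrade, and a per-account quota change that is never charged against the reseller's own allocation) are both visible from the server side if you add up what is actually enforced per account rather than what the reseller's plan says. The script below is an added audit example written for this thread, not code from cPanel or from any poster. It works on a constructed list of accounts; on a real server the same fields (account owner, assigned package, enforced disk quota and bandwidth limit, reseller limits) would be pulled from WHM's account and reseller listings. It assumes cPanel's naming convention that reseller-created packages are prefixed `<reseller>_` and that unprefixed packages belong to root; if root packages on your box contain underscores, adjust `package_owner`.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Account:
    user: str
    owner: str    # reseller (or "root") that owns the account
    plan: str     # package name currently assigned to the account
    disk_mb: int  # disk quota actually enforced on the account
    bw_mb: int    # monthly transfer limit actually enforced on the account

def package_owner(plan: str) -> str:
    """Derive a package's owner from its name.

    cPanel names reseller-created packages "<reseller>_<name>"; anything
    without the prefix is treated as root's. Assumption: root does not
    create package names containing an underscore.
    """
    return plan.split("_", 1)[0] if "_" in plan else "root"

def audit(accounts: List[Account],
          packages: Dict[str, Tuple[int, int]],
          reseller_limits: Dict[str, Tuple[int, int]]):
    """Return (findings, remaining) for a set of accounts.

    findings: list of (kind, subject, detail) tuples.
    remaining: reseller -> (disk_mb_left, bw_mb_left), computed from the
    quotas really enforced on the accounts, so it goes negative exactly
    when a reseller has handed out more than was given to them.
    """
    findings = []
    used = {r: [0, 0] for r in reseller_limits}
    for a in accounts:
        if a.owner == "root":
            continue  # root's own accounts draw from no reseller budget
        pkg_owner = package_owner(a.plan)
        if pkg_owner != a.owner:
            # The Upgrade/Downgrade path from the thread: an account owned
            # by one reseller sitting on a package it should not be able to use.
            findings.append(("FOREIGN_PACKAGE", a.user,
                             f"{a.plan} belongs to {pkg_owner}, account owned by {a.owner}"))
        if a.plan in packages:
            pd, pb = packages[a.plan]
            if (a.disk_mb, a.bw_mb) != (pd, pb):
                # The quota-edit path: enforced limits drifted from the package.
                findings.append(("QUOTA_OVERRIDE", a.user,
                                 f"enforced {a.disk_mb}MB/{a.bw_mb}MB, package says {pd}MB/{pb}MB"))
        else:
            findings.append(("UNKNOWN_PACKAGE", a.user, a.plan))
        if a.owner in used:
            used[a.owner][0] += a.disk_mb
            used[a.owner][1] += a.bw_mb
        else:
            findings.append(("UNLIMITED_RESELLER", a.user,
                             f"owner {a.owner} has no reseller limits configured"))
    remaining = {}
    for r, (limit_disk, limit_bw) in reseller_limits.items():
        left_disk, left_bw = limit_disk - used[r][0], limit_bw - used[r][1]
        remaining[r] = (left_disk, left_bw)
        if left_disk < 0 or left_bw < 0:
            findings.append(("OVERSOLD", r, f"disk left {left_disk}MB, transfer left {left_bw}MB"))
    return findings, remaining

# Constructed sample data (not from any real server).
PACKAGES = {
    "gold": (5120, 102400),          # root's package
    "bob_basic": (500, 20000),       # bob's own package
    "alice_big": (10240, 153600),    # alice's package
}
RESELLER_LIMITS = {"bob": (1024, 51200), "alice": (20480, 204800)}
ACCOUNTS = [
    Account("site1", "bob", "bob_basic", 500, 20000),        # clean
    Account("site2", "bob", "alice_big", 10240, 153600),     # switched to alice's package
    Account("site3", "bob", "bob_basic", 2048, 20000),       # quota raised by hand
    Account("shop", "alice", "alice_big", 10240, 153600),    # clean, within alice's limits
    Account("corp", "root", "gold", 5120, 102400),           # root-owned, skipped
]

def run_sample():
    return audit(ACCOUNTS, PACKAGES, RESELLER_LIMITS)

if __name__ == "__main__":
    findings, remaining = run_sample()
    for kind, subject, detail in findings:
        print(f"{kind:16} {subject:8} {detail}")
    for reseller, (d, b) in remaining.items():
        print(f"{reseller}: {d} MB disk and {b} MB transfer left")
```

Running it flags `site2` for a foreign package, `site3` for a quota that no longer matches its package, and `bob` as oversold on both disk and transfer, while `alice` shows a positive remainder. The point of computing `remaining` from enforced quotas is that it catches both paths at once; summing package values would miss the hand-edited quota entirely.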
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
The items brought up in this thread are not problems with WHM. They are created through the method used by the ServerAdmin to set up Reseller accounts. Some know how to lock things down and some don't. In all cases, though, there should be an understanding and a certain degree of trust not to use what you have not been given.

As for going over limits and seeing/using other Reseller packages, I can guarantee you that it does not happen with my Reseller accounts -- and I doubt I am the only one with this setup.
 

acer2k

Well-Known Member
Nov 12, 2001
OK Rob, let's find out. Give me a free reseller account on your server: 1 MB disk space and 1 MB transfer. :) We'll see if I can get past it. :)
 

acer2k

Well-Known Member
Nov 12, 2001
You get the satisfaction of knowing your server really is secure, and you prove me wrong.
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
The challenge has been met and the info sent. Time to set up the Reseller account (from scratch) was about 5 minutes. Details are a Reseller account with 1 MB of Web Space & Data Transfer plus the typical options I give to Resellers.

We shall see what we shall see. :cool:
 

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
If you change the ownership of the reseller's main account to his username, won't WHM include what his package is using in his total?
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
OK, fixed. Forgot about something and had to edit the httpd.conf file.
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
There is something wrong, but I cannot track it down immediately.

Invalid method in request \x80F\x01\x03

I have no idea what that means, but that is what shows in the error_log.

Let me try another Domain Name.
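The `error_log` line quoted in the post above is the kind Apache writes when the first bytes of a request are not an HTTP method. As an added example (not from the thread or from Apache's own code), the snippet below unescapes the `\xHH` sequences Apache uses for non-printable bytes and decodes what they are. For `\x80F\x01\x03` that is an SSLv2-style record header (high bit set, 15-bit length 70) followed by message type 1, CLIENT-HELLO, and a version-major byte of 3: a client starting an SSL handshake on a port or virtual host that is speaking plain HTTP. That reading is my interpretation of the bytes, not a claim about what was misconfigured on the poster's server. The sample log line is constructed; the decoder goes one step beyond the page's single instance by also recognising a modern TLS handshake record (`\x16\x03\x01`), which produces the same Apache error.

```python
import codecs
import re
from typing import Optional

# Apache error_log lines of this shape carry the raw (escaped) start of the request.
LOG_RE = re.compile(r"Invalid method in request (\S+)")

def unescape_request(escaped: str) -> bytes:
    """Turn Apache's escaped request text (\\xHH for non-printables) back into bytes."""
    return codecs.decode(escaped, "unicode_escape").encode("latin-1")

def classify_request(raw: bytes) -> dict:
    """Identify what protocol the first request bytes belong to."""
    if len(raw) >= 3 and raw[0] & 0x80:
        # SSLv2 record: 2-byte header with the high bit set, 15-bit record length,
        # then the message type (1 = CLIENT-HELLO) and the client's highest version.
        info = {
            "protocol": "SSLv2 record",
            "record_len": ((raw[0] & 0x7F) << 8) | raw[1],
            "msg_type": raw[2],
        }
        if raw[2] == 1:
            info["message"] = "CLIENT-HELLO"
        if len(raw) >= 4:
            info["version_major"] = raw[3]   # 3 means an SSL 3.0 / TLS capable client
        return info
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        # TLS record layer: content type 0x16 = handshake, then the record version.
        return {"protocol": "TLS record", "content_type": "handshake",
                "version": f"{raw[1]}.{raw[2]}"}
    return {"protocol": "unknown", "first_bytes": raw[:4].hex()}

def explain_log_line(line: str) -> Optional[dict]:
    """Decode an Apache 'Invalid method in request' line; None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return classify_request(unescape_request(m.group(1)))

# Constructed sample line in Apache 1.3-era error_log format, using the bytes from the thread.
SAMPLE_LINE = r"[Sun Mar 16 10:12:01 2003] [error] [client 192.0.2.10] Invalid method in request \x80F\x01\x03"

if __name__ == "__main__":
    print(explain_log_line(SAMPLE_LINE))
```

If the decoder reports an SSLv2 or TLS record, the request was encrypted traffic arriving where Apache expected cleartext; the fix lives in the listener and virtual host configuration (which is what the following post reports), not in the application that was being requested.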
 

ozzi4648

Guest
Originally posted by acer2k
OK Rob, let's find out. Give me a free reseller account on your server: 1 MB disk space and 1 MB transfer. :) We'll see if I can get past it. :)
You would be the type of person that I would catch doing something like this once, and you would be history. Kaput!
 

acer2k

Well-Known Member
Nov 12, 2001
Well, I was gone all day. I just now got to test it. I created an account, and now the login information doesn't work again.
 

acer2k

Well-Known Member
Nov 12, 2001
No, I would never do something like this without prior permission from the server's owner. I am only doing this to prove a point: that cPanel isn't worth 1 cent! It's highly, highly insecure. PLESK is more secure than this.