Website Rob

Well-Known Member
Alberta, Canada
cPanel Access Level
Root Administrator
The login had been changed after you had logged in. Not hearing back from you, I didn't want to leave access open. It has been changed back again. Please do what you need to do, now, so we can wrap this up.
 

acer2k

Well-Known Member
Domain Ip UserName Contact Email Setup Date Partition Quota Space Used Package Cpanel Theme Reseller
etanow.com 64.62.157.217 etanowc none Fri Jan 17 17:52:58 2003 home 1 Meg 0 Meg webhosti_main1 bluelagoon etanowc
test.com 64.62.157.217 testcom none Sat Feb 22 15:00:15 2003 home 394 Meg 0 Meg etanowc_testa default etanowc


How about unlimited... 'cause 394 just isn't enough!!

Domain Ip UserName Contact Email Setup Date Partition Quota Space Used Package Cpanel Theme Reseller
etanow.com 64.62.157.217 etanowc none Fri Jan 17 17:52:58 2003 home 1 Meg 0 Meg webhosti_main1 bluelagoon etanowc
test.com 64.62.157.217 testcom none Sat Feb 22 15:00:15 2003 home unlimited Meg 0 Meg etanowc_testa default etanowc

If you think I'm just editing the text, go in there and view my account 'test.com'.
 

acer2k

Well-Known Member
Also, I could easily create a script that would eat that HDD space in under a minute! :P
 

Website Rob

Well-Known Member
Alberta, Canada
cPanel Access Level
Root Administrator
Ok, you've shown you are aware of the 'bug' within WHM, to do this for one account. As you know, you could not create another unlimited account, and it remains to be seen as to what limits kick in when the account is actually.

Creating an account over allotment and being able to use that account are two different things, and something I shall do testing on.
 

acer2k

Well-Known Member
The way I did it, I made the quota UNLIMITED. So I could create a perl script to just write forever until the HDD runs out of space. There is no quota whatsoever. Also, I can still create new accounts, because when I change the quota it doesn't change the cPanel database to make your reseller space run out.
 

cPanelNick

Administrator
Staff member
cPanel Access Level
DataCenter Provider
This is actually the intended behavior. The idea was to allow a reseller to upgrade an account without having to contact the host. This can be a really good thing when you can't contact the host and you have a user out of disk space (the host is still informed via email about the upgrade/downgrade). The reseller is still going to hit a brick wall when they go to create a new account, so it really hasn't been an issue. However, with the amount of fraud and bad people increasing every day, it might be best to enforce limits for upgrading/downgrading. If the majority feels that there should be an option to do so, then it should be quite simple to add.
 

acer2k

Well-Known Member
I sure wish you would enforce the limits. Enforce them on the upgrade/downgrade screen, the Create a new package/edit package screen, on the Quota Limit page, and on the Bandwidth Limit page.


Also, it's good that it contacts the host when a user does an upgrade, but what if they just want to take out the webhost, and make an unlimited account (using the Quota Limit thing) and create a perl script that just eats the HDD up?

I'd like this stuff implemented as soon as possible. Or if you could at least make me a little patch or something to fix this stuff. 'Cause it's really really really REALLY bad :P hehe
 
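The check the posts above are asking for, as an added example that is not cPanel's code and not from anyone in the thread: the reseller's committed disk and bandwidth across all of its accounts are re-summed on both the create path and the upgrade/downgrade path, so a package change cannot hand out more than the reseller was allotted. The Account/Reseller classes, the function names, the 400 MB allotment and the 5000 MB bandwidth figure are constructed for the example; the account names and sizes follow the listing posted earlier in the thread, and the form conventions (the word "unlimited", and a bandwidth of 0 meaning no limit) are the ones the thread describes.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Constructed model of the reseller-limit check discussed in the thread.
# This is NOT cPanel/WHM code: Account, Reseller, the allotment figures and
# the function names are assumptions made for this example. Limits are in
# MB; None means "unlimited", following the forms' conventions that the word
# "unlimited" and a bandwidth of 0 both lift the limit.

MB = int


class LimitError(Exception):
    """The change would take the reseller past its allotment."""


def parse_limit(value) -> Optional[MB]:
    """Convert a form value ('394 Meg', 'unlimited', 0, 500) to MB or None."""
    if isinstance(value, str):
        text = value.strip().lower()
        if text == "unlimited":
            return None
        value = int(text.split()[0])        # "394 Meg" -> 394
    if value < 0:
        raise ValueError("limits must be non-negative")
    return None if value == 0 else value    # 0 is "NO LIMIT" in the forms


@dataclass
class Account:
    user: str
    quota: Optional[MB]         # disk quota, None = unlimited
    bandwidth: Optional[MB]     # monthly transfer, None = unlimited


@dataclass
class Reseller:
    name: str
    disk_allotment: Optional[MB]
    bandwidth_allotment: Optional[MB]
    may_assign_unlimited: bool = False
    accounts: Dict[str, Account] = field(default_factory=dict)


def _total(values: Iterable[Optional[MB]]) -> Optional[MB]:
    """Sum limits; one unlimited member makes the whole total unlimited."""
    total = 0
    for v in values:
        if v is None:
            return None
        total += v
    return total


def _check(reseller: Reseller, user: str,
           quota: Optional[MB], bandwidth: Optional[MB]) -> None:
    """Reject a create or package change unless the committed totals of all
    the reseller's accounts, with `user` at its new values, fit the allotment."""
    checks = (("quota", quota, reseller.disk_allotment),
              ("bandwidth", bandwidth, reseller.bandwidth_allotment))
    for attr, new, allotment in checks:
        if new is None and not reseller.may_assign_unlimited:
            raise LimitError(f"{reseller.name} may not assign unlimited {attr}")
        if allotment is None:
            continue                        # the reseller itself is unlimited
        others = [getattr(a, attr) for u, a in reseller.accounts.items() if u != user]
        committed = _total(others + [new])
        if committed is None or committed > allotment:
            shown = "unlimited" if committed is None else f"{committed} MB"
            raise LimitError(f"{attr}: committed {shown} exceeds allotment {allotment} MB")


def would_exceed(reseller: Reseller, user: str, quota, bandwidth) -> bool:
    """True if setting `user` to these form values would be rejected."""
    try:
        _check(reseller, user, parse_limit(quota), parse_limit(bandwidth))
    except LimitError:
        return True
    return False


def create_account(reseller: Reseller, user: str, quota, bandwidth) -> Account:
    if user in reseller.accounts:
        raise ValueError(f"{user} already exists")
    q, b = parse_limit(quota), parse_limit(bandwidth)
    _check(reseller, user, q, b)
    reseller.accounts[user] = Account(user, q, b)
    return reseller.accounts[user]


def change_package(reseller: Reseller, user: str, quota, bandwidth) -> Account:
    """Upgrade/downgrade path. The WHM build in the thread skipped the check
    here; running the same check as create_account closes the gap."""
    acct = reseller.accounts[user]
    q, b = parse_limit(quota), parse_limit(bandwidth)
    _check(reseller, user, q, b)
    acct.quota, acct.bandwidth = q, b
    return acct


def demo() -> str:
    """Replay the thread's listing: a 400 MB allotment (constructed) holding a
    1 Meg account and a 394 Meg account, then an upgrade to unlimited."""
    etanowc = Reseller("etanowc", disk_allotment=400, bandwidth_allotment=5000)
    create_account(etanowc, "etanowc", "1 Meg", 500)
    create_account(etanowc, "testcom", "394 Meg", 500)
    try:
        change_package(etanowc, "testcom", "unlimited", 500)
        return "upgrade accepted"
    except LimitError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. The sum is taken over every account the reseller owns, excluding only the one being changed, so the reseller's own control account counts against the allotment too; and "unlimited" is handled as a value, not as a large number, so that a single unlimited account can never fit inside a finite allotment and a 0 typed into the bandwidth field is treated as the "no limit" it actually means rather than as a free downgrade.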

cPanelNick

Administrator
Staff member
cPanel Access Level
DataCenter Provider
Here is a new whostmgr binary.
http://layer1.cpanel.net/whostmgr.acer2k

install as
/usr/local/cpanel/whostmgr/bin/whostmgr

chmod 700

It contains the limiting for upgrade/downgrading an account. It has not been tested, so I don't know if it works properly. Make sure to make a backup of your whostmgr binary before you try this on. Worst case, it doesn't work.. you put the old one back and I'll test+fix it tomorrow when I have more time.
 

acer2k

Well-Known Member
Thanks! Also, tomorrow if you can, add that limiting to the other things I suggested (the Create a new package/edit package screen, the Quota Limit page, and the Bandwidth Limit page). I guess most importantly the bandwidth and quota limit pages. Now that you can't create or edit an account to more space/bandwidth than you have, it really doesn't matter how big you create a package to. Unless when you edit a package, it changes the accounts?
 

acer2k

Well-Known Member
Not working too smoothly. When I try to change the package (upgrade/downgrade), it always says "Sorry, you cannot create an account with an unlimited bandwidth limit."
 

oSM

Well-Known Member
However with the amount of fraud and bad people increasing everyday, it might be best to enforce limits for upgrading/downgrading. If the majority feels that there should be an option to do so, then it should be quite simple to add.
Please, I beg you to add limits for upgrading/downgrading. I've had users who crashed our server using this command, because they switch to our LARGE plans and use all the space up. :(
 

cPanelNick

Administrator
Staff member
cPanel Access Level
DataCenter Provider
Originally posted by acer2k
Not working too smooth. When I try to change the package (upgrade/downgrade)..It always says Sorry, you cannot create an account with an unlimited bandwidth limit.
If you get a chance, catch me on AIM (bdraco), and I'll smooth this out for you.
 

rpmws

Well-Known Member
back woods of NC, USA
Originally posted by baileysemt
I agree on the hard limits... please implement them.

I look at it this way, as someone who was a reseller long before she became a server admin... if I am stupid enough to sign up with a company that has lousy support (doesn't respond to/assist with these kinds of errors) then I deserve to be sitting there with errors and in a pickle. Sorry, but it's a buyer's market. There are a zillion hosts to pick from and in the end, it's customer service that makes a huge difference.

An attentive host will maintain their machines and serve their customers well. Putting in a work-around so resellers can get around shoddy admins is, well, backwards logic.

Please lock this puppy down. :)

BTW Nick, nice work on CP6. The new features are nice, and your attentiveness to bugfixes has been terrific. :)

:D Bailey
I agree 100% with this. And Nick is doing an extra great job here lately.
 

TheVoice

Well-Known Member
It's really nice to see Nick interacting with everyone more and more. It seems he disappeared to put together cPanel 6. Nice to have him back talking with the masses.
 

ozzi4648

Guest
Originally posted by acer2k
First of all..

I'm just wondering, how does everyone else do theirs? I mean, when you create an account on cPanel, you give it space and bandwidth. Say a user purchased 1GB disk and 50GB transfer. You setup their account with that. But they also will be a reseller. So you give them reseller permissions. But they can't do anything until you go in there and give them the options and stuff. But then that is where you limit the space/transfer on their reseller account. So you put in 1GB disk and 50GB transfer again. This means they have DOUBLE resources. How do you go about that? Also, what features/options do you give them in the reseller section?
I agree with you on this; it's very tedious and lots of people have complained about it, but I have hacked and solved the problem on your first issue, and it works like this.

For resellers:
It doesn't matter what I assign to the first account, since his account will have nothing by the time I am finished setting up his reseller account, and he will have absolutely no access to his first account, the one that controls his reseller account, by the time I am finished.

1) I set up his account with the domain name reseller-domain.com with all his details. I give it unlimited everything, otherwise I cannot create the reseller account under it. I don't want to use his real domain name here because he needs it when he sets up his domain from his reseller account, right?

2) I create his reseller account and assign resources with his access flags.

3) I log in on port 2086 so the cpanel3-skel directory gets created, and then I ssh in as root and create an index.html so it gets deployed every time he creates a new account, then chown it to his username.

4) Now I want to restrict him from ever being able to log into his first account. To keep him out of FTP I add his username to /etc/ftpusers. Done!

5) Now that his reseller account is created, I DOWNGRADE his first account, the one I gave unlimited everything to, to have nothing. He gets zero everything except 1 Meg of bandwidth, in case he needs to log in to change his password, because that's all he's going to be able to do once I assign his account to the changepw theme. Give him 1 on the bandwidth; if you set it to 0, cPanel says it is NO LIMIT! Done!

6) Ah, but now comes the fun part. I hacked a version of the control panel theme called changepw. Logically, the way cPanel is set up, one could possibly log back into the first account and use it, but I stop all that! If the user were ever to log into his first account on port 2082, all he could do is change his password, because my hacked theme only gives him the changepw page to use and the logout button. He can change his password as many times as he wants; I really don't care about that, but he no longer has access to his main account to use any resources, which have all been set to *ZERO anyway. I assign the changepw theme, which only allows him to change the passwords.

7) Resellers are told: in order to change your password, please log into your account on port 2082. They do it and have the ability to change their passwords, which affects all mail and reseller logins. Solved!

The only problem is that the reseller has two accounts, but that's the way cPanel is designed for now and I'm not about to rewrite their code.

In step 5 above, when I downgrade the account I change his theme to CHANGEPW, which I hacked myself and which only allows changes to passwords and nothing else, just like the mailonly thing!

Also, since I am the one who controls what theme his first account gets, he could never change it unless he has my root password, because I assign the changepw theme based on the theme I have created the hack for.

Finally, to clean things up I remove the reseller-domain.com domlogs if there are any and remove the reseller-domain.com zone records, since they will never be used and all they do is take up space.
 

SoftmegUK

Well-Known Member
UK
Re: Re: MAJOR cPanel Exploits!!!!11

Originally posted by ozzi4648
I agree with you on this; it's very tedious and lots of people have complained about it, but I have hacked and solved the problem on your first issue, and it works like this.

Seems like a LOT of work to me!
 

torwill

Well-Known Member
Has this been fixed? I wasn't able to do the same.

For the first question, why not change the reseller's main account to be under the ownership of the reseller (and tell them not to delete it), and limit the reseller so it cannot have unlimited resources or use any global plan?
 

rnh

Well-Known Member
Originally posted by Website Rob
In all cases though, there should be an understanding and a certain degree of trust, to not use what you have not been given.
Please... this is a control panel for virtual hosting that we have paid a lot of money for. It should have a certain degree of security. It should not put us in a position where we are at the mercy of our users, "trusting" them not to take advantage of the exploits in this program, and not to get so annoyed with all of its bugs that they leave and never come back.