
MAJOR cPanel Exploits!!!!11

Discussion in 'General Discussion' started by acer2k, Feb 22, 2003.

  1. Website Rob (Well-Known Member, joined Mar 23, 2002; Alberta, Canada; cPanel Access Level: Root Administrator)
    The login had been changed after you had logged in. Not hearing back from you, I didn't want to leave access open. It has been changed back again. Please do what you need to do now, so we can wrap this up.
     
  2. acer2k (Well-Known Member, joined Nov 12, 2001)
    Domain Ip UserName Contact Email Setup Date Partition Quota Space Used Package Cpanel Theme Reseller
    etanow.com 64.62.157.217 etanowc none Fri Jan 17 17:52:58 2003 home 1 Meg 0 Meg webhosti_main1 bluelagoon etanowc
    test.com 64.62.157.217 testcom none Sat Feb 22 15:00:15 2003 home 394 Meg 0 Meg etanowc_testa default etanowc


    How about unlimited... because 394 just isn't enough!!

    Domain Ip UserName Contact Email Setup Date Partition Quota Space Used Package Cpanel Theme Reseller
    etanow.com 64.62.157.217 etanowc none Fri Jan 17 17:52:58 2003 home 1 Meg 0 Meg webhosti_main1 bluelagoon etanowc
    test.com 64.62.157.217 testcom none Sat Feb 22 15:00:15 2003 home unlimited Meg 0 Meg etanowc_testa default etanowc

    If you think I'm just editing the text, go in there and view my account 'test.com'.
     
  3. acer2k (Well-Known Member, joined Nov 12, 2001)
    Also, I could easily create a script that would eat that HDD space in under a minute! :P
     
  4. Website Rob (Well-Known Member, joined Mar 23, 2002; Alberta, Canada; cPanel Access Level: Root Administrator)
    Ok, you've shown you are aware of the 'bug' within WHM, to do this for one account. As you know, you could not create another unlimited account, and it remains to be seen as to what limits kick in when the account is actually.

    Creating an account over allotment and being able to use that account - are two different things and something I shall do testing on.
     
  5. acer2k (Well-Known Member, joined Nov 12, 2001)
    The way I did it, I made the quota unlimited. So I could create a Perl script to just write forever until the HDD runs out of space. There is no quota whatsoever. Also, I can still create new accounts, because when I change the quota it doesn't change the cPanel database to make your reseller space run out.
     
  6. cPanelNick (Administrator, Staff Member, joined Mar 9, 2015; cPanel Access Level: DataCenter Provider)
    This is actually the intended behavior. The idea was to allow a reseller to upgrade an account without having to contact the host. This can be a really good thing when you can't contact the host and you have a user out of disk space (the host is still informed via email about the upgrade/downgrade). The reseller is still going to hit a brick wall when they go to create a new account, so it really hasn't been an issue. However, with the amount of fraud and bad people increasing every day, it might be best to enforce limits for upgrading/downgrading. If the majority feels that there should be an option to do so, then it should be quite simple to add.
     
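An added audit script, not from this thread and not cPanel's own code: it parses the WHM "List Accounts" rows quoted in post 2 (the two rows are copied from there; the reseller allotment of 400 Meg is an assumption) and flags accounts whose quota is unlimited (or 0, which WHM also treats as no limit) and resellers whose allocated quota exceeds their allotment. That is the state the upgrade/downgrade path leaves behind when the reseller's limit is not enforced, and it is what the host is not going to notice from the email alone.

```python
import re
from collections import defaultdict

# Constructed samples: the two "List Accounts" rows quoted in this thread,
# before and after the reseller changed test.com's quota to unlimited.
BEFORE_LISTING = """\
Domain Ip UserName Contact Email Setup Date Partition Quota Space Used Package Cpanel Theme Reseller
etanow.com 64.62.157.217 etanowc none Fri Jan 17 17:52:58 2003 home 1 Meg 0 Meg webhosti_main1 bluelagoon etanowc
test.com 64.62.157.217 testcom none Sat Feb 22 15:00:15 2003 home 394 Meg 0 Meg etanowc_testa default etanowc
"""
AFTER_LISTING = BEFORE_LISTING.replace("home 394 Meg", "home unlimited Meg")

# Assumption: per-reseller disk allotment in Meg. Not from the thread; a real
# audit would read it from the reseller's limits in WHM.
RESELLER_DISK_LIMIT_MEG = {"etanowc": 400}

# One listing row. The setup date contains spaces, so a plain split() on
# whitespace does not work; anchor on its fixed "Www Mmm d HH:MM:SS YYYY" shape.
ROW_RE = re.compile(
    r"^(?P<domain>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<contact>\S+)\s+"
    r"(?P<setup>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<partition>\S+)\s+(?P<quota>\S+) Meg\s+(?P<used>\S+) Meg\s+"
    r"(?P<package>\S+)\s+(?P<theme>\S+)\s+(?P<reseller>\S+)$"
)


def parse_listing(text):
    """Parse listing rows into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Domain "):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unparsed listing row: %r" % line)
        rows.append(m.groupdict())
    return rows


def quota_meg(value):
    """Quota in Meg as an int, or None when there is no limit.
    Both 'unlimited' and 0 mean no limit, as the thread points out for 0."""
    v = value.strip().lower()
    if v == "unlimited" or v == "0":
        return None
    return int(v)


def audit(rows, reseller_limits):
    """Return (reseller, user_or_None, reason) tuples for every violation."""
    findings = []
    allocated = defaultdict(int)
    for r in rows:
        q = quota_meg(r["quota"])
        if q is None:
            # An unlimited account defeats the reseller's allotment outright.
            findings.append((r["reseller"], r["user"], "unlimited quota"))
        else:
            allocated[r["reseller"]] += q
    for reseller in sorted(allocated):
        limit = reseller_limits.get(reseller)
        if limit is not None and allocated[reseller] > limit:
            findings.append((reseller, None,
                             "allocated %d Meg > allotment %d Meg"
                             % (allocated[reseller], limit)))
    return findings


if __name__ == "__main__":
    for label, listing in (("before", BEFORE_LISTING), ("after", AFTER_LISTING)):
        for finding in audit(parse_listing(listing), RESELLER_DISK_LIMIT_MEG):
            print(label, finding)
```

Run against a real listing, the "before" state produces no findings (1 + 394 Meg is within the 400 Meg assumed allotment) and the "after" state reports test.com as unlimited; summing per reseller also catches the case where several accounts are each within limits but together exceed the allotment.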
  7. acer2k (Well-Known Member, joined Nov 12, 2001)
    I sure wish you would enforce the limits: enforce them on the upgrade/downgrade screen, the Create a New Package/Edit Package screen, the Quota Limit page, and the Bandwidth Limit page.


    Also, it's good that it contacts the host when a user does an upgrade, but what if they just want to take out the web host, and make an unlimited account (using the Quota Limit thing) and create a Perl script that just eats the HDD up?

    I'd like this stuff implemented as soon as possible. Or if you could at least make me a little patch or something to fix this stuff. Cause it's really really really REALLY bad :P hehe
     
    #27 acer2k, Feb 22, 2003
    Last edited: Feb 22, 2003
  8. cPanelNick (Administrator, Staff Member, joined Mar 9, 2015; cPanel Access Level: DataCenter Provider)
    Here is a new whostmgr binary.
    http://layer1.cpanel.net/whostmgr.acer2k

    install as
    /usr/local/cpanel/whostmgr/bin/whostmgr

    chmod 700

    It contains the limiting for upgrading/downgrading an account. It has not been tested, so I don't know if it works properly. Make sure to make a backup of your whostmgr binary before you try this out. Worst case, it doesn't work, you put the old one back, and I'll test and fix it tomorrow when I have more time.
     
  9. acer2k (Well-Known Member, joined Nov 12, 2001)
    Thanks! Also tomorrow, if you can, add that limiting to the other things I suggested (the Create a New Package/Edit Package screen, the Quota Limit page, and the Bandwidth Limit page). I guess most importantly the bandwidth and quota limit pages. Now that you can't create or edit an account to more space/bandwidth than you have, it really doesn't matter how big you create a package to. Unless when you edit a package, it changes the accounts?
     
    #29 acer2k, Feb 22, 2003
    Last edited: Feb 22, 2003
  10. acer2k (Well-Known Member, joined Nov 12, 2001)
    Not working too smoothly. When I try to change the package (upgrade/downgrade), it always says "Sorry, you cannot create an account with an unlimited bandwidth limit."
     
  11. oSM (Well-Known Member, joined Aug 18, 2001)
    Please, I beg you to add limits for upgrading/downgrading. I've had users who crashed our server using this command because they switch to our LARGE plans and use all the space up. :(
     
  12. cPanelNick (Administrator, Staff Member, joined Mar 9, 2015; cPanel Access Level: DataCenter Provider)
    If you get a chance, catch me on aim (bdraco), and I'll smooth this out for you.
     
  13. rpmws (Well-Known Member, joined Aug 14, 2001; back woods of NC, USA)
    I agree 100% with this. And Nick is doing an extra great job here lately.
     
  14. TheVoice (Well-Known Member, joined Feb 7, 2002)
    It's really nice to see Nick interacting with everyone more and more. It seems he disappeared to put together cPanel 6. Nice to have him back talking with the masses.
     
  15. ozzi4648 (Guest)

    I agree with you on this, that it's very tedious and lots of people have complained about it, but I have hacked and solved the problem on your first issue and it works like this.

    For resellers:
    It doesn't matter what I assign to the first account, since his account will have nothing by the time I am finished setting up his reseller account, and he will have absolutely no access to his first account, the one that controls his reseller account, by the time I am finished.

    1) I set up his account with the domain name reseller-domain.com with all his details. I give it unlimited everything, otherwise I cannot create the reseller account under it. I don't want to use his real domain name here because he needs it when he sets up his domain from his reseller account, right?

    2) I create his reseller account and assign resources with his access flags.

    3) I log in on port 2086 so the cpanel3-skel directory gets created, and then I ssh in as root and create an index.html so it gets deployed every time he creates a new account, then chown it to his username.

    4) Now I want to restrict him from ever being able to log into his first account. To keep him out of FTP I add his username to /etc/ftpusers. Done!

    5) Now that his reseller account is created I DOWNGRADE his first account, the one I gave unlimited everything to, to have nothing. He gets zero everything except 1 Meg of bandwidth, in case he needs to log in to change his password, because that's all he's going to be able to do once I assign his account to the changepw theme. Give him 1 on the bandwidth; if you set it to 0, cPanel says it is NO LIMIT! Done!

    6) Ah, but now comes the fun part. I hacked a version of the control panel called changepw. Logically, the way cPanel is set up, one could possibly log back into the first account and use it, but I stop all that! If the user was ever to log into his first account on port 2082, all he could do is change his password, because my hacked theme only gives him the changepw page to use and the logout button. He can change his password as many times as he wants, I really don't care about that, but he no longer has access to his main account to use any resources, which have all been set to ZERO anyway. I assign the changepw theme, which only allows him to change the passwords.

    7) Resellers are told: in order to change your password, please log into your account on port 2082. They do it and have the ability to change their passwords, which affects all mail and reseller logins. Solved!

    The only problem is that the reseller has two accounts, but that's the way cPanel is designed for now and I'm not about to rewrite their code.

    In step 5 above, when I downgrade the account I change his theme to CHANGEPW, which I hacked myself and which only allows changes to passwords and nothing else, just like the mailonly thing!

    Also, since I am the one who controls what theme his first account gets, he could never change it unless he has my root password, because I assign the changepw theme based on the theme I have created the hack for.

    Finally, to clean things up I remove the reseller-domain.com domlogs if there are any and remove the reseller-domain.com zone records, since they will never be used and all they do is take up space.
     
    #35 ozzi4648, Feb 25, 2003
    Last edited by a moderator: Feb 25, 2003
  16. kemic (Member, joined Feb 18, 2003)
    wow

    _looks_ like overkill for a single account.

    I think I'll try it out. ;)
     
  17. SoftmegUK (Well-Known Member, joined Feb 13, 2002; UK)
    Seems like a LOT of work to me!
     
  18. torwill (Well-Known Member, joined Jun 25, 2002)
    Has this been fixed? I wasn't able to do the same.

    For the first question, why not change the reseller's main account to be under the ownership of the reseller (and tell them not to delete it)? And limit the reseller so as not to have unlimited resources or use any global plan?
     
  19. rnh (Well-Known Member, joined Apr 15, 2003)
    Please... this is a control panel for virtual hosting that we have paid a lot of money for. It should have a certain degree of security. It should not put us in a position where we are at the mercy of our users, "trusting" them not to take advantage of the exploits in this program, and not to get so annoyed with all of its bugs that they leave and never come back.
     
  20. Hoster2k (Well-Known Member, joined Jun 17, 2002; UK)
    Dragging up an old thread? This was resolved a while ago now I believe.
     