
one but good example of cpanel total lack of security

Discussion in 'Security' started by naox, Jun 25, 2005.

Thread Status:
Not open for further replies.
  1. naox

    well, for example, cpanel created /home/login/.htacces(/*) with 755 permissions. Am I the only one that thinks that's a 'little' not right?

    cpanel or ftp should not create anything with permissions for 'others'. Just to group nobody, which can be *secure server daemon like apache

    should I go on? I can surely point out more than 15 major bugs in cpanel security, however most people seem to disagree about it, hm
     
    #1 naox, Jun 25, 2005
    Last edited: Jun 25, 2005
  2. KingDrew

    I fail to see how other users could write to that file. Don't most directories have those permissions anyway?

    EDIT: Try this. Change the permissions to 700 so other users cannot read it or execute it. Then let's see if it works in Apache. ;)

    one but good example of naox total lack of chmod calculations
     
    #2 KingDrew, Jun 25, 2005
    Last edited: Jun 25, 2005
  3. naox

    heh. I of course a long time ago chmodded /home/login/.htpasswds to 750 with chown nobody. But I'm not complaining about lack of security on my site (I got root so I can make it secure), but lack of security with cpanel created accounts.

    why any ssh or cgi or php without open base dir restrictions should not read files:
    /home/login/.htpasswds/dir/passwd
    or
    /home/login/etc/passwd,v

    actually why not read /home/login/anything_exept_public_html (if ftp user didn't change default chmod)

    tell me... last one is file with all your passwords and email addys. oh :rolleyes:

    and you can't really chmod etc to not public because cpanel exims will not work, making it impossible to send emails. But I know. It's all crap, as I read on bugzilla (http://bugzilla.cpanel.net/show_bug.cgi?id=2723)
    Sorry for bug reporting on bugzilla and posting here.
     
    #3 naox, Jun 25, 2005
    Last edited: Jun 25, 2005
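
An audit for the exposure discussed in the posts above, added here as an example and not code from the thread or from cPanel: it lists files outside `public_html` that an unrelated local account could read, and shows that setting the parent directory to 750 hides everything beneath it. The function names and the `mail/inbox` sample file are assumptions; the check looks only at mode bits and ignores ACLs and group membership.

```python
import os
import stat
import tempfile

def world_readable(home, skip=("public_html",)):
    """Files under `home` that an unrelated local user could read.

    A file counts only if it has the others-read bit AND every directory
    from `home` down to it has the others-search (execute) bit.
    """
    if not os.stat(home).st_mode & stat.S_IXOTH:
        return []  # others cannot even enter the home directory
    exposed = []
    for root, dirs, files in os.walk(home):
        # Prune the web root (meant to be served) and any directory that
        # others cannot enter: its contents are unreachable whatever their mode.
        dirs[:] = [d for d in dirs
                   if not (root == home and d in skip)
                   and os.lstat(os.path.join(root, d)).st_mode & stat.S_IXOTH]
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, home))
    return sorted(exposed)

def build_sample_home(base):
    """Constructed layout using the paths named in the thread, dirs at 755."""
    layout = {".htpasswds/dir/passwd": 0o644, "etc/passwd,v": 0o644,
              "public_html/index.html": 0o644, "mail/inbox": 0o600}
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    for root, dirs, _ in os.walk(base):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o755)
    os.chmod(base, 0o755)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample_home(home)
        print(world_readable(home))  # both credential files are listed
        os.chmod(os.path.join(home, ".htpasswds"), 0o750)
        print(world_readable(home))  # only etc/passwd,v remains
```
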
  4. chirpy

    Welcome to the world of shared web hosting :rolleyes:

    1. I seem to remember we've been through this before. If you find a bug log it in bugzilla if it's not already there.

    2. If you believe that you have found a security problem, log a support ticket with cPanel and send an email to security@cpanel.net

    Now you have the procedure, please follow it for the 15 major security issues that you have discovered.
     