The Community Forums


Possible Security Flaw [MERGED]

Discussion in 'Security' started by derekivey, May 29, 2005.

  1. derekivey

    Possible Security Flaw

    Hi,

    Today in cPanel I found out that the link it gives you to click to download today's backup can easily get someone else's files. All you do is change the domain in the link and you have access to backups of anyone on that server. Is there a setting to fix it? Or is that something that the cPanel staff aren't aware of?

    Thanks,
    Derek
     
  2. HostMerit

    That's QUITE bad actually - cPanel, any word on this? They will probably ask you to add to Bugzilla, regardless that it's their error :p
     
  3. chirpy

    Well, that's what bugzilla is for, to list bugs. You should email security@cpanel.net immediately if you believe you've found a security bug.
     
  4. meisam

    cPanel BUG - IMPORTANT

    Hello,

    I was doing backups in my system and I found a bug. Any user who is logged in can get another user's backup, e.g.:

    Any user logs in to their cPanel account. If they go to https://1.2.3.4:2083/getbackup/backup-domainname.tld-5-29-2005.tar.gz

    they can get the backup of domainname.tld. This can be done for ALL accounts.
     
  5. chirpy

    You need to email such issues to security@cpanel.net and log it in bugzilla as posting here will not bring it to cPanel's attention.
     
  6. Darren

    Staff Member

  7. dgbaker

    False error, you can put any word there and it will still be the backup of the correct domain.
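
The two behaviours argued over in this thread, side by side, as an added example that is not part of any post and is not cPanel's code: one resolver lets the domain in the `/getbackup/` filename pick the archive, the other takes the account from the authenticated session and treats the filename as a label only. `ACCOUNTS`, `BACKUP_ROOT` and all function names are hypothetical, and the sample accounts are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample data: authenticated cPanel user -> primary domain.
ACCOUNTS = {"alice": "alice-site.tld", "bob": "bob-shop.tld"}
BACKUP_ROOT = PurePosixPath("/backup/daily")  # hypothetical storage layout

# Filename shape taken from the URL quoted in the thread.
NAME_RE = re.compile(
    r"^backup-(?P<domain>[A-Za-z0-9.-]+)-(?P<date>\d{1,2}-\d{1,2}-\d{4})\.tar\.gz$"
)

def parse_name(url_path):
    """Return (domain, date) from the requested filename, or None."""
    m = NAME_RE.match(PurePosixPath(url_path).name)
    return (m["domain"], m["date"]) if m else None

def resolve_trusting_url(session_user, url_path):
    """Feared behaviour: the domain in the URL selects whose archive is read."""
    parsed = parse_name(url_path)
    if parsed is None:
        return None
    owner = next((u for u, d in ACCOUNTS.items() if d == parsed[0]), None)
    return BACKUP_ROOT / owner / f"{parsed[1]}.tar.gz" if owner else None

def resolve_from_session(session_user, url_path, today):
    """Reported behaviour: the session alone selects the account; the
    filename in the URL is only a label and never reaches the path."""
    if session_user not in ACCOUNTS:
        return None
    return BACKUP_ROOT / session_user / f"{today}.tar.gz"

def is_mismatched_request(session_user, url_path):
    """Detection hook: True when the URL names a domain the caller does not own."""
    parsed = parse_name(url_path)
    return parsed is not None and parsed[0] != ACCOUNTS.get(session_user)
```

Logging every request where `is_mismatched_request` returns True gives an operator a record of accounts probing other domains' filenames, whichever resolver is in place.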
     