Reset Password for cPanel accounts feature is insecure

[Dismas]

Hello,

I would like to share my findings of potential security vulnerability which is related 'Reset Password for cPanel accounts' feature.

Scenario: Reset Password for cPanel accounts should be enabled (which is enabled by default) under Tweak Settings in WHM.

Main problem: Contact email of cPanel account can be manually changed by editing 'contactinfo' file (usually resides in /home/username/.cpanel/contactinfo) and used to reset account password.

Example of abusive usage: Hacker got access to files under cPanel account (outdated applications, etc.), modified contact email in 'contactinfo' file, reset account password and gain access to everything under account (email accounts, databases, passwords management, settings and so on).

Changes are not reflect in WHM where old contact email is displayed still, probably because it is looking into hidden file '.contactemail' (usually resides in /home/username/.contactemail) or /var/cpanel/users/username file.

To my opinion it's better to store account contact information outside of user's home directory (again, a lot of account information and settings are stored in /var/cpanel/users/username file).

Verified on the following cPanel versions: 56, 64 and 66.

I know that there is an easy way to just disable this feature, but users are losing opportunity to reset forgotten passwords of their accounts and have to contact hosting provider every time.

Awaiting reply or possible workaround to deal with the problem.

 

[Infopro]

If someone has compromised your account, per your scenario, changing the email to reset the password is a waste of time. They'd already be in the account.

Example of abusive usage: Hacker got access to files under cPanel account (outdated applications, etc.),

 

[Dismas]

Yep, but limited only to upload new files, delete or edit existing ones under account.
Have no access to DNS, domains and passwords management that controlled by cPanel.

If someone has compromised your account, per your scenario, changing the email to reset the password is a waste of time. They'd already be in the account.

 

[sparek-3]

How are you proposing that someone would have "limited only to upload new files, delete or edit existing ones under account" and have access to the account's home directory, without already having cPanel access?

I do agree with you on the premise that it is not wise to enable the reset password function. But what @Infopro has asked is also valid.

 

[Dismas]

Looks like you are don't understand what i'm talking about. I'd like to post more details as reply because can't edit original message.

I will try to write short report as easy as i could for better understanding.

Applications under account may be hacked (for example popular Blogs and CMS apps like WordPress, Joomla, etc.) because of hundreds of vulnerabilities (outdated versions, outdated components, etc). Yes, I know that responsibility on keeping apps up to date and taking additional security measures is fully on website owner/developer behalf while system administrator responsible keeping server software up to date (Apache, PHP, Operating System packages, etc.) to close all known vulnerabilities.

Usually the main purpose of hack is spam via uploaded scripts (lets say php scripts), so spam mails could be sent by accessing script (for example http://domain.com/mail.php). So no passwords stolen or became known. No access to cPanel account, website/account got hacked and used to send spam.

Now, lets review more complex situation.

PHP file manager or shell has been uploaded because of hacked app and accessible via web (for example http://domain.com/tool.php). Now files under account can be deleted, created and modified. Again, no passwords stolen or became known, there are no files under user directory (/home/username) where you can get account password and take full control over account (by accessing cPanel GUI). But as i described above intruder can obtain account password by modifying 'contactinfo' file and use cPanel password reset feature to take full control of account.

Did you catch possible security problem?

BTW here is similar topic describing the problem when intruder may insert or change contact email to reset password (it does not match when you check contact email of account via WMH, but changing it back is fixed the problem, because all three files containing contact email have been updated:
Password Recovery - Email Hint

 

[sparek-3]

Applications under account may be hacked

That's your paramount issue right there.

I get what you are saying and there is some truth there. But, if the account is already being allowed to be compromised, then changing the contact information or resetting the account's password is trivial. If the account is already being hacked by some means, damage can be done with or without resetting the password and gaining cPanel or FTP access.

If end-users are not willing to take steps to secure their scripts or the application they run on their account, then this is an incident waiting to happen.

You can color it up, sugarcoat it, make it pretty, and take all the measures you want to guard against this. But the simple fact is, if an end-user is going to allow their website to become compromised through either an outdated script, an insecure script, a weak password, or any other number of things - then they really can't complain when their account is completely compromised.

This is a woeful issue within the web hosting world. Now if you want to blame the industry and web hosting companies for not stressing the importance of security enough to their clients, I'd be on board with that. But the fact is, if an account is insecure then it's insecure.