Reset Password for cPanel accounts feature is insecure

Hello,

I would like to share my findings of potential security vulnerability which is related 'Reset Password for cPanel accounts' feature.

Scenario: Reset Password for cPanel accounts should be enabled (which is enabled by default) under Tweak Settings in WHM.

Main problem: Contact email of cPanel account can be manually changed by editing 'contactinfo' file (usually resides in /home/username/.cpanel/contactinfo) and used to reset account password.

Example of abusive usage: Hacker got access to files under cPanel account (outdated applications, etc.), modified contact email in 'contactinfo' file, reset account password and gain access to everything under account (email accounts, databases, passwords management, settings and so on).

Changes are not reflect in WHM where old contact email is displayed still, probably because it is looking into hidden file '.contactemail' (usually resides in /home/username/.contactemail) or /var/cpanel/users/username file.

To my opinion it's better to store account contact information outside of user's home directory (again, a lot of account information and settings are stored in /var/cpanel/users/username file).

Verified on the following cPanel versions: 56, 64 and 66.

I know that there is an easy way to just disable this feature, but users are losing opportunity to reset forgotten passwords of their accounts and have to contact hosting provider every time.

Awaiting reply or possible workaround to deal with the problem.

 

Yep, but limited only to upload new files, delete or edit existing ones under account.
Have no access to DNS, domains and passwords management that controlled by cPanel.

 

Looks like you are don't understand what i'm talking about. I'd like to post more details as reply because can't edit original message.

I will try to write short report as easy as i could for better understanding.

Applications under account may be hacked (for example popular Blogs and CMS apps like WordPress, Joomla, etc.) because of hundreds of vulnerabilities (outdated versions, outdated components, etc). Yes, I know that responsibility on keeping apps up to date and taking additional security measures is fully on website owner/developer behalf while system administrator responsible keeping server software up to date (Apache, PHP, Operating System packages, etc.) to close all known vulnerabilities.

Usually the main purpose of hack is spam via uploaded scripts (lets say php scripts), so spam mails could be sent by accessing script (for example http://domain.com/mail.php). So no passwords stolen or became known. No access to cPanel account, website/account got hacked and used to send spam.

Now, lets review more complex situation.

PHP file manager or shell has been uploaded because of hacked app and accessible via web (for example http://domain.com/tool.php). Now files under account can be deleted, created and modified. Again, no passwords stolen or became known, there are no files under user directory (/home/username) where you can get account password and take full control over account (by accessing cPanel GUI). But as i described above intruder can obtain account password by modifying 'contactinfo' file and use cPanel password reset feature to take full control of account.

Did you catch possible security problem?

BTW here is similar topic describing the problem when intruder may insert or change contact email to reset password (it does not match when you check contact email of account via WMH, but changing it back is fixed the problem, because all three files containing contact email have been updated:
Password Recovery - Email Hint