Hello,
I would like to share my findings of a potential security vulnerability which is related to the 'Reset Password for cPanel accounts' feature.
Scenario: Reset Password for cPanel accounts should be enabled (which is enabled by default) under Tweak Settings in WHM.
Main problem: The contact email of a cPanel account can be manually changed by editing the 'contactinfo' file (usually residing in /home/username/.cpanel/contactinfo) and used to reset the account password.
Example of abusive usage: A hacker got access to files under a cPanel account (outdated applications, etc.), modified the contact email in the 'contactinfo' file, reset the account password and gained access to everything under the account (email accounts, databases, password management, settings and so on).
Changes are not reflected in WHM, where the old contact email is still displayed, probably because it looks into the hidden file '.contactemail' (usually residing in /home/username/.contactemail) or the /var/cpanel/users/username file.
In my opinion it's better to store account contact information outside of the user's home directory (again, a lot of account information and settings are stored in the /var/cpanel/users/username file).
Verified on the following cPanel versions: 56, 64 and 66.
I know that there is an easy way to just disable this feature, but then users lose the opportunity to reset forgotten passwords for their accounts and have to contact the hosting provider every time.
Awaiting a reply or possible workaround to deal with the problem.
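As an added example (not part of the original post or of cPanel itself), a shell check a server administrator could run to detect the discrepancy described above: it compares the e-mail addresses found in /home/username/.cpanel/contactinfo with those in /home/username/.contactemail and /var/cpanel/users/username and flags accounts where they disagree. The three paths come from the post; the file formats do not, so addresses are extracted with a regex rather than by parsing a specific layout, and the function names (`check_user`, `audit_all`) and the ROOT prefix are my own.

```bash
#!/bin/bash
# Added example: detect a ~/.cpanel/contactinfo contact e-mail that no longer
# matches the copies WHM displays (~/.contactemail, /var/cpanel/users/<user>).
# Assumption: no particular file format; any e-mail-looking token counts.

EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# Print the distinct, lower-cased e-mail addresses found in a file.
# Prints nothing (and succeeds) when the file is missing or unreadable.
emails_in() {
    [ -r "$1" ] || return 0
    grep -oE "$EMAIL_RE" "$1" | tr 'A-Z' 'a-z' | sort -u
}

# check_user ROOT USER
# ROOT is a filesystem prefix ("" on a live server, a temp dir for tests).
# Prints "OK user" when all three sources agree, "MISMATCH user ..." when the
# contactinfo address differs from either WHM-visible copy. Returns 1 on mismatch.
check_user() {
    local root="$1" user="$2"
    local home="$root/home/$user"
    local ci ce cu
    ci=$(emails_in "$home/.cpanel/contactinfo" | tr '\n' ' ')
    ce=$(emails_in "$home/.contactemail" | tr '\n' ' ')
    cu=$(emails_in "$root/var/cpanel/users/$user" | tr '\n' ' ')
    if [ -n "$ci" ] && { [ "$ci" != "$ce" ] || [ "$ci" != "$cu" ]; }; then
        printf 'MISMATCH %s contactinfo=[%s] .contactemail=[%s] users-file=[%s]\n' \
            "$user" "$ci" "$ce" "$cu"
        return 1
    fi
    printf 'OK %s\n' "$user"
}

# audit_all [ROOT]
# Walk every account listed under /var/cpanel/users; return 1 if any mismatch.
audit_all() {
    local root="${1:-}" rc=0 f
    for f in "$root"/var/cpanel/users/*; do
        [ -f "$f" ] || continue
        check_user "$root" "$(basename "$f")" || rc=1
    done
    return $rc
}

# Run the audit against the live system only when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then
    audit_all "${2:-}"
fi
```

A non-zero exit from `audit_all` is suitable for a cron job or monitoring check; a MISMATCH line also identifies which account's contactinfo should be compared against the WHM record.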