[resolved] Possible Security Issue

[logikstudios]

Hey. I have just discovered a massive security in the CPANEL 10.9 software. This problem is in the BACKUP FEATURE. If you do remote ftp back onto the same account. It will put the file in the account home directory and it will have this type of stuff accountname:[email protected]


This is a major problem and needs to be fixed stright away.

Thanks,

Nathaniel

 

[cPanelDavidG]

Security issues should be emailed directly to [email protected] so they can be addressed in a prompt manner.

Remember, the cPanel Staff is not made aware of every thread posted here. While we attempt to assist those posting to the forum where appropriate - many threads may "fall through the cracks." It is for this reason (among many others) the forums are not an official means of communication and it is strongly encouraged that official communications with the cPanel Staff be handled through official channels rather than via the community forums.

 

[logikstudios]

Security issues should be emailed directly to [email protected] so they can be addressed in a prompt manner.

Remember, the cPanel Staff is not made aware of every thread posted here. While we attempt to assist those posting to the forum where appropriate - many threads may "fall through the cracks." It is for this reason (among many others) the forums are not an official means of communication and it is strongly encouraged that official communications with the cPanel Staff be handled through official channels rather than via the community forums.

Sorry about that. Can you please email them about this.

Thanks,
Nathaniel

 

[LP-Tim]

Interesting.

But why would you do remote FTP backup to the same account?

 

[logikstudios]

Because if you wanted to put it into a web directory where you could download it.

 

[DaveUsedToWorkHere]

Hey. I have just discovered a massive security in the CPANEL 10.9 software. This problem is in the BACKUP FEATURE. If you do remote ftp back onto the same account. It will put the file in the account home directory and it will have this type of stuff accountname:[email protected]


This is a major problem and needs to be fixed stright away.

Thanks,

Nathaniel

I'm trying to get a grasp on this. You are sending all backups for a server to a specific account on the same server over ftp?

What files contain root passwords? It's only account tarballs that are backed up. Here's a FTP backup to my account from the same server:

[email protected] [~/cpbackup]# cd monthly/
[email protected] [~/cpbackup/monthly]# ls
./   domain1.tar.gz       domain2.tar.gz   domain3.tar.gz   reseller.tar.gz
../  domain4.tar.gz  domain5.tar.gz  
[email protected] [~/cpbackup/monthly]# cd ..
[email protected] [~/cpbackup]# cd weekly/
[email protected] [~/cpbackup/weekly]# ls
./   domain1.tar.gz       domain2.tar.gz   domain3.tar.gz   reseller.tar.gz
../  domain4.tar.gz  domain5.tar.gz  
[email protected] [~/cpbackup/weekly]# cd ..
[email protected] [~/cpbackup]# cd daily/
[email protected] [~/cpbackup/daily]# ls
./   domain1.tar.gz       domain2.tar.gz   domain3.tar.gz   reseller.tar.gz
../  domain4.tar.gz  domain5.tar.gz

 

[DaveUsedToWorkHere]

I did a grep -R "account:rootpass" * in my backup directory after extracting the archive and got no takers.

[email protected] [~/cpbackup/daily]# tar -xzf reseller.tar.gz 
[email protected] [~/cpbackup/daily]# cd reseller
[email protected] [/home/dave/cpbackup/daily/reseller]# grep -R "reseller:XXXX" *
[email protected] [/home/dave/cpbackup/daily/reseller]#

XXXX intentionally obfuscated

 

[LP-Tim]

Yeah I'm not seeing it either.

Not sure how this would be any different than backing up to a regular 'ole remote ftp server. Files is files, and ftp is ftp, eh?

 

[zigzam]

I can not duplicate this on any of my servers.

 

[logikstudios]

Found the problem, I was logged into that account as root. Came from root WHM to the cpanel account.

Thanks,

 

[DaveUsedToWorkHere]

I'm changing this thread's title as it is not valid