[resolved] Possible Security Issue

logikstudios

Hey. I have just discovered a massive security issue in the CPANEL 10.9 software. This problem is in the BACKUP FEATURE. If you do remote ftp back onto the same account, it will put the file in the account home directory and it will have this type of stuff: accountname:[email protected]

This is a major problem and needs to be fixed straight away.

Thanks,

Nathaniel
 

cPanelDavidG

Technical Product Specialist
Security issues should be emailed directly to [email protected] so they can be addressed in a prompt manner.

Remember, the cPanel Staff is not made aware of every thread posted here. While we attempt to assist those posting to the forum where appropriate - many threads may "fall through the cracks." It is for this reason (among many others) the forums are not an official means of communication and it is strongly encouraged that official communications with the cPanel Staff be handled through official channels rather than via the community forums.
 

logikstudios

Sorry about that. Can you please email them about this?

Thanks,
Nathaniel
 

logikstudios

Because if you wanted to put it into a web directory where you could download it.
 

DaveUsedToWorkHere

I'm trying to get a grasp on this. You are sending all backups for a server to a specific account on the same server over ftp?

What files contain root passwords? It's only account tarballs that are backed up. Here's a FTP backup to my account from the same server:

Code:
[email protected] [~/cpbackup]# cd monthly/
[email protected] [~/cpbackup/monthly]# ls
./   domain1.tar.gz       domain2.tar.gz   domain3.tar.gz   reseller.tar.gz
../  domain4.tar.gz  domain5.tar.gz  
[email protected] [~/cpbackup/monthly]# cd ..
[email protected] [~/cpbackup]# cd weekly/
[email protected] [~/cpbackup/weekly]# ls
./   domain1.tar.gz       domain2.tar.gz   domain3.tar.gz   reseller.tar.gz
../  domain4.tar.gz  domain5.tar.gz  
[email protected] [~/cpbackup/weekly]# cd ..
[email protected] [~/cpbackup]# cd daily/
[email protected] [~/cpbackup/daily]# ls
./   domain1.tar.gz       domain2.tar.gz   domain3.tar.gz   reseller.tar.gz
../  domain4.tar.gz  domain5.tar.gz
 

LP-Tim

Yeah I'm not seeing it either.

Not sure how this would be any different than backing up to a regular 'ole remote ftp server. Files is files, and ftp is ftp, eh?
 

logikstudios

Found the problem, I was logged into that account as root. Came from root WHM to the cpanel account.

Thanks,