Security Risk

Discussion in 'General Discussion' started by drtduarte, Apr 11, 2008.

  1. drtduarte

    drtduarte Registered

    Joined:
    Mar 6, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Dear Users,

    Yesterday I found a problem on cpanel that I think it could be a potential security risk.

    If you access a customer's account as a reseller, and you select a file with 755 permissions that has the variable $password in it, it will catch your reseller password and your customer could see it in the future, and the script using that variable will stop working.

    If you access the account as user, the file will catch the password and will stop working too, but there will be no security risk, as there is no problem if the user finds his password :).

    Waiting for your reply.
    David
     
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    This is currently being investigated.
     
  3. BenThomas

    BenThomas Well-Known Member

    Joined:
    Feb 12, 2004
    Messages:
    598
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Houston, Texas USA
    cPanel Access Level:
    Root Administrator
    I believe this issue was fixed in recent builds, but the reported issue was not in the same context. We have disabled the automatic variable interpolation that was occurring in the editors in the File Manager and subsequently resolved this issue. I am currently unable to reproduce the reported issue with a recent build (11.18.3-STABLE).

    Overall, the scenario outlined in your initial post is very unlikely but possible. A reseller shouldn't be using their auth transfer to interact with the File Manager and edit a customer's files.

    As usual, any such report of an abhorrent behavior should include the cPanel build version. That information is key to investigating these types of issues.
     
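To make the failure mode in this thread concrete, here is an added illustration, not cPanel's code and not anything posted by the participants: a toy file-save handler that expands `$name` tokens from the logged-in session (the interpolation behaviour BenThomas says was disabled in the File Manager editors), the verbatim save that replaces it, and a post-save check that reports whether any session value ended up in the written file. All names (`RESELLER_SESSION`, `save_with_interpolation`, `save_verbatim`, `leaked_secrets`) and the sample config are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed session data standing in for what a file-manager backend
# might hold for the logged-in reseller (hypothetical keys, not cPanel's).
RESELLER_SESSION: Dict[str, str] = {
    "user": "resellerA",
    "password": "hunter2-example",
}

# Constructed customer file: a PHP config that legitimately contains
# the literal text "$password". Nothing here should be rewritten on save.
CUSTOMER_CONFIG = "<?php\n$password = getenv('DB_PASS');\n$user = 'app';\n"

# Matches shell/PHP-style "$identifier" tokens.
TOKEN = re.compile(r"\$(\w+)")


def save_with_interpolation(content: str, session: Dict[str, str]) -> str:
    """Unsafe: expands $name tokens from the session before writing.

    This reproduces the class of bug the thread describes: the customer's
    literal "$password" is replaced by the reseller's credential, so the
    secret lands in a customer-readable file and the PHP no longer parses.
    Tokens with no matching session key are left as they were.
    """
    return TOKEN.sub(lambda m: session.get(m.group(1), m.group(0)), content)


def save_verbatim(content: str) -> str:
    """Safe: an editor is a byte-preserving transport. It never templates
    user-supplied file contents against server-side state."""
    return content


def leaked_secrets(saved: str, session: Dict[str, str]) -> List[str]:
    """Post-save check: which session values now appear in the saved file?

    Suitable as a regression test for any save path; an empty list means
    no session value was written into the file.
    """
    return [key for key, value in session.items() if value and value in saved]


if __name__ == "__main__":
    unsafe = save_with_interpolation(CUSTOMER_CONFIG, RESELLER_SESSION)
    safe = save_verbatim(CUSTOMER_CONFIG)
    print("interpolating save leaked:", leaked_secrets(unsafe, RESELLER_SESSION))
    print("verbatim save leaked:     ", leaked_secrets(safe, RESELLER_SESSION))
    print(unsafe)
```

Running it shows the interpolating path rewriting `$password = getenv(...)` into `hunter2-example = getenv(...)`, which is both a credential disclosure to whoever can read the 755 file and a syntax error that breaks the customer's script, exactly the two symptoms reported in the first post. The verbatim path leaves the file untouched and the leak check returns nothing.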