
SECURITY HOLE = Disabling Feature Manager (BETA)

Discussion in 'Security' started by garak, Feb 1, 2004.

  1. garak

    garak Active Member

    Joined:
    Jan 23, 2004
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    156
    Is it possible to disable Feature Manager (BETA) for reseller accounts?

    If this feature is enabled, the reseller can create packages with Crontab, which is a serious security hole (for example: if a customer creates a cron job with the following command: ls /var/named > result.txt, this customer will find all the resellers and customers on this machine! By the way, through cron jobs it is possible to run any serious command successfully!)
     
  2. garak

    garak Active Member

    Joined:
    Jan 23, 2004
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    156

    So, try to create a cron job in cPanel, as a customer of a reseller, and put in the command "ls /var/named > /home/customerdir/result.txt"

    You will get all the zone names inside /var/named, and all the zones are owned by the users root or named.

    Before posting this message, I tried it myself, and I am sure about what I'm talking about (unfortunately) :(
     
  3. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    7
    Trophy Points:
    318
    Location:
    back woods of NC, USA
    You don't need a cron job to do that. What has Feature Manager got to do with that anyway? Anyone can create a cron job if they have SSH. If they have SSH they don't even need cron.
     
  4. garak

    garak Active Member

    Joined:
    Jan 23, 2004
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    156
    Surely. :)

    But I don't give anyone SSH access.
    But now, with cron's 'possibilities', I'm really worried...

    I don't know how to block crontab in the resellers' cPanel without completely removing the "create packages" ability...

    And removing the "create packages" ability could be big trouble for my resellers..... :(
     
  5. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    7
    Trophy Points:
    318
    Location:
    back woods of NC, USA
    Do you block CGI and PHP scripts? Very simple 3-4 line scripts can simply print to httpd output all kinds of stuff you should be worried about then.

    It's a shared box. You have to watch your users.
     
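The two posts above make the same underlying point from different angles: a cron job, a CGI/PHP script or a shell session are all just ways for a local account to run ls, and what actually decides whether /var/named can be enumerated is the directory's permission bits, plus whether the account is allowed to use cron at all. The following POSIX sh audit is an added example, not code from the thread or from cPanel; it checks exactly those two controls. The directory path, the user name and the cron.allow/cron.deny locations are illustrative assumptions (the defaults follow standard cron(8) behaviour), and nothing in it is cPanel-specific.

```sh
#!/bin/sh
# Added audit example (not from the thread). Checks two host-level controls:
#  1. whether a directory such as /var/named can be listed by any local
#     account (the "other" read+search bits), which is what lets a cron job,
#     a CGI script or a shell session enumerate zone names;
#  2. whether a given account may submit cron jobs under the standard
#     /etc/cron.allow and /etc/cron.deny rules used by Vixie/ISC cron.
# Paths and user names are illustrative assumptions; nothing is cPanel-specific.

# Print "yes" if DIR is listable by users outside its owner and group,
# "no" if not, "missing" if it does not exist. Always exits 0.
world_listable() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    # Octal mode, e.g. 755; GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null)
    other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
    case "$other" in
        5|7) echo yes ;;           # r-x or rwx: anyone can run ls on it
        *)   echo no ;;            # no read or no search bit: listing denied
    esac
}

# Print "yes" if USER may use crontab, "no" otherwise. Rules as in cron(8):
# if cron.allow exists only listed users are allowed; else if cron.deny
# exists listed users are refused; if neither exists everyone is allowed.
# The file paths default to /etc/cron.allow and /etc/cron.deny and can be
# overridden (second and third argument) for testing.
cron_allowed() {
    user=$1
    allow=${2:-/etc/cron.allow}
    deny=${3:-/etc/cron.deny}
    if [ -f "$allow" ]; then
        grep -qx "$user" "$allow" && echo yes || echo no
    elif [ -f "$deny" ]; then
        grep -qx "$user" "$deny" && echo no || echo yes
    else
        echo yes
    fi
}

# Human-readable report for one directory and (optionally) one account.
audit_report() {
    dir=$1
    user=$2
    case "$(world_listable "$dir")" in
        yes) echo "WARN: $dir is listable by every local account (chmod o-rx '$dir' restricts it; keep the service user as owner/group)" ;;
        no)  echo "OK: $dir is not listable by other accounts" ;;
        *)   echo "SKIP: $dir does not exist on this host" ;;
    esac
    if [ -n "$user" ]; then
        if [ "$(cron_allowed "$user")" = yes ]; then
            echo "INFO: $user may submit cron jobs (add the name to /etc/cron.deny to block)"
        else
            echo "OK: $user cannot submit cron jobs"
        fi
    fi
}

# Usage: sh audit_zone_dir.sh /var/named [username]
if [ $# -ge 1 ]; then
    audit_report "$1" "${2:-}"
fi
```

Run it as root with the zone directory and one hosting account name; a WARN line means the permission bits, not the Feature Manager toggle, are what need changing, since removing cron from the package only closes one of several ways to run the same ls. Listing a user in /etc/cron.deny blocks crontab for that account without touching the reseller's package definitions.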
  6. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    7
    Trophy Points:
    318
    Location:
    back woods of NC, USA
    And while you are at it, block all POP access and turn off Exim. Firewall all ports except port 80. On all users' sites put .htaccess password protection. When they need people to see their sites they can give out passwords on a first-come, temporary basis.

    If you do all this, you may be able to keep that server hacker-free for over 60 days.
     
  7. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    And if all else fails, unplug the server.

    Welcome to the world of hosting.
     
  8. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    316
    Location:
    Ontario, Canada
    I'm not sure who started the rumor that being a web host was easy. :D
     