The Community Forums


security issue in cPanel

Discussion in 'Security' started by vocalist, Sep 14, 2005.

  1. vocalist

    vocalist Registered

    I discovered a security issue tonight (which has already been reported to cPanel via my provider) that other admins should be aware of.

    Entering the ftp.yourdomain.com name of one site on my server and (accidentally) using the login and password details for anotherdomain.com would allow me to log in, and vice versa. This was completely unexpected as I was logging in as a normal domain owner and not as a reseller or with the server root password. Although the system did log me in to the account of the username and password, it should have just rejected me until the correct domain ftp url was entered.

    I noticed this tonight with cPanel
    Installed Version: 10.6.0-RELEASE_201 which was upgraded shortly after the problem was identified to Newest Version: 10.6.0-RELEASE_211 but the problem still exists.

    I tried this on several domains and my techie also tested it from another location so can't be explained as a 'human error' or a 'fluke'.

    I'm sure cPanel staff will look into this asap, but whilst this issue exists it does pose a possible security risk so peeps should be vigilant.
    Hope this helps
     
  2. richy

    richy Well-Known Member

    Let me get this right:

    FTP Host: customer_one.tld
    FTP Username: customer_two
    FTP Password: customer_two_password

    lets you in? If so, this is how most of the protocols work. You could do the same with POP3, SMTP and SSH. This is because they do not support "virtual hosts" - they have one "server" running on each IP address (whereas Apache sets up multiple "virtualhost" servers for an IP address as the HTTP protocol supports the Host: command). If you give each site its own dedicated IP address, you may be able to work around this - but it's not a security issue.
     
  3. a66fm

    a66fm Well-Known Member

    Yes, this is normal, as you do have a single ftp server for all your ips-server, and anyway this would be a security risk if you could use:
    FTP Host: customer_one.tld
    FTP Username: customer_two
    FTP Password: customer_two_password

    and get inside customer_one.tld.
    That is not possible, and I've been using cPanel for 3 years.
     
    #3 a66fm, Sep 14, 2005
    Last edited: Sep 14, 2005
  4. webignition

    webignition Well-Known Member

    Exactly, it's just the username and password that count; the ftp address could be ftp.anyhosteddomain.com, as the ftp client will just resolve the domain to its IP address, which is likely to be the same for many domains.
     
  5. vocalist

    vocalist Registered

    Well, with respect, I have to disagree. If this is 'normal' then it is the first time it's allowed me to do this in the 2 years I've been running a server with cPanel; it didn't allow me to do this on previous versions. Besides which, the datahouse has confirmed it's a bug.

    I'm not talking about accessing these accounts using the reseller or root access but as a normal account holder which should not be possible even on the same server using a single ip.

    It is possible & I've been spending tonight doing just that!! That's why it's a bug lol
     
  6. richy

    richy Well-Known Member

    If you can get into customer_ONE's account using customer_TWO's username+password, then you've got a config fault somewhere and it's not normal cPanel operation. Check the /etc/proftpd or /etc/pureftp.conf config files and /etc/passwd and /etc/groups.
     
  7. cPanelBilly

    cPanelBilly Guest

    This is not a bug; this is in fact the desired result.
     
  8. a66fm

    a66fm Well-Known Member

    I really think that you should check your configuration (are you 100% sure that anonymous login is NOT enabled???), as I did check what you say on two boxes (fd c2 & fd c3 running WHM 10.6.0 cPanel 10.6.0-C210) and it can't be done.
     
    #8 a66fm, Sep 14, 2005
    Last edited: Sep 14, 2005
  9. bigj

    bigj Well-Known Member

    I have to side with everyone else that has responded. The domain name, by no means, provides any level of security or authorization on the cpanel login. That is one of the purposes of a username and password.

    Let me bore you with details of the entire process:

    1) You put in a URL in your fancy browser. Example: http://www.thisisabug.com/cpanel.
    2) Your system resolves the domain, www.thisisabug.com, to an IP address. Example: 11.22.33.44.
    3) Miscellaneous routing occurs here which ultimately sends your request to the IP of 11.22.33.44
    4) cpservd, I believe it is called, accepts the connection on that IP and subsequent port and, more or less, asks for a username and password.
    5) Once accepted it uses that username and password to determine settings like theme and account type to be displayed on your browser.

    I have been using this platform for 2 years now and it has _always_ let me do this. In fact I tested this exact same thing when I was evaluating the product. I of course got what I expected when testing it.

    I should also address, in the first e-mail you stated someone could use host1.tld and username and password from host2.tld to access host2.tld. This, which you stated, is the bug. Then in a response to 'a66fm' you stated that the username and password for host2.tld would allow access to host1.tld. Which is it? If it's the latter then, OMFG, yes that is a bug which would make my rambling e-mail just that, a rambling e-mail...


    bigj

    Wanted to clarify that I understand the complaint was regarding FTP. My example, though not designed around an FTP problem, still yields the same results. Sorry for the misunderstanding.
     
    #9 bigj, Sep 14, 2005
    Last edited: Sep 14, 2005
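
The point made in the replies from richy, webignition and bigj (the hostname is only resolved to an IP address, and the FTP login itself carries just a username and password) can be checked with the following added example, which is not part of the original thread. The two `.example` hostnames, the patched resolver and the stub server are constructed for the demonstration; the credentials are the placeholder names used in the posts above.

```python
import ftplib
import socket
import threading
from unittest import mock

def shared_ip_resolver(host, port, *args, **kwargs):
    # Constructed stand-in for DNS: every hosted name resolves to one shared IP.
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "",
             ("127.0.0.1", port))]

def control_channel_stub(listener, seen):
    # Minimal one-shot FTP control channel that records each line the client sends.
    replies = {"USER": "331 password required", "PASS": "230 logged in",
               "QUIT": "221 bye"}
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as chan:
        chan.write(b"220 constructed test server\r\n")
        chan.flush()
        for raw in chan:
            line = raw.decode().rstrip("\r\n")
            seen.append(line)
            verb = line.split(" ", 1)[0].upper()
            chan.write(replies.get(verb, "502 not implemented").encode() + b"\r\n")
            chan.flush()
            if verb == "QUIT":
                break

def ftp_control_lines(hostname, user, password):
    """Log in through `hostname` and return every line the server received."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = []
    worker = threading.Thread(target=control_channel_stub,
                              args=(listener, seen), daemon=True)
    worker.start()
    with mock.patch("socket.getaddrinfo", shared_ip_resolver):
        client = ftplib.FTP()
        client.connect(hostname, listener.getsockname()[1], timeout=5)
    client.login(user, password)
    client.quit()
    worker.join(timeout=5)
    listener.close()
    return seen

if __name__ == "__main__":
    for name in ("ftp.customer-one.example", "ftp.customer-two.example"):
        print(name, ftp_control_lines(name, "customer_two", "customer_two_password"))
```

The server receives identical `USER`/`PASS`/`QUIT` lines whichever hostname the client was given, so it has nothing but the credentials on which to choose an account.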
  10. a66fm

    a66fm Well-Known Member

    I just checked it after I enabled the anonymous login at the pureftp server configuration, and even now I can't get in.
     