Security Token Tweak setting missing? [case 71137, case 71669, case 71933, case 73073]

pla

Member
Oct 26, 2012
cPanel Access Level
Root Administrator
I have the same issue as some others have posted on other threads. Almost certainly related to the same thing, but maybe not to the same feature requests previously submitted.

I start out with a browser with history cleared. Login to WHM. List accounts. Click on the CP link for an account. End up with the cpanel page for that account opening in a new tab and me logged into that page as root. This is how it used to work and how I want it to work in the last case below.

I logout of any cpanel tabs if open, logout of the WHM tab. Later I go through the WHM login/list/click on CP. This, too, works.

Where it all goes wrong is if I just close the WHM and cpanel tabs without logging out. When I go to WHM again it asks me to login again because "The security token is missing from your request." That's a cosmetic issue at that point. But when I click on a CP link the cpanel page for the account also tells me the security token is missing. This is the big problem because it forces time-consuming behaviour upon me. Leave the browser open, lock my screen and go home and the next day I have this problem. I can't fix it by logging out because I can't log out of the cpanel windows I already closed. I can only fix it by clearing history for the appropriate server or by clearing all history (which has unwanted side-effects). Or I have to remember to always logout of cpanel/WHM tabs and never just close a tab.

Ideally, logging in to WHM as root would clear any other security tokens for the server. Well, it's not perfect because if I had cpanel windows open I'd lose their sessions but it's better than what happens at present.

PS

My boss asked me what I'd been doing this past hour. I explained I'd been trying to see why this error was cropping up, checking if it happened with different browsers, finding workarounds and submitting this post. He asked for a demo of the problem and I couldn't reproduce it. The problem was solidly reproducible before and now has gone. Could this be a race hazard issue? We have a slow connection and there were 4 people who went home before I tried demonstrating it to my boss.

--
Paul

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Where it all goes wrong is if I just close the WHM and cpanel tabs without logging out. When I go to WHM again it asks me to login again because "The security token is missing from your request." That's a cosmetic issue at that point. But when I click on a CP link the cpanel page for the account also tells me the security token is missing.
The issue you have described is addressed in the following thread:

[Case 74109] Accessing a customers cPanel through WHM

Thank you.

NNNils

Well-Known Member
Sep 17, 2002
I also would like the security token feature to be disabled if we like.

If so many people ask for it to be optional, why does cPanel decide on its own to remove it and even make it impossible to disable? There are so many stupid things we could do in managing our servers. Why would cPanel want to prevent us from doing this one "extremely stupid" thing, at all costs?

Why not leave the backdoor (i.e. config file) open for people at their own (extremely dangerous... sorry, not my opinion) risk?

The problem is, i.e. when accessing browser bookmarks like phpMyAdmin, I have to manually re-enter my password even when I already logged in 5 seconds before that (yeah, of course that's the whole point of these tokens), but this is far from user friendly.

Has nothing to do with storing passwords in URL, just trying to enter cpanel related things from browser bookmarks.

mahinder

Well-Known Member
Jun 12, 2003
matrix
Nick, I tried really hard to refrain from posting to this thread because "I understand" HTTP authentication can create some serious security problems, but this security token has made our life so miserable that I have to protest!

The scenario you are describing is what security tokens are designed to protect against. We don't want a malicious user to take advantage of you being logged into WHM and provide you a link to their "broken" website that redirects you to https://server:2087/...../....../passwd?user=root&.... which resets your root password allowing them to gain root. This is not possible with security tokens since the url is not known to the malicious user.
Well, this has "never" happened to me in the past 16 years since I have been managing servers, and regardless, you should fix this particular page(s) which allows changing root passwords like that rather than implementing security tokens all over WHM links, making it impossible to work with bookmarks / links. How about implementing a captcha on password reset pages to make sure the password is not changed through a link / redirection?

Yesterday, I was working with my colleague in WHM > PHPMYADMIN and our DSL connection + IP was getting reset every few minutes due to bad weather, and we had to enter login information in 8-12 windows again and again because the stupid token was expiring. This was also a major problem while EasyApache was running and I had to log in again and again to make sure the build was complete.

Actually, this is a regular problem because we have to log in AGAIN AND AGAIN to do anything on the server through "bookmarks / links". It takes twice the time to do anything in WHM with security tokens enabled, and it is simply impractical to keep locating links in WHM after login or typing commands in the WHM search bar after login because it takes so much time for WHM to load completely and the search bar only works when the LOGIN page has loaded completely. Not everybody in the world has the fastest connection available all the time, and sometimes I have to work through my mobile, where it takes 10 times longer to work in WHM.

Security tokens are a HUGE BURDEN for people who work extensively in WHM and you should provide an option / hack to disable them.

You should be able to use SecureRemoteLogins < AllDocumentation < TWiki to generate a session and redirect into WHM with the token in place.
Actually, your suggestions will bring more security problems into our systems: now we have to store root passwords for all servers in a database because the SecureRemoteLogin script needs the root username and password. We do not store root passwords in databases or anywhere on the server, to make sure nobody gets root access in the scenario where the database / server is compromised. Regardless, this script cannot run every time when a single page has several bookmarks.

Please bring the option to disable security tokens back, or suggest some hack which allows us to do this, or suggest some workaround where we do not have to enter login information again and again and again while using WHM through bookmarks / links.

Mango45

Active Member
Apr 21, 2009
Canada
cPanel Access Level
Website Owner
I may be missing something here, but wouldn't checking the referrer be a valid way to solve this type of attack?

I realize that referrer can be spoofed, but I do not know how a malicious user could make me spoof my own referrer, without having access to cause much more severe problems.

EDIT: I see that this feature already exists (and my host seems to have enabled it on my server).
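An added illustration (not cPanel's code, and not posted by anyone in this thread) of the two mechanisms discussed above: the per-session token that Nick says keeps the ".../passwd?user=root&..." redirect from working, which also explains why pla's and mahinder's bookmarked links stop working after a fresh login, next to the Referer check Mango45 suggests. The /cpsess<hex>/ path layout, the server:2087 origin, the other-site.example referer and the function names are constructed assumptions for the example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

PANEL_ORIGIN = "https://server:2087"  # constructed sample origin (WHM port)

def panel_link(token: str, path: str) -> str:
    """Links the panel renders itself carry the session token in the path."""
    return f"{PANEL_ORIGIN}/cpsess{token}{path}"

def extract_token(url: str) -> Optional[str]:
    """Return the cpsess segment of a request URL, or None when absent."""
    segments = urlsplit(url).path.split("/")  # segments[0] is '' for '/...'
    if len(segments) > 1 and segments[1].startswith("cpsess"):
        return segments[1][len("cpsess"):]
    return None

def authorize(session_token: str, url: str, referer: Optional[str],
              use_token: bool = True, check_referer: bool = False) -> bool:
    """May a state-changing request run under this login session?
    Token check: a link forged on a third-party page cannot carry the victim's
    unpredictable per-session value, so .../passwd?user=root&... is rejected.
    Referer check: the alternative raised above; a missing Referer is rejected."""
    if use_token:
        token = extract_token(url)
        if token is None or not hmac.compare_digest(token.encode(),
                                                    session_token.encode()):
            return False
    if check_referer:
        if referer is None:
            return False
        r = urlsplit(referer)
        if f"{r.scheme}://{r.netloc}" != PANEL_ORIGIN:
            return False
    return True

def demo() -> dict:  # constructed requests: own link, forged link, stale bookmark
    root = secrets.token_hex(8)  # token minted at login, discarded at logout
    own = panel_link(root, "/scripts/passwd?user=root")
    forged = f"{PANEL_ORIGIN}/scripts/passwd?user=root"  # token unknown elsewhere
    other = "https://other-site.example/"
    return {
        "own_link": authorize(root, own, PANEL_ORIGIN + "/"),
        "forged_no_token": authorize(root, forged, other),
        "referer_only_cross_site": authorize(root, forged, other, False, True),
        "referer_only_missing": authorize(root, forged, None, False, True),
        # Why bookmarks break: after a fresh login the old token no longer matches.
        "bookmark_after_relogin": authorize(secrets.token_hex(8), own, PANEL_ORIGIN + "/"),
    }
```

The last entry is the usability cost the thread complains about: the same property that defeats a forged link also invalidates any URL saved from an earlier session.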

cPanelMichael

Administrator
Staff member
Apr 11, 2011
The ability to disable security tokens with the "disable-security-tokens=1" entry in /var/cpanel/cpanel.config will be restored in the near future. Please monitor the change log for internal case number 75329:

cPanel - Change Log

Thank you.

jols

Well-Known Member
Mar 13, 2004
That's the best news I have read all week. However, when cPanel.net says "soon" it usually means that the feature will come out a major version or two down the road, e.g. 6 to 16 months or more.

Personally I am still waiting for cPanel.net to bring us back the capability to switch off UNLIMITED as an email quota option, which we once had quite literally years ago. And I have been watching some of our hosted members' email accounts fill up with (again, literally) years of garbage ever since.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Case 75329 is now implemented as of cPanel version 11.38.2.2 per the change log:

Fixed case 75329: Restore the ability to disable security tokens.

Note that this version has only been pushed to the "Current" and "Release" build tiers at this time.

Thank you.

mahinder

Well-Known Member
Jun 12, 2003
matrix
Case 75329 is now implemented as of cPanel version 11.38.2.2 per the change log:

Fixed case 75329: Restore the ability to disable security tokens.

Note that this version has only been pushed to the "Current" and "Release" build tiers at this time.

Thank you.
Thank you Michael. You are life saver. :)

mahinder

Well-Known Member
Jun 12, 2003
matrix
Michael, the option to disable security tokens does not appear inside WHM in WHM 11.38.2 (build 3) (current / release) tiers. However, I was able to disable security tokens by inserting the line in cpanel.config. But now I see this alert on all the pages in WHM and also in cPanel. This cPanel alert will create panic among users.

Your server is vulnerable to cross site request forgery and cross site scripting attacks. You should remove 'disable-security-tokens=1' from '/var/cpanel/cpanel.config' and execute '/usr/local/cpanel/scripts/restartsrv_cpsrvd' as soon as possible.
This server is vulnerable to cross site request forgery and cross site scripting attacks because security tokens are disabled. Please ask your system administrator to enable security tokens as soon as possible.
Due to this alert, now I am back to security tokens enabled. Please suggest how to disable this message.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
But now, I see this alert in all the pages in WHM and also on cPanel. This cPanel alert will create panic among users.
This is by design. Disabling security tokens is a bad security practice, and warrants placing those warning messages in cPanel/WHM. If you accept that risk, and still want to remove the alerts, you could follow these instructions:

1. Create the following files:

Code:
/usr/local/cpanel/scripts/post_cpsrvd_start
/usr/local/cpanel/scripts/pre_cpsrvd_start
2. Populate post_cpsrvd_start with the following contents:

Code:
#!/usr/local/cpanel/3rdparty/bin/perl
# Runs after cpsrvd has started: write disable-security-tokens=0 back to
# cpanel.config so the on-disk setting no longer triggers the warning banner.

use Cpanel::Config::CpConfGuard ();

my $cpconf_guard = Cpanel::Config::CpConfGuard->new();
$cpconf_guard->{'data'}->{'disable-security-tokens'} = 0;
$cpconf_guard->save();

exit(0);
3. Populate pre_cpsrvd_start with the following contents:

Code:
#!/usr/local/cpanel/3rdparty/bin/perl
# Runs before cpsrvd starts: set disable-security-tokens=1 so the daemon reads
# the disabled setting when it loads its configuration.

use Cpanel::Config::CpConfGuard ();

my $cpconf_guard = Cpanel::Config::CpConfGuard->new();
$cpconf_guard->{'data'}->{'disable-security-tokens'} = 1;
$cpconf_guard->save();

exit(0);
4. Run the following commands:

Code:
chmod 0755 /usr/local/cpanel/scripts/post_cpsrvd_start
chmod 0755 /usr/local/cpanel/scripts/pre_cpsrvd_start
/usr/local/cpanel/scripts/restartsrv_cpsrvd
Again, it's important to realize that disabling security tokens is highly discouraged. Your server becomes vulnerable to cross site request forgery and cross site scripting attacks.

Thank you.

Valetia

Well-Known Member
Jun 20, 2002
cPanel Access Level
Root Administrator
This is by design. Disabling security tokens is a bad security practice, and warrants placing those warning messages in cPanel/WHM. If you accept that risk, and still want to remove the alerts, you could follow these instructions:

1. Create the following files:

Code:
/usr/local/cpanel/scripts/post_cpsrvd_start
/usr/local/cpanel/scripts/pre_cpsrvd_start
2. Populate post_cpsrvd_start with the following contents:

Code:
#!/usr/local/cpanel/3rdparty/bin/perl

use Cpanel::Config::CpConfGuard ();

my $cpconf_guard = Cpanel::Config::CpConfGuard->new();
$cpconf_guard->{'data'}->{'disable-security-tokens'} = 0;
$cpconf_guard->save();

exit(0);
3. Populate pre_cpsrvd_start with the following contents:

Code:
#!/usr/local/cpanel/3rdparty/bin/perl

use Cpanel::Config::CpConfGuard ();

my $cpconf_guard = Cpanel::Config::CpConfGuard->new();
$cpconf_guard->{'data'}->{'disable-security-tokens'} = 1;
$cpconf_guard->save();

exit(0);
4. Run the following commands:

Code:
chmod 0755 /usr/local/cpanel/scripts/post_cpsrvd_start
chmod 0755 /usr/local/cpanel/scripts/pre_cpsrvd_start
/usr/local/cpanel/scripts/restartsrv_cpsrvd
Again, it's important to realize that disabling security tokens is highly discouraged. Your server becomes vulnerable to cross site request forgery and cross site scripting attacks.

Thank you.
We tried this method of disabling the warning message, but it doesn't get disabled 24/7.

There are periods (we haven't figured out when exactly, though you may have some ideas) when cPanel users still see the warning.

An actual method that works 24/7 would be much appreciated. :)

cPanelNick

Administrator
Staff member
Mar 9, 2015
cPanel Access Level
DataCenter Provider
The load issue is almost certainly a red herring. The code path for security tokens being disabled was only 0.001ms faster when being profiled. It's likely an unrelated change in the last update causing the speedup.

sina6002

Member
Apr 1, 2008
cPanel Access Level
DataCenter Provider
Valetia, another quick hack to make the cPanel warning go away:

Add the following code right before <div id="cpanel"> (/usr/local/cpanel/base/frontend/x3/branding/stdmheader.html, line 18):

<script>
// Hide the warning only when the element exists on this page; otherwise
// getElementById() returns null and the bare one-liner would throw an error.
var warning = document.getElementById('security_token_warning');
if (warning) { warning.style.display = 'none'; }
</script>
I hope at some point cPanel developers realise how stupid this is becoming, and add an i-accept-the-risks=1 config parameter.