i recently had a user tell me they could get on cpanel even though they dont have a webhosting account with me. they have a shell account they run a psybnc. but when he went to domain.com/cpanel and the login came up his shell login and password logged him into cpanel. while i checked this out and it was true. he had no settings and there were errors as he didnt have any setup to work with i was still troubled that he could get into this. Is this a normal thing and can it be exploitable and if so is there a way to stop this?