Subdomain visible to other accounts

[brayne]

Hi there, one of my customers created a subdomain for their account, and placed it inside their home directory. Within that directory, they created a subdirectory called "clientfiles".

After uploading a few files to this location via FTP, it was then discovered that these files were accessible via some of my other customers' websites, with completely separate cPanel accounts on the same server.

So, the files were placed at:
http://subdomain.firstdomain.com/clientfiles/
(/home/username/subdomain.firstdomain.com/clientfiles)

And they were accessible via the web, from a completely separate cPanel account (on the same server):
http://seconddomain.com/clientfiles/

I don't know how this was even possible. Can someone explain why this would happen, and how I prevent this from happening?

Thanks in advance,
Bruce

 

[brayne]

Sorry, I need to add a note to this. It turns out, that the files can only be viewed if using an https:// prefix.

So, the files were placed at:
http://subdomain.firstdomain.com/clientfiles/
(/home/username/subdomain.firstdomain.com/clientfiles)

And they were accessible via the web, from a completely separate cPanel account (on the same server):
https://seconddomain.com/clientfiles/

Bur there is no certificate installed for https://seconddomain.com.

http://subdomain.firstdomain.com has one of those annoying self-signed certificates that seem to get created whether you want them or not. If I delete this certificate, the problem goes away.

Thanks,
Bruce

 

[cPanelMichael]

Hello,

This is answered on the following section of our SSL FAQ document:

My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.

Thank you.