Subdomain visible to other accounts

brayne

Member
Mar 26, 2014
5
0
1
cPanel Access Level
Root Administrator
Hi there, one of my customers created a subdomain for their account, and placed it inside their home directory. Within that directory, they created a subdirectory called "clientfiles".

After uploading a few files to this location via FTP, it was then discovered that these files were accessible via some of my other customers' websites, with completely separate cPanel accounts on the same server.

So, the files were placed at:
http://subdomain.firstdomain.com/clientfiles/
(/home/username/subdomain.firstdomain.com/clientfiles)

And they were accessible via the web, from a completely separate cPanel account (on the same server):
http://seconddomain.com/clientfiles/

I don't know how this was even possible. Can someone explain why this would happen, and how I prevent this from happening?

Thanks in advance,
Bruce
 

brayne

Member
Mar 26, 2014
5
0
1
cPanel Access Level
Root Administrator
Sorry, I need to add a note to this. It turns out, that the files can only be viewed if using an https:// prefix.

So, the files were placed at:
http://subdomain.firstdomain.com/clientfiles/
(/home/username/subdomain.firstdomain.com/clientfiles)

And they were accessible via the web, from a completely separate cPanel account (on the same server):
https://seconddomain.com/clientfiles/

Bur there is no certificate installed for https://seconddomain.com.

http://subdomain.firstdomain.com has one of those annoying self-signed certificates that seem to get created whether you want them or not. If I delete this certificate, the problem goes away.

Thanks,
Bruce