The Community Forums

Interact with an entire community of cPanel & WHM users!

turn off cpanel download feature

Discussion in 'General Discussion' started by weeming21, Jun 16, 2015.

  1. weeming21

    weeming21 Member

    Joined:
    Jun 13, 2015
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Malaysia
    cPanel Access Level:
    Root Administrator
    How to turn off the download feature in cPanel?

    A user can download any file from the "download?" link even when the file_manager feature is disabled,
    e.g.: /download?skipencode=1&file=%2fhome%2fc%2fpublic_html%2findex.php
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,456
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Where does that URL work from, exactly?
     
  3. weeming21

    weeming21 Member

    After logging in to the cPanel frontend,
    e.g. xyz.com:2083/cpsess4618130495/download?skipencode=1&file=/home/user/public_html/index.php

    I only enable some mail-only features, but the user is still able to download my source code through the URL.

    I need to disable the "download?" API (maybe), please advise.
     
    #3 weeming21, Jun 17, 2015
    Last edited: Jun 17, 2015
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    How does a normal user login to your cPanel to do this?
     
  5. weeming21

    weeming21 Member

    They are not normal users.
    They got their username and password to log in to the cPanel hosting account; we only enable some mail features (accounts, forwarders and autoresponders) for them,
    but they can use the URL to download all our source code.

    We need to protect our PHP source code, or else they can read our database password from the source.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    This URL does not work for me. Are you sure it's a proper example?
     
  7. weeming21

    weeming21 Member

    xyz.com is your server URL.
    cpsess4618130495 is your security token.
    index.php is the file in your public_html; you put an index.php into your public_html first.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Yep, I got all that. Doesn't work for me.
     
  9. weeming21

    weeming21 Member

    Did you log in to the cPanel account?

    I disabled all features, but I am still able to download files from the "download?" URL.

    cPanel 11.50
    CentOS 7
     


  10. 24x7ss

    24x7ss Well-Known Member

    Joined:
    Sep 30, 2014
    Messages:
    271
    Likes Received:
    16
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    Do you want to disable it completely and want to allow it to specific users?
     
  11. weeming21

    weeming21 Member

    Actually, I want to disable it if the "File Manager" feature is disabled,
    but even when I disabled all features, the function still works.

    I tried at http://x3demoa.cpx3demo.com:2082 and it did not work; it showed:

    download
    You do not have permission to access this page.
    Sorry, this feature is disabled in demo mode.

    That means the function can be disabled, right?
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You shouldn't need to give an email user any access to cPanel for those features. Provided the user logs in using a full email address as the username then, domain.com/webmail/ is where they should be logging in.
     
  13. weeming21

    weeming21 Member

    OK, maybe you still don't understand our need.
    We are web developers; we host our clients' websites on our server. We provide them a cPanel account so they can manage their own domain email accounts.

    So we must block their file access privilege, or else they can get our website source code.
     
  14. weeming21

    weeming21 Member

    How to disable it completely?
     
  15. weeming21

    weeming21 Member

    Does anyone know how to disable the download function in cPanel?
    e.g. http://www.xyz.com/cpsess1234567/download?skipencode=1&file=/home/user1/public_html/index.php

    I think it is a security bypass vulnerability.

    I already limit my cPanel customers to "email only" features, but they can use "download?skipencode=1&file=/home/user1/public_html/index.php" to download the source code.

    But in demo mode, when I try the download URL, it shows me "Sorry, this feature is disabled in demo mode."

    I can't find any hook to turn off or bail out of this function, please advise.

    It is very important for me, because I don't want to let my customers know our centralized database password from our PHP source code.
     
  16. Tom Risager

    Tom Risager Well-Known Member

    Joined:
    Jul 10, 2012
    Messages:
    107
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Copenhagen, Denmark, Denmark
    cPanel Access Level:
    Root Administrator
    The URL in your last post doesn't work (port number missing), but otherwise you're right. I see the same on our server, on a cPanel account with all features disabled - no icons at all. Looks like removing a feature from cPanel just hides it, making it harder (but not impossible) to access. Which is probably sufficient in the majority of cases.

    An obvious fix would be to use a different server for email, but perhaps that isn't possible in your case.
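
An added detection sketch, not part of any post in this thread and not cPanel code: since the posts above report that hiding features leaves the `download?` URL reachable, an administrator can at least audit which restricted accounts have requested it. The log layout (combined-log style, authenticated user in the third field), the sample lines, the user names and the `find_downloads` helper are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real logs). Assumed layout: combined-log
# style with the authenticated cPanel user in the third field.
SAMPLE_LOG = """\
203.0.113.7 - user1 [17/Jun/2015:09:12:01 +0800] "GET /cpsess4618130495/download?skipencode=1&file=%2fhome%2fuser1%2fpublic_html%2findex.php HTTP/1.1" 200 1842
203.0.113.7 - user1 [17/Jun/2015:09:12:40 +0800] "GET /cpsess4618130495/download?skipencode=1&file=/home/user1/public_html/config.php HTTP/1.1" 200 611
198.51.100.4 - user2 [17/Jun/2015:09:13:02 +0800] "GET /cpsess7781230001/frontend/x3/mail/pops.html HTTP/1.1" 200 9120
198.51.100.4 - user2 [17/Jun/2015:09:14:10 +0800] "GET /cpsess7781230001/download?file=notes.txt HTTP/1.1" 403 120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Path form taken from the URLs quoted in the thread: /cpsess<token>/download
DOWNLOAD_PATH_RE = re.compile(r'^/cpsess\d+/download$')

def find_downloads(log_text, mail_only_users):
    """Return download-endpoint requests made by accounts meant to be mail-only."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = urlsplit(m["target"])
        if not DOWNLOAD_PATH_RE.match(url.path):
            continue
        # parse_qs percent-decodes, so %2fhome%2f... and /home/... compare equal
        files = parse_qs(url.query).get("file", [])
        if not files or m["user"] not in mail_only_users:
            continue
        hits.append({"user": m["user"], "ip": m["ip"], "time": m["ts"],
                     "file": files[0], "served": m["status"] == "200"})
    return hits

if __name__ == "__main__":
    for hit in find_downloads(SAMPLE_LOG, {"user1", "user2"}):
        print(hit)
```

The `served` flag separates requests the server answered with 200 from ones it refused, which is the distinction the thread is arguing about.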
     
  17. weeming21

    weeming21 Member

    Is it possible to override the cPanel control panel URL?
    e.g.: override the URL https://www.domain.tld:2083/cpsess1234567890/xyz?kkkkk

    In Apache we can use .htaccess to rewrite the URL,

    but in cPanel, I put .htaccess inside the base directory but had no luck.

    Please advise.
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,724
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you elaborate further on why you need to redirect cPanel? You can review the "Redirection" options in "WHM >> Tweak Settings" if you prefer to redirect users to the hostname or SSL certificate name.

    Thank you.
     
  19. weeming21

    weeming21 Member

    Because I want to disable the /download? function in cPanel.
     
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Please note that cPanel access is going to provide the user with access to the account via FTP or SFTP where the user can download any files associated with the account. That being said, feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     