Turn off cPanel download feature

weeming21 (Active Member, joined Jun 13, 2015, Malaysia, cPanel Access Level: Root Administrator)
How do I turn off the download feature in cPanel?

Users can download any file via the download? link, even when the file_manager feature is disabled.
e.g.: /download?skipencode=1&file=%2fhome%2fc%2fpublic_html%2findex.php
 

weeming21 (Active Member, joined Jun 13, 2015, Malaysia, cPanel Access Level: Root Administrator)
After logging in to the cPanel frontend,
e.g. xyz.com:2083/cpsess4618130495/download?skipencode=1&file=/home/user/public_html/index.php

I only enable some mail-only features, but users are still able to download my source code through the URL.

I need to disable the "download?" API (maybe); please advise.
 

weeming21 (Active Member, joined Jun 13, 2015, Malaysia, cPanel Access Level: Root Administrator)
How does a normal user log in to your cPanel to do this?
They are not normal users.
They have a username and password to log in to a cPanel hosting account; we only enable some mail features (accounts, forwarders and autoresponders) for them,
but they can use the URL to download all our source code.

We need to protect our PHP source code, or else they can read our database password from the source.
 

Infopro (Well-Known Member, joined May 20, 2003, Pennsylvania, cPanel Access Level: Root Administrator)
They have a username and password to log in to a cPanel hosting account; we only enable some mail features (accounts, forwarders and autoresponders) for them.
You shouldn't need to give an email user any access to cPanel for those features. Provided the user logs in using a full email address as the username, then domain.com/webmail/ is where they should be logging in.
 

weeming21 (Active Member, joined Jun 13, 2015, Malaysia, cPanel Access Level: Root Administrator)
OK, maybe you still don't understand our need.
We are web developers; we host our clients' websites on our server. We provide them with a cPanel account so they can manage their own domain email accounts.

So we must block their file access privileges, or else they can get our website source code.
 

weeming21 (Active Member, joined Jun 13, 2015, Malaysia, cPanel Access Level: Root Administrator)
Does anyone know how to disable the download function in cPanel?
e.g. http://www.xyz.com/cpsess1234567/download?skipencode=1&file=/home/user1/public_html/index.php

I think it is a security bypass vulnerability.

I already limit my cPanel customers to "email only" features, but they can use "download?skipencode=1&file=/home/user1/public_html/index.php" to download the source code.

But in demo mode, when I try the download URL, it shows me "Sorry, this feature is disabled in demo mode."

I can't find any hook to turn off or bail out of this function; please advise.

It is very important for me, because I don't want to let my customers learn our centralized database password from our PHP source code.
 

Tom Risager (Well-Known Member, joined Jul 10, 2012, Copenhagen, Denmark, cPanel Access Level: Root Administrator)
The URL in your last post doesn't work (port number missing), but otherwise you're right. I see the same on our server, on a cPanel account with all features disabled - no icons at all. Looks like removing a feature from cPanel just hides it, making it harder (but not impossible) to access. Which is probably sufficient in the majority of cases.

An obvious fix would be to use a different server for email, but perhaps that isn't possible in your case.
 
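The two posts above establish the defender-relevant point: removing an item from a cPanel feature list hides the icon, but the underlying /cpsess…/download endpoint still answers for any authenticated account, so a mail-only customer can pull files such as public_html/index.php. Until the account design is fixed (webmail logins instead of cPanel logins, as Infopro suggests), a server administrator can at least detect such use from the cPanel service's access log. The script below is an added example, not code from the thread or from cPanel; the log layout it parses (client IP, a dash, the cPanel username, a bracketed timestamp, then the request line and status, in the style of Apache's combined format) is an assumption, the `MAIL_ONLY_USERS` set is a hypothetical local policy, and the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# ASSUMED log layout (not confirmed by the thread): combined-style access log
# with the authenticated cPanel username in the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The download endpoint seen in the thread sits directly under the session
# token: /cpsess<digits>/download?skipencode=1&file=<path>
DOWNLOAD_PATH_RE = re.compile(r'^/cpsess\d+/download$')

# HYPOTHETICAL policy: accounts that were only ever meant to manage email.
MAIL_ONLY_USERS = {"user1"}


def parse_line(line):
    """Split one access-log line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["path"])
    entry["endpoint"] = url.path
    # parse_qs also percent-decodes, so %2fhome%2f... and /home/... compare equal.
    entry["query"] = parse_qs(url.query)
    return entry


def flag_download(entry):
    """Return a finding for a /download call made by a mail-only account, else None.

    The status code is reported but not used as a filter: a 403 still shows
    that the account tried the endpoint, which is worth knowing.
    """
    if entry is None or entry["user"] not in MAIL_ONLY_USERS:
        return None
    if not DOWNLOAD_PATH_RE.match(entry["endpoint"]):
        return None
    files = entry["query"].get("file", [])
    return {
        "user": entry["user"],
        "ip": entry["ip"],
        "time": entry["ts"],
        "status": entry["status"],
        "files": files,
        # Web application source is the asset the thread is worried about.
        "web_source": any("/public_html/" in f for f in files),
    }


def scan(lines):
    """Run every line through the parser and return the list of findings."""
    return [f for f in (flag_download(parse_line(l)) for l in lines) if f]


# CONSTRUCTED sample log: a mail-only user browsing the mail screens (benign),
# the same user hitting /download twice (once with a percent-encoded path),
# and an unrestricted account downloading its own backup (not in scope).
SAMPLE_LOG = [
    '203.0.113.5 - user1 [13/06/2015:10:00:01 +0000] "GET /cpsess1234567/frontend/paper_lantern/mail/pops.html HTTP/1.1" 200 0 "" "Mozilla/5.0"',
    '203.0.113.5 - user1 [13/06/2015:10:00:09 +0000] "GET /cpsess1234567/download?skipencode=1&file=/home/user1/public_html/index.php HTTP/1.1" 200 0 "" "Mozilla/5.0"',
    '203.0.113.5 - user1 [13/06/2015:10:00:15 +0000] "GET /cpsess1234567/download?skipencode=1&file=%2fhome%2fuser1%2fpublic_html%2fconfig.php HTTP/1.1" 200 0 "" "Mozilla/5.0"',
    '198.51.100.7 - admin [13/06/2015:10:05:00 +0000] "GET /cpsess7654321/download?skipencode=1&file=/home/admin/backup.tar.gz HTTP/1.1" 200 0 "" "Mozilla/5.0"',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['time']} {finding['user']}@{finding['ip']} "
              f"status={finding['status']} web_source={finding['web_source']} "
              f"files={finding['files']}")
```

Run against a real log by replacing `SAMPLE_LOG` with the lines of the cPanel service's access log and `MAIL_ONLY_USERS` with the accounts whose feature list is restricted. The check deliberately keys on the endpoint path rather than on the feature list, because, as Tom Risager observed, the feature list only governs what is shown, not what the session is allowed to request.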

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello :)

Could you elaborate further on why you need to redirect cPanel? You can review the "Redirection" options in "WHM >> Tweak Settings" if you prefer to redirect users to the hostname or SSL certificate name.

Thank you.
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
I already limit my cPanel customers to "email only" features, but they can use "download?skipencode=1&file=/home/user1/public_html/index.php" to download the source code.
Please note that cPanel access is going to provide the user with access to the account via FTP or SFTP where the user can download any files associated with the account. That being said, feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.