Turn Password off For cPanel Account

cardine

Member
May 17, 2006
14
0
151
I have mysite.com, and I want to make it so that you do not have to log-in to cPanel.
I want everybody to be able to access all of cpanel on mysite.com without having to go through verification.
I can secure cPanel through other means, so may somebody let me know if this is even possible (could I do this by editing a file in cPanel since I have root access), and if it is possible could you explain to me how to do it, or at least point me in the right direction?

Thanks! :D
 

cardine

Member
May 17, 2006
14
0
151
Is there a specific function that cURL supports that allows me to do this?

I went through the site, and it seems like it could send user/password data behind the seens, but it doesn't seem like it removes the username/password system completely.

Is this what you think I should do? Is it just to impractical to completely get rid of a cPanel password?

Thank-you for your help so far! :D
 

cardine

Member
May 17, 2006
14
0
151
To secure my site :)

What I am doing is I am creating a script in which users can create accounts and then use everything that cPanel lets them do (databases, email, etc.). So I have one master account (since they will be given subdomains) and I have all of their stuff on one account. So I am using databases to remember which user has created which database, and to make sure none are created twice.

So now the tricky part is getting them logged into cpanel so I can do my manipulation (the actual manipulation is done through Iframes that have encrypted source code). For some reason the log-in doesn't work through iFrames, and I was thinking about doing a popup. This however leaves my username and password wide open.

So I thought why not just change the names of all of the cpanel files (so nobody could use them even with the username and password since my iFrames are encrypted) and then get rid of the login system altogether.

Then I could log-in by typing in http://www.mysite.com:2082/frontend/x/jaofijijojojo.html which is actually index.html (index.html is replaced with a script that closes itself in 5 seconds).

So to me this would actually be the most secure way since I have changed all of the paths of cPanel, and the login is the only thing that worries me.

I guess I could let everybody see my login since all of the names are switched around, but this is much more tedious and complex IMO.

It is basically a crazy and complex way (but it seems completely practical and do-able) to secure my site :D
 
Last edited:

timdorr

Well-Known Member
PartnerNOC
Jul 9, 2002
93
0
156
Atlanta, GA
cardine said:
(the actual manipulation is done through Iframes that have encrypted source code).
Wait, stop right there. There's *no* such thing as encrypted source code with HTML. I can tell you right now, without even looking at what you've done, that it's going to be easily hackable.

You're better off writing a frontend using PHP and HTTP_Client (http://pear.php.net/package/HTTP_Client)
 

cardine

Member
May 17, 2006
14
0
151
Hmmm...
I was under the impretion that this site http://www.protware.com would work.
Are you absolutely sure that this will not encrypt the html to an unreadable degree?

However if you think that even that is insecure I will take a look at the link you posted.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
34
473
Go on, have a guess
They're claims are simply wrong. As timdorr says, you cannot encrypt HTML - otherwise your web browser would not be able to display it. All they're doing is encoding the HTML which basically obfuscates the text. If your webbrowser can decode it, then you can decode it. While it might take a little bit of effort, it's not impossible and it's certainly not secure - security through obscurity should not be relied upon.
 

electric

Well-Known Member
Nov 5, 2001
790
11
318
I agree with the above. The "www.protware.com" website merely obfuscates the html code. It makes it "more difficult" for the average person to view the simple source.

But it can still be easily done, especially since protware.com is "open" code itself and the hacker could fairly simply see what kind of obfuscation techniques are being used.

There is NO WAY to encrypt html code that arrives at the end-user's browser. If there were, then you would 100% absolutely need a corresponding "decrypter" to be installed on your user's browser. This would then have the secret "decryption" method, etc. (unlock keys, etc.)

This is basically how SSL (https) works. It is encrypted on the server, and then decrypted in the web browser, because the web browser ALREADY has the descryption information in it, etc... That's why SSL certs don't work for EVERY browser... because the browser must already have the required decoder. (I know it's more complicated then this, but I'm just throwing out an example.)

Anyway, to accomplish what you want, you could use the cpanel un/pw in your URL, like this:

http://username:[email protected]/frontend/x2/index.html

But again... you're asking for trouble if you continue down the path you're on. Plain and simple. You can NOT encrypt your html code that arrives at the browser. It just can't be done. The system wasn't designed this way. (Although many wish it were!) The best you can hope for is to make it "more difficult" to hack your code. But a good hacker will have absolutely no problem to do this.

:(
 

electric

Well-Known Member
Nov 5, 2001
790
11
318
Look into the socket commands.

fsockopen() I think ...
 

mctDarren

Well-Known Member
Jan 6, 2004
665
9
168
New Jersey
cPanel Access Level
Root Administrator
cardine said:
Is there a specific function that cURL supports that allows me to do this?

I went through the site, and it seems like it could send user/password data behind the seens, but it doesn't seem like it removes the username/password system completely.

Is this what you think I should do? Is it just to impractical to completely get rid of a cPanel password?

Thank-you for your help so far! :D
Actually what I think you should do is stop trying to re-invent the wheel (with a square one), but I digress - hehe. Yes, curl will allow you to do a post behind the scenes and return the resulting page. I like the way it works, it handles cookies, SSL and will return a page within a var for you to manipulate if needed. Hope it helps...
 

cardine

Member
May 17, 2006
14
0
151
Well I had been looking into it after you recommended it and when I got PHP recently updated to PHP5 it came with cURL :D

I came up with this solution:
To avoid showing the entire cPanel file I will just copy another one into the cPanel directory and rename it (ex. doaddftp.html would be copied and renamed to doaddftp111.html) and this copied file will only include the actual processing (so it will not have the cPanel links and pictures but it will do all of the cPanel functions).

So I then created this standard code off of their tutorial/demo:
PHP:
$ch = curl_init(); 

curl_setopt ($ch, CURLOPT_URL, "http://myusername:[email protected]:2082/frontend/x/subdomain/doadddomain1.html?rootdomain=mysite.com&domain=$username"); 
curl_setopt ($ch, CURLOPT_HEADER, 0); 

curl_exec ($ch); 

curl_close ($ch);
I have tried this script on a bunch of things and it has worked each time! :D
It is also completely secure as it never outputs the username/password or the url that it retrieved the info from.
I have to thank all of you (especially Webtiva) for showing me that my script was insecure and giving me an easy way to fix it. If it wasn't for you guys I'm sure I would've been hacked. :D