The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

User 1 can log in with User 2 PW?

Discussion in 'General Discussion' started by mealto, Nov 13, 2006.

  1. mealto

    mealto Well-Known Member

    Joined:
    Oct 20, 2006
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    Just noticed that when we accessed domain.com/cpanel and mistakenly entered ID + PW from domain2.com, we were able to log in. The URL indicates that we are on domain.com:2083/frontend/x/sql/index.html but the database we are looking at is from domain2.com. When clicking on phpmyadmin on this page, we are taken to the database on domain2.com. Yikes! Both of these domains run on the same VPS. Is this normal?
     
  2. HelloAdam

    HelloAdam Well-Known Member

    Joined:
    Nov 6, 2005
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Hey,

    Yes it is! You can go to any domain and type /cpanel and login with any username and password of any account on that server. However the account informtaion you put will be same on what ever domain you are using. So you will also see domain2 users information visting domain1 and domain500 website...

    From,
    Adam
     
  3. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    If this bothers you, you can edit tweak settings and check the box:

    When visiting /cpanel or /whm or /webmail with ssl redirect to the servers hostname.


    This will require knowing the user name and pass unlike the original method
    of automatically assuming the user name by visting the domain.

    So, anyone visting any /cpanel url will be thrown to the host url without
    being associated with a domain.
     
  4. mealto

    mealto Well-Known Member

    Joined:
    Oct 20, 2006
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    Would this add (even if it's slight) some security to the setup?

    In fact, Cpanel default with the first 8 characters of the domain as the user ID. It would make sense to change this to add another layer of security then?
     
  5. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    Yes, that would add a lot more security as anyone wishing to login would not get the assumed user name by vising the domain of the account. Instead they have to know what the account name is and the password.

    I try to encourage users to create names other than the easily guessed names cPanel creates based off the domain name.
     
  6. mealto

    mealto Well-Known Member

    Joined:
    Oct 20, 2006
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    Thanks Jay. I was thinking the same thing a few weeks back. Now I know and they have been changed. Thanks!
     
Loading...

Share This Page