User 1 can log in with User 2 PW?

mealto

Well-Known Member
Oct 20, 2006
175
0
166
Just noticed that when we accessed domain.com/cpanel and mistakenly entered ID + PW from domain2.com, we were able to log in. The URL indicates that we are on domain.com:2083/frontend/x/sql/index.html but the database we are looking at is from domain2.com. When clicking on phpmyadmin on this page, we are taken to the database on domain2.com. Yikes! Both of these domains run on the same VPS. Is this normal?
 

HelloAdam

Well-Known Member
Nov 6, 2005
145
0
166
Hey,

Yes it is! You can go to any domain and type /cpanel and login with any username and password of any account on that server. However the account informtaion you put will be same on what ever domain you are using. So you will also see domain2 users information visting domain1 and domain500 website...

From,
Adam
 

jayh38

Well-Known Member
Mar 3, 2006
1,213
0
166
If this bothers you, you can edit tweak settings and check the box:

When visiting /cpanel or /whm or /webmail with ssl redirect to the servers hostname.


This will require knowing the user name and pass unlike the original method
of automatically assuming the user name by visting the domain.

So, anyone visting any /cpanel url will be thrown to the host url without
being associated with a domain.
 

mealto

Well-Known Member
Oct 20, 2006
175
0
166
If this bothers you, you can edit tweak settings and check the box:

When visiting /cpanel or /whm or /webmail with ssl redirect to the servers hostname.
Would this add (even if it's slight) some security to the setup?

In fact, Cpanel default with the first 8 characters of the domain as the user ID. It would make sense to change this to add another layer of security then?
 

jayh38

Well-Known Member
Mar 3, 2006
1,213
0
166
Yes, that would add a lot more security as anyone wishing to login would not get the assumed user name by vising the domain of the account. Instead they have to know what the account name is and the password.

I try to encourage users to create names other than the easily guessed names cPanel creates based off the domain name.
 

mealto

Well-Known Member
Oct 20, 2006
175
0
166
Thanks Jay. I was thinking the same thing a few weeks back. Now I know and they have been changed. Thanks!