Users able to switch to other user accounts?

jiska

Member
Mar 19, 2006
9
0
151
We have a major security issue where a user can log in to cPanel with their account credentials and then switch to any of the other accounts on our shared WHM platform using the dropdown user box in the General Information tab.

Does anyone know how we can disable this? Obviously, a user logging in and then being able to edit DNS records of other customers is a major security hole.
 

jiska

It says "Information: You are logged in as a reseller or root user" but that is definitely not the case.

The account that the user is logging in to cpanel with was created by a reseller account, and the user account itself has no reseller access - am I missing something somewhere?
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
In your first post screenshot, the blurred image does show a long list of accounts. Does this user own those accounts?

You might try clearing your browser cache or try another browser entirely to rule out browser cache issues.

Also, please do feel free to open a ticket directly to cPanel Technical Support if needed.
 

jiska

No.

The reseller account owns all the accounts in that list. I have no idea why an individual account has access to view all of that account's reseller accounts.

We've tried multiple browsers and multiple computers.
 

Infopro

> The reseller account owns all the accounts in that list.
You are logged in as root or Reseller according to that message.

Change this setting:

WebHost Manager » Server Configuration » Tweak Settings, System Tab:

Code:
Accounts that can access a cPanel user account:
This setting specifies who can access a user’s cPanel account. Account-Owner refers to the particular reseller that owns the user account. Note: Disabling root access here will also disable root’s access to the Branding Editor in WHM.
To: cPanel User Only
 
jiska

I know that's what the message is saying, but I am 100% not logged in as a reseller or root.

I'm logged in to cPanel with the end user account, who is not a reseller.
 

jiska

For some dumb reason, it looks like we are. Changing it for the reseller account fixed the issue - thanks heaps. Looks like I'll be having stern words with some staff.

Bizarre, though, that cPanel ignores the logged-in user and assigns privileges based on a password?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
> Bizarre, though, that cPanel ignores the logged-in user and assigns privileges based on a password?
Hello @jiska,

This behavior is controlled by the feature referenced in the earlier post, found under the System tab in WHM >> Tweak Settings:

Accounts that can access a cPanel user account

Per its description:

This setting specifies who can access a user’s cPanel account. Account-Owner refers to the particular reseller that owns the user account. Note: Disabling root access here will also disable root’s access to the Branding Editor in WHM.

Thus, if you set this to "cPanel User Only", then the account selection drop-down box will not appear when logged into cPanel with the root password or the account owner (reseller) password.

Thank you.
 

jiska

Thank you for this. Changing that setting to "cPanel User Only" fixed the problem. Odd that this is not the default setting.

Appreciate your help.