
Users able to switch to other user accounts?

Discussion in 'General Discussion' started by jiska, Jul 25, 2018.

  1. jiska

    jiska Member

    We have a major security issue where a user can log in to cPanel with their account credentials and then switch to any of the other accounts on our shared WHM platform using the dropdown user box in the General Information tab.

    Does anyone know how we can disable this? Obviously a user logging in and then being able to edit DNS records of other customers is a major security hole.

  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    If you click that red icon top right, it should say something about you being logged in as root or Reseller to one of his owned accounts. That menu should not be viewable for anyone else, otherwise.
  3. jiska

    jiska Member

    It says "Information: You are logged in as a reseller or root user" but that is definitely not the case.

    The account that the user is logging in to cpanel with was created by a reseller account, and the user account itself has no reseller access - am I missing something somewhere?

  4. jiska

    jiska Member

    This is the user that is logging in to cPanel.

  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    In your first post screenshot, the blurred image does show a long list of accounts. Does this user own those accounts?

    You might try clearing your browser cache or try another browser entirely to rule out browser cache issues.

    Also, please do feel free to open a ticket directly to cPanel Technical Support if needed.
  6. jiska

    jiska Member

    No.

    The reseller account owns all the accounts in that list. I have no idea why an individual account has access to view all of that account's reseller accounts.

    We've tried multiple browsers and multiple computers.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You are logged in as root or Reseller according to that message.

    Change this setting:

    WebHost Manager » Server Configuration » Tweak Settings, System Tab:

    Code:
    Accounts that can access a cPanel user account: [?]
    This setting specifies who can access a user’s cPanel account. Account-Owner refers to the particular reseller that owns the user account. Note: Disabling root access here will also disable root’s access to the Branding Editor in WHM.
    To: cPanel User Only
     
  8. jiska

    jiska Member

    I know that's what the message is saying, but I am 100% not logged in as a reseller or root.

    I'm logged in to cPanel with the end user account, who is not a reseller.
     
  9. sparek-3

    sparek-3 Well-Known Member

    You're not by chance using the same password for the user level account as your root or reseller password?
     
  10. jiska

    jiska Member

    For some dumb reason, it looks like we are. Changing it for the reseller account fixed the issue - thanks heaps. Looks like I'll be having stern words with some staff.

    Bizarre, though, that cPanel ignores the logged in user and assigns privileges based on a password?
     
  11. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @jiska,

    This behavior is controlled by the feature referenced in the earlier post, found under the System tab in WHM >> Tweak Settings:

    Accounts that can access a cPanel user account

    Per its description:

    This setting specifies who can access a user’s cPanel account. Account-Owner refers to the particular reseller that owns the user account. Note: Disabling root access here will also disable root’s access to the Branding Editor in WHM.

    Thus, if you set this to "cPanel User Only", then the account selection drop-down box will not appear when logged into cPanel with the root password or the account owner (reseller) password.

    Thank you.
     
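Added example, not code from this thread or from cPanel itself: a small Python model of the behaviour the thread converges on. A user logs in with their own credentials; when the "Accounts that can access a cPanel user account" setting permits root or the account owner to access the account, a password that also verifies against the root or owning-reseller hash is treated as a root/reseller session and the account-switch list appears. With the setting at "cPanel User Only" no such inference happens. The account names, the PBKDF2 hashing, the setting labels and the `find_password_reuse` check (a control to run at reseller password-change time) are all constructed assumptions for illustration.

```python
"""
Constructed model of the login behaviour described in the thread.  The hashing
scheme, account data and setting labels are assumptions, not cPanel's code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000

# Constructed labels for the two relevant values of the WHM tweak setting.
ROOT_AND_OWNER = "root_and_account_owner"   # root and the owning reseller may access
CPANEL_USER_ONLY = "cpanel_user_only"        # the fix recommended in the thread


@dataclass
class Account:
    name: str
    owner: Optional[str]   # "root" for reseller-level accounts, reseller name for users
    salt: bytes
    digest: bytes


def make_account(name, owner, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return Account(name, owner, salt, digest)


def verify(account, password):
    """Constant-time check of a password against one account's salted hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, ITERATIONS)
    return hmac.compare_digest(candidate, account.digest)


def owned_by(accounts, principal):
    """Accounts the principal may switch to: root sees everyone else,
    a reseller sees only the accounts it owns."""
    if principal == "root":
        return sorted(a.name for a in accounts.values() if a.name != "root")
    return sorted(a.name for a in accounts.values() if a.owner == principal)


def login(accounts, setting, username, password):
    """Return (effective_principal, switchable_accounts), or None on bad credentials."""
    user = accounts.get(username)
    if user is None or not verify(user, password):
        return None
    if setting == CPANEL_USER_ONLY:
        # Only the user's own credentials count; no privilege is inferred.
        return username, []
    # ROOT_AND_OWNER: the same password also unlocking root or the owning
    # reseller is taken as a root/reseller session (the thread's symptom).
    for candidate in ("root", user.owner):
        if candidate and candidate != username and verify(accounts[candidate], password):
            return candidate, owned_by(accounts, candidate)
    return username, []


def find_password_reuse(accounts, principal, password):
    """Defender check at password-change time: which accounts under a privileged
    principal would accept the principal's (new) password?  Any hit is a reuse
    that would turn a plain user login into a switchable session."""
    return [name for name in owned_by(accounts, principal) if verify(accounts[name], password)]


def build_demo():
    """Constructed accounts: the reseller and 'alice' share a password."""
    accounts = {}
    for name, owner, pw in [
        ("root", None, "root-secret-1"),
        ("resell1", "root", "shared-pass-2"),
        ("alice", "resell1", "shared-pass-2"),   # reused reseller password
        ("bob", "resell1", "bob-only-3"),
        ("carol", "resell1", "carol-only-4"),
        ("dave", "root", "dave-only-5"),
    ]:
        accounts[name] = make_account(name, owner, pw)
    return accounts


if __name__ == "__main__":
    accts = build_demo()
    print(login(accts, ROOT_AND_OWNER, "alice", "shared-pass-2"))   # reseller session
    print(login(accts, CPANEL_USER_ONLY, "alice", "shared-pass-2"))  # plain user session
    print(find_password_reuse(accts, "resell1", "shared-pass-2"))    # ['alice']
```

Running the block shows both halves of the thread's fix: changing the setting removes the switcher even while the passwords still collide, and the reuse check flags the collision itself so the reseller password can be rejected before it is ever shared with a customer account.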
  12. jiska

    jiska Member

    Thank you for this. Changing that setting to "cPanel User Only" fixed the problem. Odd that this is not the default setting.

    Appreciate your help.
     