Warning for everyone about major bug in cPanel/WHM that will not be fixed soon.

Discussion in 'General Discussion' started by naox, Apr 3, 2005.

  1. naox

    naox Well-Known Member

    Joined:
    Mar 23, 2004
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    I posted this bug into Bugzilla 3-4 times in the past year. Absolutely no fix.

    I warn everybody about a major security fix in cPanel that might allow stealing any password, really.

    The problem is if you have 2 servers with DNS clustering. Example:

    On server no. 1 you have an account with login admin, where you have your hosting site www.hostingsite.com.

    On server no. 2 someone else has an account. So now he types hostingsite.com into park domain in his cPanel. Voila! Now www.hostingsite.com points to his account, and with a little skill he can intercept many, many passwords.

    Why? Because cPanel, when parking a domain, doesn't check if the domain is already present in a DNS zone. It only checks if it is in httpd.conf for another user.

    An easy fix, you would say: don't allow parking of domains that are already in DNS zones. But no one cares, you know. The fix probably won't be made in 5-6 years, because it hasn't been in the last year or more since I first noticed the bug.

    It's just a warning for everyone.
     
  2. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    The fix would be a bit more involved, since WHM transfers allow you to transfer accounts between clustered DNS servers, so not allowing the account to be set up, full stop, would not be ideal.

    You do also need to know the accounts that are hosted on the other server to make use of this, but I would agree that it should be corrected, possibly limited to root transfers or some other ACL limitation.
     
  3. naox

    naox Well-Known Member

    I don't see a real connection between the needed 'do not allow parking domains that are in DNS from cPanel' and account transfer from WHM. It is in fact quite separate...

    It's quite simple. Users from cPanel (addon domains/parked domains) should not be allowed to park domains that have DNS zones on the local DNS server.

    In the current situation ANY user on your second clustered server can hijack your domain or any other on the other clustered server. Do you think of it as a little bug? :rolleyes:
     
    #3 naox, Apr 3, 2005
    Last edited: Apr 3, 2005
  4. DigitalN

    DigitalN Well-Known Member

    Completely separate? No, I don't think so, not really.
    That's why I suggested the requirement for an ACL to detect if the domain is being added by the root user or not. The processes for creating accounts/parks and anything else that creates accounts and DNS zones are highly relevant to each other, as they use the same code and ACL checks.

    What's to stop someone not parking the domain, but a reseller creating a new account? It's much the same as root transferring the account, as the account is created much the same as it would be if you logged into WHM and created it. It's not just limited to parked domains.
     
  5. naox

    naox Well-Known Member

    Then parking a domain from cPanel needs to have a pre-check before starting this all-in-one code.
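
The pre-check asked for in this post, together with the root ACL exemption suggested in post #4, as an added example that is not part of the thread and is not cPanel's code. The function names, data layout and all sample data except hostingsite.com are assumptions, and refusing subdomains of an existing zone goes beyond what the thread states.

```python
# Added illustration with hypothetical names and constructed data; not cPanel code.

def normalize(domain):
    """Lower-case, strip whitespace, the trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d

def covering_zone(domain, zones):
    """Return the zone equal to the domain or a parent of it, else None."""
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def park_allowed_local_only(domain, local_vhosts):
    """Behaviour described in the first post: only local httpd.conf is consulted."""
    return normalize(domain) not in local_vhosts

def park_allowed_cluster_aware(domain, requester, local_vhosts,
                               cluster_zones, is_root=False):
    """Also refuse when a zone already exists anywhere in the DNS cluster,
    unless root is acting (account transfer) or the requester owns the zone.
    requester and zone owners are (server, user) tuples."""
    name = normalize(domain)
    if name in local_vhosts:
        return False, "already configured in local httpd.conf"
    zone = covering_zone(name, cluster_zones)
    if zone is None:
        return True, "no existing zone in the cluster"
    if is_root:
        return True, "root override for zone " + zone
    if cluster_zones[zone] == requester:
        return True, "requester already owns zone " + zone
    return False, "zone %s already exists on %s" % (zone, cluster_zones[zone][0])

# Constructed sample state: zones known to the cluster, vhosts on server 2.
CLUSTER_ZONES = {"hostingsite.com": ("server1", "admin"),
                 "example.net": ("server2", "bob")}
SERVER2_VHOSTS = {"example.net"}

if __name__ == "__main__":
    other_user = ("server2", "user2")
    print(park_allowed_local_only("hostingsite.com", SERVER2_VHOSTS))
    print(park_allowed_cluster_aware("hostingsite.com", other_user,
                                     SERVER2_VHOSTS, CLUSTER_ZONES))
```
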
     
  6. DigitalN

    DigitalN Well-Known Member

    The best thing to do is as you have done: log a Bugzilla and wait for the devs to resolve the problem. Look objectively into having the issue resolved; rants seldom do any good. Following the Bugzilla requirement and letting the dev team know is the best that you can do.

    Where is the Bugzilla report? If you post the link to it, maybe people will vote on it.
     
  7. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    If it's a matter you wish to bring to their attention, forward the Bugzilla ID to security@cpanel.net.
     
  8. cPanelBilly

    cPanelBilly Guest

    Do NOT do this, forwarding bugs that are not of a security concern to security@ will get your email banned from the address.
     
  9. haze

    haze Well-Known Member

    My bad. I just thought if there was enough concern from the individual, it may have been the best way to get the attention of the devs.
     
  10. cgoleman

    cgoleman Member

    Joined:
    Nov 15, 2003
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Salt Lake City, UT
    Did I miss something or isn't this "a security concern" ?
     
  11. DigitalN

    DigitalN Well-Known Member

    I can't see the Bugzilla additions regarding this. Can the poster let us know which Bugzilla ID to look at? Also, did you send the bug to security@cpanel.net too?

    I do think it's a security issue, if it indeed exists, but a minor one that only servers in dns clusters would be vulnerable to. Still needs to be fixed if it's true.
     
  12. RAIS2

    RAIS2 Well-Known Member

    Joined:
    Jul 16, 2004
    Messages:
    186
    Likes Received:
    0
    Trophy Points:
    16
    As posted above by a cPanel dev and staff member, doing so can get your email blacklisted (banned) from the email address.

    As for it being a security threat, I don't think that it really is. Any (good and experienced) hacker can get that information by running scripts that are on the server; all he needs is an account with you. Although there should be some checks to ensure that the domain is not installed on your network of clustered servers.
     
  13. DigitalN

    DigitalN Well-Known Member

    I think this case qualifies for a legitimate security@cpanel.net email to point to the Bugzilla entry, if the bug actually does exist. ;)

    But the question is, has the poster actually posted the Bugzilla he has claimed he has, as he hasn't been back to verify that thus far.
     
  14. RAIS2

    RAIS2 Well-Known Member

    Case In Point
     
  15. DigitalN

    DigitalN Well-Known Member

    Not really case in point; cPanel Billy, imho, has misread this thread.

    It's a security issue to me, however you may classify it, so ignoring the thread when a security issue is announced and not taking it any further, imho is a bit irresponsible and saying that you will be banned from emailing cPanel if you do email them about it is also irresponsible and far from customer service acceptable standards, at least where I come from.

    Thank you.
     
  16. WillyMore

    WillyMore Active Member

    Joined:
    May 22, 2002
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Is this true?
     
  17. Onyx

    Onyx Member

    Joined:
    May 28, 2006
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Any word on if this bug can be verified and/or has been fixed?
     
