The Community Forums

Interact with an entire community of cPanel & WHM users!

Webadmin.php, possible fix ?

Discussion in 'General Discussion' started by GloVine, Oct 16, 2005.

  1. GloVine

    GloVine Member

    Jul 5, 2004

    I've noted that a user is using a file called webadmin.php to look through the entire server and its directories. It doesn't display all files, and if it does display one, it doesn't display all of its contents; however, I'm concerned that this could be a security risk to the server, since you are able to survey the root folders and their permissions.

    I've disabled items like the phpinfo function on the server, but would like to stop webadmin from being used, or at least any script that opens and displays directories outside of its own account.

    open_basedir protection is enabled.

    I can easily remove the account in question, but it doesn't really stop anyone from just re-uploading it to another account.

    Any ideas?
  2. chirpy

    chirpy Well-Known Member

    Jun 15, 2002
    You cannot prevent such scripts from being used; they're part of shared web hosting. You can restrict PHP to a degree by disabling certain functions, enabling safe mode, using mod_openbasedir and using phpsuexec. However, they'd probably then just use a Perl CGI script and get around all of that easily.

    The only realistic solution (apart from using phpsuexec which is probably the one option that can make a difference) is to ensure that you have good tight directory and file permissions on the server.

    If it's an issue for you or a customer, then you'd have to look at using VPS hosting for separate clients as it makes each account more discrete.
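The "tight directory and file permissions" advice above is the one control in the thread that holds regardless of which language the browsing script is written in, so here is an added example of what it looks like in practice. This is not code from the thread or from cPanel; it assumes a cPanel-style layout with one directory per account directly under a root such as /home, and the account names and scratch tree it operates on are constructed for the demonstration. One caveat worth adding to the open_basedir point: open_basedir only constrains PHP's own filesystem functions (fopen, opendir, file_get_contents and the like); a directory walker that shells out to ls through exec, system or shell_exec is not covered unless those functions are also listed in disable_functions, which is the same gap chirpy describes for Perl CGI.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel. Audits and
# tightens per-account home directories so that a directory-walking
# script run from one account cannot list the others. Assumes a
# cPanel-style layout with one directory per account directly under the
# root passed as $1 (normally /home); the demo below uses a scratch tree.
set -eu

# List account directories under $1 that any user can read (other-read
# bit set). A PHP or Perl script in another account can list these.
loose_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -004
}

# Number of such directories; zero is the target for a monitoring check.
loose_count() {
    loose_homes "$1" | wc -l | tr -d ' '
}

# Set every world-readable account directory under $1 to 0711: the owner
# keeps full access, the web server can still traverse into public_html
# (execute bit) to serve the site, but no other user can list the
# directory. Assumption: Apache serves sites by traversing into each
# home, as a non-suexec setup does; with phpsuexec a 0750 home plus a
# web-server group is the stricter alternative.
tighten_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -004 -exec chmod 0711 {} +
}

# True when the directory $1 has exactly the octal mode $2. Uses find
# rather than stat, whose flags differ between GNU and BSD userlands.
has_mode() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2")" ]
}

# --- Demonstration on a constructed scratch tree (not a real /home) ---
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/alice/public_html" "$demo_root/bob/public_html" "$demo_root/carol"
chmod 0755 "$demo_root/alice"   # common default: listable by everyone
chmod 0711 "$demo_root/bob"     # already tightened
chmod 0750 "$demo_root/carol"   # group-readable only, not world-readable

echo "world-readable homes before: $(loose_count "$demo_root")"   # 1
loose_homes "$demo_root"
tighten_homes "$demo_root"
echo "world-readable homes after:  $(loose_count "$demo_root")"   # 0
```

Run it against the real root (`loose_homes /home`) before `tighten_homes` so you see what will change; 0711 stops listing but not guessing, so a script that already knows another account's name can still stat known paths under it, which is the "very little they can find out, except how many accounts" residue brianoz mentions below.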
  3. brianoz

    brianoz Well-Known Member

    Mar 13, 2004
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    You could also ask the customer what they are doing and what they wanted to know, citing that there are privacy problems with them just trying to browse through the whole system.

    If the permissions are reasonable there's actually very little they can find out, except perhaps how many other accounts there are on the server.

    Finally, you could put a mod_security rule in to block webadmin.php - blocking it by name is easily worked around (although it would give them a good scare), but if you can work out what arguments webadmin uses you may be able to come up with a more generic block for it that isn't based on the script name. These blocks can be worked around but do serve to put the user on notice that you don't like them checking out the server too much.
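To make the mod_security suggestion concrete, here is an added example of both kinds of rule; it is not from the thread and not cPanel's own configuration. It is written in ModSecurity 2.x syntax, which postdates the 1.x releases current when this thread was posted. The rule ids are arbitrary, and the argument pattern is an assumption: nothing on the page records which parameters webadmin.php takes, so the name-independent rule instead refuses any request argument that is an absolute path into the account tree or system directories, or that contains a `../` component.

```apache
# Added example; not from the thread and not cPanel's own configuration.
# ModSecurity 2.x syntax. Rule ids 900001-900003 are arbitrary; choose ids
# that do not collide with any rule set you already load.
SecRuleEngine On

# 1. The block by script name. Trivially evaded by renaming the file, but
#    it costs nothing and the audit-log entry tells you who tried.
SecRule REQUEST_FILENAME "@rx /webadmin\.php$" \
    "id:900001,phase:1,deny,status:403,log,msg:'webadmin.php requested'"

# 2. A block that does not depend on the script name. Assumption: a
#    directory walker passes the path it wants to list as a request
#    argument, so any GET or POST parameter that is an absolute path into
#    the account tree or system directories is refused, whichever script
#    receives it. The directory list is an assumption; adapt it to the host.
SecRule ARGS "@rx ^/(home|etc|root|var|usr|proc)(/|$)" \
    "id:900002,phase:2,deny,status:403,log,msg:'absolute server path in request argument'"

# 3. The other way a browsing script leaves its own tree: a ../ component
#    in an argument. urlDecodeUni catches double-encoded variants; no
#    normalisePath here, because that transform would strip the ../ before
#    the regex sees it.
SecRule ARGS "@rx (^|/)\.\.(/|$)" \
    "id:900003,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'path traversal in request argument'"
```

Rule 2 will produce false positives for applications that legitimately pass absolute paths inside their own account (an uploader that posts /home/alice/public_html/uploads, say); exempt those per virtual host with `SecRuleRemoveById 900002` rather than loosening the global rule. As chirpy notes above, none of this touches a Perl CGI that hard-codes its paths and takes no arguments; the rules are a deterrent and an audit trail, not a boundary.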
