
Webadmin.php, possible fix ?

Discussion in 'General Discussion' started by GloVine, Oct 16, 2005.

  1. GloVine

    GloVine Member

    Jul 5, 2004

    I've noted that a user is using a file called webadmin.php to look through the entire server and its directories. It doesn't display all files, and if it does display one, it doesn't display all of its contents; however, I'm concerned that this could be a security risk to the server since you are able to survey the root folders and their permissions.

    I've disabled items like phpinfo functions on the server, but would like to disable webadmin from being used or at least any script that opens and displays directories outside of their account.

    open_basedir Protection is enabled.

    I can easily remove the account in question, but it doesn't really stop anyone from just re-uploading to another account.

    Any ideas?
  2. chirpy

    chirpy Well-Known Member Verified Vendor

    Jun 15, 2002
    You cannot prevent such scripts from being used, they're part of shared web hosting. You can restrict php to a degree by disabling certain functions, enabling safemode, using mod_openbasedir and using phpsuexec. However, they'd probably then just use a perl CGI script and get around all of that easily.

    The only realistic solution (apart from using phpsuexec which is probably the one option that can make a difference) is to ensure that you have good tight directory and file permissions on the server.

    If it's an issue for you or a customer, then you'd have to look at using VPS hosting for separate clients as it makes each account more discrete.
  3. brianoz

    brianoz Well-Known Member

    Mar 13, 2004
    Melbourne, Australia
    cPanel Access Level: Root Administrator
    You could also ask the customer what they are doing and what they wanted to know, citing that there are privacy problems with them just trying to browse through the whole system.

    If the permissions are reasonable there's actually very little they can find out, except perhaps how many other accounts there are on the server.

    Finally, you could put a mod_security rule in to block webadmin.php - blocking it by name is easily worked around (although it would give them a good scare) but if you can work out what arguments web admin uses you may be able to come up with a more generic block for it that isn't based on the script name. These blocks can be worked around but do serve to put the user on notice that you don't like them checking out the server too much.
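A check for the "tight directory and file permissions" advice in the replies above, added here as an example and not code from the thread or from cPanel: a Python audit that assumes a /home-style layout with one directory per account and reports which account directories any other local user (or a script like webadmin.php running as the web server user) could list or traverse. The sample tree it builds is constructed data.

```python
import stat
import tempfile
from pathlib import Path

# Hypothetical audit helper (not part of cPanel): look at the account home
# directories directly under a hosting root and classify each by what the
# "other" permission bits allow any local process to do with it.
#   listable    - o+r: directory entries can be enumerated
#   traversable - o+x only: a known path can be reached, but not enumerated
# Directories with neither bit set are not reported.

def world_accessible_dirs(root):
    """Return {account_name: 'listable' | 'traversable'} for directories
    directly under root whose 'other' bits grant read or execute."""
    findings = {}
    for entry in sorted(Path(root).iterdir()):
        if entry.is_symlink() or not entry.is_dir():
            continue
        mode = entry.stat().st_mode
        if mode & stat.S_IROTH:
            findings[entry.name] = "listable"
        elif mode & stat.S_IXOTH:
            findings[entry.name] = "traversable"
    return findings


def build_sample_tree():
    """Build a throwaway /home-like tree with mixed permissions. This is
    constructed sample data, not the layout of any real server."""
    root = Path(tempfile.mkdtemp(prefix="home_audit_"))
    for account, mode in (("alice", 0o755), ("bob", 0o711), ("carol", 0o750)):
        home = root / account
        (home / "public_html").mkdir(parents=True)
        home.chmod(mode)  # set after creating children so umask cannot interfere
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for account, access in world_accessible_dirs(sample_root).items():
        print(f"{account}: {access} by other")
```

A home directory that is traversable but not listable (0711 in the sample) is what a non-suexec Apache setup needs to reach public_html; the listable ones are the first to tighten.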
