MaraBlue

Well-Known Member
May 3, 2005
332
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
I'm looking to customize/change the failurl for (failed) logins. As recently as WHM 11.28 the failurls file was located in /var/cpanel/failurls, but it's not there now in 11.32.3. I understand there was a security issue, from cPanel HTTP Response Splitting Vulnerability - cPanel Inc.:

> The ‘failurl’ parameter is not used in the default cPanel UI. Custom login pages and forms used by third parties do make use of this parameter. Beginning in cPanel 11.25.0 Build 43786 only ‘failurl’ values whitelisted by the system administrator will be processed by cPanel.

But I can't find anywhere to whitelist failurl.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
You have to create /var/cpanel/failurls. It is not created by cPanel & WHM.
 

MaraBlue

> You have to create /var/cpanel/failurls. It is not created by cPanel & WHM.

Ahhhhh, I can do that. :) What syntax should it use? In all the docs, I haven't found an example, etc.

TIA!

OK, I take that back. I found this http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/FailUrl which lists:

> Entries in this file must meet the following requirements:
>
> Entries must be an exact match. Dynamic URLs are not acceptable.
> Example: http://example.com/index.php?failed=1
> Dynamic content on the login page must be passed via hidden POST variables. Using the GET query string will fail because it will not match any entry in the failurls file exactly.

But my question on syntax still remains. There's an example of the URL, but not how it should be matched up to which login failurl, etc. I'm hesitant to just guess what cPanel is looking for here.
 

cPanelKenneth

The entry in the file must match exactly the URL you want the user redirected to.

For example if I want to redirect users to the cpanel website, I would place this in the file:

Code:
http://www.cpanel.net
The document you point to could certainly use some help. The example URL is an example of what not to do.

Update:

Fixed phpBB's attempt to help me format urls.
 

MaraBlue

> The entry in the file must match exactly the URL you want the user redirected to.
>
> For example if I want to redirect users to the cpanel website, I would place this in the file:
>
> Code:
> http://www.cpanel.net
> The document you point to could certainly use some help. The example URL is an example of what not to do.
>
> Update:
>
> Fixed phpBB's attempt to help me format urls.

Ahhhhh, OK, then it's easier than I first thought. :) I was thinking there would be a way to specify different failurls for different login types (webmail, cpanel, whm). But this works, I can deal with an all-in-one solution.

Thanks!
 

MaraBlue

Yeah....it's not working. I created the file "failurls" in /var/cpanel, owned by root (like the other files in that directory). Added a single url on the first line, saved file. Restarted cPanel with /usr/local/cpanel/startup

Now I get the Windows authentication login box, and then it directs to the old cPanel failed login page. Not what I wanted.
 

cPanelKenneth

The failurl feature only works with custom login forms. The form must supply the failurl parameter and value as part of the form submission. Something like:

Code:
<input type="hidden" name="failurl" value="http://example.com" />
Like I said in my earlier post, the failurls document could use some help :)
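
The exact-match rule described in this thread, applied inside a custom login script before it redirects to a submitted failurl. This is an added example, not code from cPanel or from any poster; the one-URL-per-line list format, the function names and the example.com URLs are assumptions.

```php
<?php
// Added example: exact-match allowlist check for a submitted failurl.
// Not cPanel's implementation; list format (one URL per line) is assumed.

// Parse allowlist text into a lookup table, ignoring blank lines.
function load_failurls($text) {
    $urls = array();
    foreach (preg_split('/\r\n|\r|\n/', $text) as $line) {
        $line = trim($line);
        if ($line !== '') {
            $urls[$line] = true;
        }
    }
    return $urls;
}

// Return the candidate only if it matches an entry byte for byte;
// otherwise return the fixed fallback URL.
function checked_failurl($candidate, $allowed, $fallback) {
    if (!is_string($candidate)) {
        return $fallback;
    }
    // CR or LF in a value headed for a Location header is what makes
    // response splitting possible, so reject it before comparing.
    if (strpbrk($candidate, "\r\n") !== false) {
        return $fallback;
    }
    return isset($allowed[$candidate]) ? $candidate : $fallback;
}

// Constructed sample data (hypothetical URLs).
$allowed  = load_failurls("http://example.com/login.php\nhttp://example.com/webmail-login.php\n");
$fallback = 'http://example.com/login.php';
$samples  = array(
    'http://example.com/webmail-login.php',            // listed exactly
    'http://example.com/webmail-login.php?failed=1',   // query string appended
    'http://example.com/webmail-login.php/',           // trailing slash added
    "http://example.com/webmail-login.php\r\nX-Test: 1", // embedded CR/LF
    'http://other.example.net/',                       // not listed
);
foreach ($samples as $s) {
    $ok = checked_failurl($s, $allowed, $fallback) === $s;
    echo json_encode($s), ' => ', ($ok ? 'accepted' : 'rejected'), "\n";
}
```

In a login script the value passed in would be the submitted failurl field, and the allowlist text would come from a file the administrator controls.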
 

cPanelKenneth

Yeah, it could.
Just to be clear, I notified documentation that document needs improvement.

If there are other questions related to this functionality, please feel free to ask. I'll answer them to the best of my ability.
 

zegaroid

Registered
Jun 15, 2012
2
0
1
cPanel Access Level
Reseller Owner
First of all, thanks for the info above! I just have an additional question to this thread. I'm just new to this so please bear with me...

Upon failure logging in, what I want is to show the error message only in my website, not in cPanel like ex: www.domain.com:2082/xxxxx?failed=1. Could that be possible?

It only works for me if you type username only, but if you add password, it starts redirecting to cPanel error login.

Please help. Thanks :)
 

zegaroid

OK, so I'm using this code, but it takes me to the cPanel error page. What I want is to show the error in my website itself. Please help. Thanks!

Code:
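<?php
// Forward the login to cPanel only when both credentials were posted
// and this request is not already the failed-login return trip.
$failed  = isset($_GET['failed']) && $_GET['failed'] == "1";
$failurl = isset($_POST['failurl']) ? $_POST['failurl'] : '';
if (!empty($_POST['username']) && !empty($_POST['pass']) && !$failed) {
    $port = isset($_POST['port']) ? $_POST['port'] : ''; // sets the port number to login to
    switch($port) {
      case '2082': // cPanel
      case '2086': // WHM
      case '2095': // Webmail
        $protocol = 'http://mydomain.com:';
        break;
      case '2083': // Secure cPanel
      case '2087': // Secure WHM
      case '2096': // Secure Webmail
        $protocol = 'https://mydomain.com:';
        break;
      default: // unknown port: stop instead of building a URL without a host
        header("HTTP/1.1 400 Bad Request");
        exit;
    }
  // URL-encode every submitted value that goes into the query string
  $redirectlocation = $protocol.$port.'/login/?user='.urlencode($_POST['username']).'&pass='.urlencode($_POST['pass']).'&failurl='.urlencode($failurl);
  header ("Location: ".$redirectlocation);
  exit; // stop after sending the redirect
} else {
  $error = 1;
  // Redirects to whatever failurl the form submitted
  header ("Location: ".$failurl);
  exit;
}
?>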
and this for my form:

Code:
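<?php
// Escape the server-derived values before writing them into the HTML attribute
echo '<input type="hidden" name="failurl" value="'.htmlspecialchars('http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?failed=1', ENT_QUOTES).'">';
?>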
<?php