Where has failurl moved to?

[MaraBlue]

I'm looking to customize/change the

failurl

for (failed) logins. As recently as WHM 11.28 the failurls file was located in /var/cpanel/failurls, but it's not there now in 11.32.3. I understand there was a security issue, from cPanel HTTP Response Splitting Vulnerability - cPanel Inc.

The ‘failurl’ parameter is not used in the default cPanel UI. Custom login pages and forms used by third parties do make use of this parameter. Beginning in cPanel 11.25.0 Build 43786 only ‘failurl’ values whitelisted by the system administrator will be processed by cPanel.

But I can't find anywhere to whitelist failurl.

 

[cPanelKenneth]

You have to create /var/cpanel/failurls. It is not created by cPanel & WHM.

 

[MaraBlue]

You have to create /var/cpanel/failurls. It is not created by cPanel & WHM.

Ahhhhh, I can do that. What syntax should it use? In all the docs, I haven't found an example, etc.

TIA!

OK, I take that back. I found this http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/FailUrl which lists:

Entries in this file must meet the following requirements:

Entries must be an exact match. Dynamic URLs are not acceptable.
Example: http://example.com/index.php?failed=1
Dynamic content on the login page must be passed via hidden POST variables. Using the GET query string will fail because it will not match any entry in the failurls file exactly.

But my question on syntax still remains. There's an example of the URL, but not how it should be matched up to which login failurl, etc. I'm hesitant to just guess what cPanel is looking for here.

 

[cPanelKenneth]

The entry in the file must match exactly the URL you want the user redirected to.

For example if I want to redirect users to the cpanel website, I would place this in the file:

http://www.cpanel.net

The document you point to could certainly use some help. The example URL is an example of what not to do.

Update:

Fixed phpBB's attempt to help me format urls.

 

[MaraBlue]

The entry in the file must match exactly the URL you want the user redirected to.

For example if I want to redirect users to the cpanel website, I would place this in the file:

http://www.cpanel.net

The document you point to could certainly use some help. The example URL is an example of what not to do.

Update:

Fixed phpBB's attempt to help me format urls.

Ahhhhh, OK, then it's easier than I first thought. I was thinking there would be a way to specify different failurls for different login types (webmail, cpanel, whm). But this works, I can deal with an all-in-one solution.

Thanks!

 

[MaraBlue]

Yeah....it's not working. I created the file "failurls" in /var/cpanel, owned by root (like the other files in that directory). Added a single url on the first line, saved file. Restarted cPanel with /usr/local/cpanel/startup

Now I get the Windows authentication login box, and then it directs to the old cPanel failed login page. Not what I wanted.

 

[cPanelKenneth]

The failurl feature only works with custom login forms. The form must supply the failurl parameter and value as part of the form submission. Something like:

<input type="hidden" name="failurl" value="http://example.com" />

Like I said in my earlier post, the failurls document could use some help

 

[MaraBlue]

Like I said in my earlier post, the failurls document could use some help

Yeah, it could.

 

[cPanelKenneth]

Yeah, it could.

Just to be clear, I notified documentation that document needs improvement.

If there are other questions related to this functionality, please feel free to ask. I'll answer them to the best of my ability.

 

[MaraBlue]

Thanks, I appreciate that!

 

[zegaroid]

First of all Thanks for the info above! i just have an additional question to this thread. Im just new to this so please bear with me...

Upon failure logging in, what i want is to show the error message only in my website not in cpanel like ex: www.domain.com:2082/xxxxx?failed=1. could that be possible?

It only works for me if you type username only, but if you add password, it starts redirecting to cpanel error login.

Please help. Thanks

 

[zegaroid]

Ok, so im using this code, but it takes me to cpanel error page. what i want is to show the error in my website itself. Please help. Thanks!

<?php
if($_POST['username'] && $_POST['pass'] && !($_GET['failed'] == "1")) {
    $port = $_POST['port']; // sets the port number to login to
    switch($port) {
      case '2082': // cPanel
      case '2086': // WHM
      case '2095': // Webmail
        $protocol = 'http://mydomain.com:';
        break;
      case '2083': // Secure cPanel
      case '2087': // Secure WHM
      case '2096': // Secure Webmail
        $protocol = 'https://mydomain.com:';
        break;
    }
  $redirectlocation = $protocol.$port.'/login/?user='.$_POST['username'].'&pass='.$_POST['pass'].'&failurl='.$_POST['failurl'];
  header ("Location: ".$redirectlocation);
} else {
  $error = 1;
  header ("Location: ".$_POST['failurl']);
}
?>

and this for my form:

<?php
echo '<input type="hidden" name="failurl" value="http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?failed=1">';
?>
<?php

 

[cPanelKenneth]

zegaroid, it seems like you are wanting to write a wrapper around our authentication system. I suggest you post to our developers forum ( cPanel Developers ) and read our developer documentation: cPanel & WHM's SDK.