WHM PHP access problem - vulnerability?

Specks

Well-Known Member
Jul 3, 2004
68
0
156
I'm programing a host manager for my site using the PHP library. I was testing the library playing around with the functions and a few things came up that concerned me.

  1. The "listpkgs" function not only lists my packages but everyone elses packages too.
  2. Why doesn't the PHP library have the same functionality as the Perl library does? There are a few functions missing.
    [/list=1]

    I don't need to see what other resellers are doing on my server. The fact that I can see them means that they can see me too. I don't want the other users/resellers to see what I'm doing and I really don't care as to what they're doing. Not to mention that this is extra data to deal with. I can determine the number of individuals on the server Im on and their usernames just by asking for this information through the library. This should be information that the host really doesn't want me to see. I think this is a vulnerability that needs to be addressed.
 

SarcNBit

Well-Known Member
Oct 14, 2003
1,001
3
168
Originally posted by networxhosting
Things like this should be sent directly to [email protected] and not posted publically in a forum (for obvious reasons; could give some unethical people some "ideas")

- domer
I am not sure how it rates as a vulnerability (but then again specks did put a question mark after the title).

If you think it is a problem with the design of the cpanel package, I suggest that you create a bug report.
 

Specks

Well-Known Member
Jul 3, 2004
68
0
156
I think it rates as one since half the battle of getting in to a system is getting the user name. The user name is prepended to each package name to identify that package to the user. Don't chide me for exposing a possible vulnerability. cPanel should have thought this function through and the way I see it, they didn't. I've seen worst vulnerabilities posted to this message board. Ones that would allow a user to gain control of a server that has cPanel installed unless they've closed it.
 

SarcNBit

Well-Known Member
Oct 14, 2003
1,001
3
168
Originally posted by Specks
Don't chide me for exposing a possible vulnerability.
I wasn't, but then again you probably weren't directing that at me :cool:

I am still not sure (I haven't tested it) how you can get the information without a valid logon. If you have a valid logon, then there are certainly more mischevious things that can be done besides listing web user account names in a shared environment.

No need to go round and round with this issue, I understand your point. I still think that filing a bug report is the best way to send a message to cpanel that you do not appreciate this "feature".
 

Specks

Well-Known Member
Jul 3, 2004
68
0
156
I went ahead and did what you (SarcNBit) and networxhosting had suggested. J. Nick Coston replied to me that my point was moot so I'll shut up about it and wait till they get bitten in the arse on this issue.