New on LowEndTalk? Please Register and read our Community Rules.
Is cPanel really secure?
To investigate a pwn I logged into one of my users' cPanel accounts and found these things. Although some of these are very old issues nobody cares about, and some of you are well aware of them.
- If your user has any vulnerable script that can change the .contactemail or .cpanel/contactinfo file, a password reset would be enough to gain access. Although the administrator can decide to disable password reset by mail. But shouldn't this only be allowed to cpsrvd/any other cPanel daemon?
- I can get complete OS info, other resellers' usernames and the users they own from the .cpanel folder of a user account, which is not visible in the UI.
- .lastlogin can easily be tampered with from the file manager/vulnerable scripts.
- I can tamper with other UI elements and stored data to completely hide my footprints and keep my access.
These are only a few; I believe LET experts know more ways to exploit a cPanel user account. But don't you think cPanel should at least keep some control to itself, like it does in other ways (hmmm)...
Comments
If you want convenience, install cPanel.
If you want security, delete cPanel and:
If you want to surprise anyone new to things, SSH into a dreamhost server (not cPanel) and cat / etc / passwd (cloudflare hates that without spaces). It's perfectly normal and acceptable for a privileged linux user to be able to access that file, but almost anyone new to things will jump and say "Vulnerability discovered. I can list every user on this box."
This is to say that while you may have discovered some things, some others may simply be normal and not strike you as acceptable at first glance. Jailshell is a good solution to most of that though, but that's not a "normal" standard, otherwise it would be the default behavior of the Linux shell for a privileged user.
As for cPanel password resets, that's stored in /var/cpanel/users and the user's scripts/file manager can't change that. But if the user has cPanel access, they can edit their contact email, which will trigger a function that edits that file appropriately. Of course, once you have cPanel access... you have cPanel access, you don't need to try to get it.
It's normal for a privileged user to be able to edit their bash history and things like that. But login logs above the user level exist so a "lastlogin" file owned by the user would just be a reference point, not a serious security file. In fact, ALL cPanel access logs are above the user level. User can't edit those.
If you're really just concerned that someone can log in to cPanel as you and you not be aware of it, enable 2FA.
If you want a real vulnerability: most people don't know that their cPanel contact email is created by the provisioning module (WHMCS, etc.), and if they change their billing email, they are not changing their cPanel contact email. Most don't even know it's a thing, so that could be a forgotten detail that is later used against them by an attacker.
Personally, I don't let cPanel send password resets. I filter them out in rspamd.
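As an added example (not from any poster in this thread), here is a defender-side audit that cross-checks the user-writable ~/.contactemail against the root-owned /var/cpanel/users/<user> entry discussed above, and also flags contact addresses that no longer match the billing system, the forgotten-detail case from the previous post. It assumes the /var/cpanel/users file is KEY=VALUE lines containing CONTACTEMAIL and that ~/.contactemail holds one or more addresses, comma- or newline-separated; all sample data is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (not taken from a real server).
# Assumption: /var/cpanel/users/<user> is a root-owned KEY=VALUE file
# containing CONTACTEMAIL, and ~/.contactemail (user-writable) holds the
# same address(es), comma- or newline-separated.
SAMPLE_USERS = {
    "alice": ("USER=alice\nOWNER=root\nCONTACTEMAIL=alice@example.com\n",
              "alice@example.com\n"),
    "bob":   ("USER=bob\nOWNER=reseller1\nCONTACTEMAIL=bob@example.net\n",
              "attacker@example.org\n"),           # home copy tampered
    "carol": ("USER=carol\nOWNER=root\nCONTACTEMAIL=old-billing@example.com\n",
              "old-billing@example.com\n"),       # stale since provisioning
}
# Constructed billing-system export: the address each customer uses today.
BILLING_EMAILS = {"alice": "alice@example.com", "bob": "bob@example.net",
                  "carol": "carol.new@example.com"}

def parse_cpanel_user_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and comments are skipped."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        data[key.strip()] = value.strip()
    return data

def parse_contact_list(text: str) -> set:
    """Normalise a comma/newline separated address list to a lowercase set."""
    return {a.strip().lower() for a in re.split(r"[,\n]", text) if a.strip()}

def audit(users=SAMPLE_USERS, billing=BILLING_EMAILS) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs a sysadmin should look at."""
    findings = []
    for user, (cpanel_text, home_text) in users.items():
        root_side = parse_contact_list(
            parse_cpanel_user_file(cpanel_text).get("CONTACTEMAIL", ""))
        home_side = parse_contact_list(home_text)
        if root_side != home_side:
            # cpsrvd keeps both copies in sync when the UI is used; a
            # difference means the user-writable copy was edited another way.
            findings.append((user, "home .contactemail differs from /var/cpanel/users"))
        current = billing.get(user, "").lower()
        if current and current not in root_side:
            findings.append((user, "contact email no longer matches billing email"))
    return findings

if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user}: {finding}")
```

On a real server the two text blobs per user would be read from disk as root, and the billing map exported from WHMCS or whatever provisioning module is in use.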
You purchase classic cPanel or DirectAdmin shared hosting. You host 10 websites there on 1 account (not a reseller one, a regular shared one), for example. 1 website hacked -> goodbye all websites.
That's how things work. This is awful, and I do not understand why these things are not fixed, limited, restricted, etc.
I found only 2 panels that do not have such a big impact if one website is hacked.
It's HestiaCP and CyberPanel, because each website is isolated. CyberPanel is the absolute winner here, because they create a separate user for each website.
That's my few cents. I wish to read messages below mine about how things are going in cPanel and how to prevent hacking all websites on 1 shared account.
P.S. You can google for web shells on GitHub and try it yourself; you will see how bad things really are.
CyberPanel can easily get pwned. Like foo and root access. Haven't looked that much into HestiaCP yet but found 3 bugs on the first run.
Well, that might not be a big issue, but any pwn attempt starts with information gathering. The more you can get, the more your chances increase.
Afaik there's a way to disable that form. I have seen providers that don't have password resets. You don't need to deal with rspamd at all for this.
I gave my dollos to Purple Daddy. Can't install cPanel anymore. My pockets are empty AF.
Truthfully I use it to filter out more than just that, I don't like cPanel sending any notifications for any reason.
CyberPanel is currently working with Rack911 to fix issues.
Yes, but there are still many issues here and there that are not discovered (yet) by Rack911. Recently an independent researcher released an exploit that passed the disclosure timeline. After disclosure it was quickly patched, leaving certain things broken. There are still some vulnerabilities in CyberPanel that can help gain root access with help from other vulnerable software in the supply chain.
The most secure Web Control Panel is KeyHelp.
https://www.keyhelp.de/en/
Instead of just saying something is the most secure, it would be helpful to include info on what you found path-breaking to support your statement.