Author Topic: Bug: Imported cpanel account with FTP path set outside of user home dir . . .  (Read 4805 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
There is potentially serious bug when importing cpanel account backup.

Scenario:

Root account can edit ftp account homedir folder in pure-ftpd conf file.

For example, account home folder is  /home/account/ftpaccount but  can be edited into / *

Pack such account and import into CWP and said ftp account now have read only access to root directory /. Potential attacker can prepare such account and gain access to all user files on new server.
Cpanel does necessary checks and fixes  such "errors" automatically.
« Last Edit: April 16, 2020, 02:32:55 PM by legija »

I'd suggest that this is actually a flaw of WHM/cPanel and any root of any system can pretty much do as they please.
Not sure how the impetus is on CWP to fix this particular issue. I guess CWP "could" take the path and change it from absolute to relative, to the user's home directory but that may well create more issues than it fixes.  :-\
« Last Edit: April 16, 2020, 02:48:19 PM by ejsolutions »

Offline
*
If you get such packed backup to import into CWP  server then its of course CWP issue, no ?
In any case this is serious security problem.

In any case this is serious security problem.
Caused by the bad actions of the root user on cPanel, in your example.

Offline
*
In any case this is serious security problem.
Caused by the bad actions of the root user on cPanel, in your example.

My point exactly.
You get customer with such prepared backup, who innocently says "hey can you import my cpanel backup" . ..

So your expectation is for CWP to scan all files from a backup generated on a different system and fix security flaws. That's unreasonable. IMHO.
IF, however all services, such as FTP are run in a chroot environment then it becomes a moot point i.e. restricted access by design.
« Last Edit: April 16, 2020, 07:20:29 PM by ejsolutions »

Offline
*
Chroot is by default on, but that doesn't prevent such account from read access.
I don't expect anything, I just pointed out that there is problem which can be possibly fixed by reworking cpanel import scripts, or simple warning displayed about possible security threat.

I'm very happy so far with CWP, guys behind it must be supported financially and paying for CWP Pro license is least of what any of us should do.
So your expectation is for CWP to scan all files from a backup generated on a different system and fix security flaws. That's unreasonable. IMHO.
IF, however all services, such as FTP are run in a chroot environment then it becomes a moot point i.e. restricted access by design.


I don't expect anything, I just pointed out that there is problem which can be possibly fixed by reworking cpanel import scripts, or simple warning displayed about possible security threat.
Fair enough. Sorry if I seemed like I was adversarial - I play the Devil's Advocate, from time to time. ;)
You are quite right to point out possible issues.
..must be supported financially and paying for CWP Pro license is least of what any of us should do.
That's why I bought two licenses, after donating a small amount whilst I first tried it out. I only have one 'live' client website of any consequence on CWP though.

Offline
*****
Thanks for commenting, this will be solved in our next version!