CPA NEL: Major Security Hole. I Mean Big. Gives Root Password

Portal Home > Knowledgebase > Articles Database > CPA NEL: Major Security Hole. I Mean Big. Gives Root Password

Posted by CymraegWalesHosting, 05-16-2007, 03:11 PM
Hey. I have just discovered a massive security in the CPANEL 10.9 software. This problem is in the BACKUP FEATURE. If you do remote ftp back onto the same account. It will put the file in the account home directory and it will have this type of stuff accountname:ROOTPASSWORD@serverhostname.com This is a major problem and needs to be fixed stright away. Thanks, Nathaniel
Posted by layer0, 05-16-2007, 03:17 PM
I have not been able to reproduce this on any of my servers. This is just a guess, and I could be wrong, but is the root password the same as this account's password ??
Posted by CymraegWalesHosting, 05-16-2007, 03:20 PM
nop. My root password is 15 characters long. The account password Mine is only 6. This is how i do it. Go into the account CPanel, Goto backup ? Generate full back up > FTP transfer. Type in the accounts FTP detials so it will send to it self. Type in the accounts user/pass then under dir put /www/backups/. I can do this on any of my servers. Thanks,
Posted by Engelmacher, 05-16-2007, 03:24 PM
Are you creating this backup while logged in as the root user?
Posted by Patrick, 05-16-2007, 03:34 PM
Wait a second... is the password plain text or MD5? Edit: I tried the method described above to both the local server and a remote server, and the only files ever created under the home directory were: backup-5.16.2007_16-36-25_USERNAME backup-5.16.2007_16-36-25_USERNAME.tar.gz .pureftpd-upload.464b5e2f.15.5e24.3ad9c111 Non of these files contained any passwords for root. Last edited by Patrick; 05-16-2007 at 03:44 PM.
Posted by HostRefugee-Vince, 05-16-2007, 03:50 PM
What is the name of the file it creates that has the root information. I am trying to reproduce it, but it doesn't look like I can. All the files in the homedir look normal, I haven't opened each one-by-one to check the contents though.
Posted by AH-Sal, 05-16-2007, 03:51 PM
I have not run into this problem... Seems like you have a specific method and setup causing this maybe?
Posted by Patrick, 05-16-2007, 03:58 PM
backup-5.16.2007_16-36-25_USERNAME ^^- Contains: "s 1149321187" backup-5.16.2007_16-36-25_USERNAME.tar.gz ^^- Contains the obvious. .pureftpd-upload.464b5e2f.15.5e24.3ad9c111 ^^- Unreadable content.
Posted by jpetersen, 05-16-2007, 04:01 PM
So you posted here instead of contacting the vendor of the software themselves? Email security at cpanel dot net and let them know about it.
Posted by Dave W, 05-16-2007, 04:03 PM
I think you should change your root password and try it again to see if the problem follows you, that would rule out commonality as well. Personally I think it's good that people post here, an email to cpanel security in tandem would be a good idea but they generally dont work very fast.
Posted by jpetersen, 05-16-2007, 04:08 PM
I have yet to find a faster, more responsive vendor than cPanel when it comes to reporting security related issues.
Posted by whmcsguru, 05-16-2007, 04:10 PM
I find it VERY hard to believe that this is the case. CPanel would never be reckless enough to give out the root password like this. Regardless, ftp is bad for backups anyways. Rsync is much better. No messy passwords
Posted by Dave W, 05-16-2007, 05:05 PM
I still have a bad taste in my mouth from the hostgator attack. Yes Cpanel is very good but responses from the community seem to be a bit faster. Not to mention the fact that notification of any possible vulnerability is a must.
Posted by jpetersen, 05-16-2007, 05:42 PM
Actually there was 1 other vendor who was very fast and responsive, so what I said isn't totally true. Funny - the same thing was being discussed on the cPanel forums earlier this morning and today. I was around during that time and personally I think cPanel was about on top of things as anyone can hope for. I honestly can't think of what more they could have done as far as getting information out there about the vulnerability and the patch. The blame was quick to be shifted to cPanel naturally because they wrote the code. However, bad code does happen, and in the end their actions were the complete opposite of some vendors who will downplay a security issue (I've ran into several that have done this), or even worse, not even bother to address the issue at all. I agree notification is a must, and the vendor is who should be notified - especially if you use the very software you're telling everyone about that could have a critical vulnerability. cPanel is very sensitive to security issues and will handle the situation accordingly. I feel quite confident of that. However, they must be notified by someone who can reproduce the issue first.
Posted by plumsauce, 05-16-2007, 05:59 PM
Well of course. Who in their right mind would write code that did this? Things do not get written to files by themselves. This is not about bad programming. It is about bad design.
Posted by Dave W, 05-16-2007, 06:14 PM
The only thing that irked me about the incident was that bad patches were pushed out and it was a clumbsy process geting everything fixed. I really think they need to look into a streamlined notification system. It should check the OS / CPanel Build and notify according to the WHM escalation proceedure if the threat pertains to that certain server. This would go a long way in helping keep everyone up to date in an emergency situation. they could even roll out the patches / fixes via the notification system instead of requiring people to read through pages and pages of people complaining about the issue. That would make this a good PR move as well because the crowd would not band together and start rioting, well they might but at least it wont be as common.
Posted by jonwatson, 05-16-2007, 06:32 PM
Back to the topic. Can anyone reproduce this? I sure can't. And good point about the passwords being MD5'd. How could a file end up with the root password concatenated to it?
Posted by whmcsguru, 05-16-2007, 06:49 PM
Nope Upon further reflection, more of a hole is poked in this: Ummmmmm, this is NOT a CPANEL backup. I hate to tell you but it's not. CPanel backup formats do NOT look like this.
Posted by HostRefugee-Vince, 05-16-2007, 06:53 PM
The OP referred to a cPanel backup (not a backup that is setup through WHM). http://www.webhostingtalk.com/showpo...88&postcount=3 Creating backups directly from cPanel does create a file like this: backup-DATE-##-USERNAME.tar.gz
Posted by foobic, 05-16-2007, 07:32 PM
Are you perhaps referring to the links under "Previous Full Backups saved in Home Directory", in the form: username:password@domain.com/backup-date-time-account.tar.gz If so that password is the one you're currently logged in with, not stored in the backup file or the user's directory. If you're logged in as root you'll see the root password, but when the user logs in they see their own password.
Posted by Dave W, 05-16-2007, 07:50 PM
whatever details you put in the FTP login information will show up..
Posted by Scott.Mc, 05-16-2007, 09:57 PM
I hate to tell you but cPanel does create backups in that format.
Posted by whmcsguru, 05-16-2007, 09:59 PM
When the user generates a full backup, yes, I misread the original post.
Posted by Scott.Mc, 05-16-2007, 10:02 PM
You quoted a post which was not made by the OP and you explicitly pointed out that it was not a cpanel backup based on a file name?
Posted by layer0, 05-16-2007, 10:13 PM
I bet thats the key to the issue here.
Posted by CymraegWalesHosting, 05-17-2007, 03:25 PM
Found the problem, I was logged in as root override. Hence the Users username and the root password. Thanks,
Posted by Engelmacher, 05-17-2007, 03:30 PM
How did I guess? Might want to check these things out before going on an alarmist tear next time around.
Posted by whmcsguru, 05-17-2007, 04:01 PM
It's still not good that the ROOT password is stored, but yes, that is the key to things.

Add to Favourites Print this Article