View Full Version : Scary CPanel/WHM Issue!
ServerSonic 08-18-2002, 10:31 PM Perhaps everyone already knows about this but I just found out about it...
Any website that is hosted on CPanel, if you type /bandwidth/ after the domain, you can view the bandwidth stats for that server. These stats also display ALL the domains hosted on that server!
Imagine your competitor just loading up your /bandwidth/ page and viewing all your hosted sites, they contact them all offering a better deal!
What I did is put a .htaccess file in /usr/local/bandmin/htdocs that blocks anyone not coming from my IP address. For those who have a CPanel server but don't understand .htaccess... here is the contents of the file. Remember to replace the x's with your IP address!
/usr/local/bandmin/htdocs/.htaccess
# Evaluate Deny first, then Allow, so the single Allow overrides the blanket Deny
order deny,allow
allow from xxx.xxx.xxx.xxx
deny from all
If you haven't already taken care of this problem I suggest you do ASAP. If you don't have a static IP, you can also setup password protection on it. Do a search for .htaccess on google:)
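An added example (not from this thread, and not cPanel or bandmin code) of the check a host would want after reading the post above: from an outside address, request /bandwidth/ on each of your servers and report whether the listing is open, behind a password (401), blocked (403) or absent (404). It assumes an exposed listing names each hosted domain in a link, which is how the extraction below works; the sample page embedded in the script is constructed for the self-test and is not real bandmin output.

```python
"""Audit hosts for an unauthenticated bandmin listing at /bandwidth/.

Added example, not from the original thread. The hostname extraction
assumes the listing links each hosted domain (an assumption, not a
bandmin fact); SAMPLE_LISTING below is constructed for the self-test.
"""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# A conservative hostname pattern: labels of [a-z0-9-], at least one dot.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


class LinkTextCollector(HTMLParser):
    """Collect the text of every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self._in_a = False
        self._buf = []
        self.texts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.texts.append("".join(self._buf).strip())
            self._in_a = False

    def handle_data(self, data):
        if self._in_a:
            self._buf.append(data)


def hosted_domains(html):
    """Distinct hostnames named by links in the page, sorted and lower-cased."""
    parser = LinkTextCollector()
    parser.feed(html)
    found = {t.lower() for t in parser.texts if HOSTNAME_RE.match(t.lower())}
    return sorted(found)


def classify(status, body=""):
    """Map an HTTP status (and body, for 200) to an audit verdict."""
    if status == 200:
        domains = hosted_domains(body)
        # 200 with no domain list is probably a custom page, not the listing
        return ("EXPOSED", domains) if domains else ("UNKNOWN", [])
    if status == 401:
        return ("PASSWORD", [])   # basic auth in place
    if status == 403:
        return ("BLOCKED", [])    # IP allow/deny or directory disabled
    if status == 404:
        return ("ABSENT", [])     # bandmin alias not present
    return ("OTHER", [])


def check_host(host, timeout=10):
    """Fetch http://host/bandwidth/ and classify the response."""
    req = urllib.request.Request(
        f"http://{host}/bandwidth/", headers={"User-Agent": "bandmin-audit/1.0"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(1_000_000).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify(err.code)
    except (urllib.error.URLError, OSError):
        return ("UNREACHABLE", [])


# Constructed sample page for the self-test; not real bandmin output.
SAMPLE_LISTING = """<html><body><h1>Bandwidth</h1><table>
<tr><td><a href="alpha.example/">alpha.example</a></td><td>1.2 GB</td></tr>
<tr><td><a href="www.beta.example/">www.beta.example</a></td><td>350 MB</td></tr>
<tr><td><a href="alpha.example/">alpha.example</a></td><td>(duplicate row)</td></tr>
</table><p>Generated by <a href="#">Bandmin</a></p></body></html>"""


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        verdict, domains = check_host(host)
        print(f"{host}: {verdict}" + (f" ({len(domains)} domains)" if domains else ""))
```

Run it from an address that is not in your Allow list: an IP-restricted server reports EXPOSED to the allowed address and BLOCKED to everyone else, so a check from the admin workstation proves nothing about the outside view.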
Nice post. It shows all subdomains and all.. I was like wtf..
I hope web hosts do disable access to it; I would hate for my information to be seen: how much transfer I use and all my hidden subdomains.. :O
Rochen 08-18-2002, 11:40 PM Yeah, was aware of this and already taken care of it, but thanks for reminding me :)
Rochen 08-18-2002, 11:46 PM Just as a side note, instead of blocking per IP. We just password protected it ;)
http://www.rochenhost.com/bandwidth/
RH Robert 08-18-2002, 11:51 PM It's been blocked most everywhere I know of
<edit> on second look, it's not blocked on many servers </edit>
interactive 08-18-2002, 11:54 PM Thank god I'm not using cPanel... lol
ServerSonic 08-19-2002, 12:03 AM Well I decided to post this after deciding to check if I was the only one, and upon loading the bandmin pages for several large hosting companies I decided that I obviously wasn't the last person on earth to realize this!
Rochen 08-19-2002, 12:06 AM ServerSonic - Does the bot know about this important issue yet? :D
ServerSonic 08-19-2002, 12:18 AM Originally posted by rochen
ServerSonic - Does the bot know about this important issue yet? :D
Not yet;-) I took him down for a while but you guys were having so much fun, perhaps I should keep him online if only for me to read the silly logs of people chatting. Can always use some humor when you haven't slept in 20 hours!
IGobyTerry 08-19-2002, 01:54 AM Wow, that is kinda cool. I don't think you'd have to worry about a competitor stealing your customers through that though, unless of course your customers were not satisfied with the service that you're providing.
ServerSonic 08-19-2002, 02:21 AM Well for the most part no, but I'm not one of those hosts that offers way too low prices in the requests forum... I actually make sure that I can afford to offer service to my customers each month. All someone needs to do is offer a few bucks off and some people are going to jump ship. Yeah, they'll probably be back later but I'd rather not give anyone this outlet, you know?
IGobyTerry 08-19-2002, 02:38 AM Yeah that is true. I'm currently working up the prices for my hosting company, along with the design. I swear I'm about ready to just go out and hire someone. I get done with a design and then I realize it looks like total crap.
ServerSonic 08-19-2002, 02:46 AM For those of you who want to password protect it here are instructions:
1) pico /usr/local/bandmin/htdocs/.htaccess
# Basic auth for the bandmin pages; the password file lives one directory
# above htdocs so the web server never serves it
AuthUserFile /usr/local/bandmin/.htpasswd
AuthGroupFile /dev/null
AuthName "Bandwidth Monitor"
AuthType Basic
# No <Limit GET POST> wrapper: limiting to GET/POST would leave other request methods unprotected
require valid-user
Hit Ctrl+X then Y and then Enter
2) htpasswd -c /usr/local/bandmin/.htpasswd username
(where username is the username you want to create)
enter your password
enter your password again
Edit: If you don't have htpasswd installed on your server you can go to http://www.euronet.nl/~arnow/htpasswd/ to generate one. Then just use pico to edit /usr/local/bandmin/.htpasswd and paste the line of text that the site gave you into it:)
You should be all set at this point!:-D
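An added example, not from the thread and not cPanel's or Apache's own code, that does locally what the post above suggests doing through a third-party web page: it writes the same `user:hash` line that `htpasswd -m` produces, so the password never leaves the server. The hash is Apache's `$apr1$` scheme (FreeBSD md5crypt with a different magic string), which any Apache that reads .htpasswd accepts. The user name `bandwidth` and the salts in the self-test are assumptions for illustration.

```python
"""Generate and verify Apache htpasswd entries locally ($apr1$ MD5 format).

Added example for this thread, not cPanel or Apache code. Replaces the
third-party web generator: the password is hashed on the box.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    # md5crypt's base64 variant: 6 bits at a time, least significant first
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def new_salt(length=8):
    """Random salt from the itoa64 alphabet (apr1 uses at most 8 characters)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def apr1_md5(password, salt):
    """Apache's apr1 hash: FreeBSD md5crypt with the magic string '$apr1$'."""
    pw = password.encode("utf-8")
    sl = salt[:8].encode("ascii")
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # mix in MD5(pw, salt, pw), 16 bytes per 16 bytes of password length
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # for each bit of the password length: a zero byte or the first password byte
    bit = len(pw)
    while bit:
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    # 1000 rounds of MD5 with md5crypt's fixed mixing schedule
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${sl.decode('ascii')}${encoded}"


def htpasswd_line(username, password):
    """One .htpasswd line, as htpasswd -m would write it."""
    if not username or ":" in username:
        raise ValueError("username must be non-empty and contain no ':'")
    return f"{username}:{apr1_md5(password, new_salt())}"


def verify_password(password, stored):
    """Check a password against a $apr1$salt$hash string in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_md5(password, parts[2]), stored)


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "bandwidth"  # assumed name
    print(htpasswd_line(user, getpass.getpass(f"Password for {user}: ")))
```

Append the printed line to /usr/local/bandmin/.htpasswd as root. Two things make Apache return Internal Server Error instead of a password prompt: a password file the web server's user cannot read (or that does not exist at the AuthUserFile path), and an AllowOverride setting for that directory that does not include AuthConfig. apr1 is only 1000 rounds of MD5, so on a newer Apache prefer `htpasswd -B` (bcrypt) where the build offers it; what matters most here is that the file sits outside htdocs, which the post already does.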
Servstra-Sales 08-19-2002, 05:16 AM Thanks for the heads up on this. I'll be passing this info onto our Server Admins to ensure the loophole is fixed, if it hasn't already been done.
SoftWareRevue 08-19-2002, 05:36 AM Thanks, Jordan.
Seems like this should have been part of the WHM news or something. Or some form announcement.
Techark 08-19-2002, 05:57 AM LOLOL there are a lot of hosts that do not read this forum that are going to be pissed:D
SoftWareRevue 08-19-2002, 06:00 AM Only if they find out. :rolleyes:
ned patter 08-19-2002, 06:12 AM Ohhhhhhhh interesting.
My host must be rich since there's well over 100 sites hosted so it says:eek: .
WebmastTroy 08-19-2002, 07:36 AM Very interesting, indeed. Thanks for the heads up. :)
Aplusmedia 08-19-2002, 09:56 AM Very interesting. Is this some kind of mistake or was it intended?
But I don't think this information is much use to anyone. I could be wrong.
baileysemt123 08-20-2002, 04:37 AM *giggles* It's always been this way, guys... I found out about it on the cpanel.net forums like a year ago.
Although thanks for the reminder, I have had some fun surfing the 'net tonight. :D
:D Bailey
MilkMan 08-20-2002, 12:59 PM Just checked out a few hosts to see what I could find, saw one that had almost 3200 sites (name based) on one IP.
akashik 08-20-2002, 02:47 PM it's not really a security risk as such, unless you have issues elsewhere. I suppose someone could write a script to collect the domains then probe them all for holes, anonftp etc.
Greg Moore
rockergrrl 08-20-2002, 02:56 PM Very weird...
Going to /bandwidth/ doesn't go anywhere on my server.. I just get a 404. I don't remember it ever being on my server -- unless the person that set up the server deleted bandmin from it at setup...dunno
*shrug*
Website Rob 12-04-2002, 05:32 PM Excellent post ServerSonic and nice one on moving the .htpasswd file one dir. up.
A question though, for any who would like to respond...
Not being all that familiar with Bandmin, how is it that it only shows the "Shared Virtual Host IP" for the Server itself, and not allocated Name Server IPs nor Dedicated?
And is anyone also using this method for the "manual" directory [ http://domain.com/manual/ ] or do most feel that area is not a biggie?
I've got people finding that directory through Search Engines. So I'm wondering how in heck it got in there -- definitely not my doing???
Mine is .hta password protected, but when I put my password in, it doesn't work.... Then again, I'm sure alan/splashhost did that for a reason.
dsotmoon 12-04-2002, 07:05 PM Forbidden
You don't have permission to access /bandwidth/ on this server.
----------------------------------------------------------------------------------
Does this mean the host has already fixed it from their end?
IGobyTerry 12-04-2002, 07:15 PM Yes Dsotmoon, either that or cpanel has corrected the problem.
cactus 12-04-2002, 09:03 PM Nope, Cpanel didn't fix it, You have to lock it yourself.
sasha 12-04-2002, 10:56 PM Originally posted by ServerSonic
Well for the most part no, but I'm not one of those hosts that offers way too low prices in the requests forum... I actually make sure that I can afford to offer service to my customers each month. All someone needs to do is offer a few bucks off and some people are going to jump ship. Yeah, they'll probably be back later but I'd rather not give anyone this outlet, you know?
Thnk you for an idea :D
http://www.serversonic.com/bandwidth/
ServerSonic 12-04-2002, 11:34 PM I'm not sure what your post is about sasha but if you are indicating that you want to see our hosted list then click away at that link, because its been password protected for quite some time now:)
Serversonic thanks for the guide on how to password protect it. Do you, or anyone else, know why I am getting the permission denied error when trying to write to the .htaccess file?
John
ServerSonic 02-11-2003, 02:23 PM You probably will have to be root when you try that:)
porcupine 02-11-2003, 06:41 PM might want to auth based on the system passwd file (might not, just an idea to verify against /etc/shadow or /etc/passwd, so that legit users can still see if they want to).
Personally i dont see the big deal, your users are gonna get spammed regardless if they're on the web.
You probably will have to be root when you try that
Thanks but I do have root access :) - I didn't, however, log in as root, but through the actual account which has root access.
John
porcupine, thanks for your suggestion :)
John
pattox 02-11-2003, 07:31 PM Mine doesn't load.
VNPIXEL 02-11-2003, 10:05 PM After I apply it, now I get Internal Server Error displayed. Weird. :)
Nicholas Brown 02-20-2003, 01:27 PM ahhhh the problems with GUI's - everyone forgets whats going on under the skin ;)
It's amazing, I've known this little 'feature' for almost two years, and there are still servers out there that haven't protected it :blush:
universal2001 02-20-2003, 01:43 PM Hahaha, you only found this out recently? This thing has existed in cPanel since the start of time! Muahahha, if only you knew how many customers you lost to me.. ;)
The Dude 02-20-2003, 04:13 PM That's neat, I'll be typing /bandwidth after domains and see what happens :)
The Dude (Hehehehe) :)
Layershift Andrew 05-16-2003, 03:00 PM Hmm ... I'm getting:
Forbidden
You don't have permission to access /bandwidth/ on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/1.3.27 Server at www.domain.com Port 80
Any ideas?
p.s. SERVERSONIC - Your bandmin directory is not currently password protected.
okihost 05-16-2003, 03:08 PM Looks like it is already disabled :)
Layershift Andrew 05-16-2003, 03:14 PM Hmm ... yeah - but I'd like to see it if possible, it just doesn't seem to want to let me. :-/
okihost 05-16-2003, 03:49 PM There are a couple lines in the httpd.conf that I had to take out to disable it.. Do a search in httpd.conf for /bandwidth/ and you should find it if it is just commented out.
Layershift Andrew 05-16-2003, 03:51 PM Nope it's not - I checked that. Also, it works fine without the "protection" detailed above.