Results 1 to 3 of 3
  1. #1
    Join Date
    May 2013
    Location
    India
    Posts
    747

    cPanel account restore - possible security risk

    Hello,

    I am not sure if it is already discussed. But I feel this should be fixed asap ( must of simple for cPanel guys ).

    Today I have been playing with my test cPanel server. I thought to have some look into the reseller settings today and I found a serious anomaly while my works. On now..what it is…

    I know very rarely we need the “All Features (warning: total and complete access)” privilege granted for a reseller. Because that privilege will give root level access to the reseller on the server, which is not allowed. So generally no-one with a root level WHM access is not able to create a reseller with all privileges. So it is obvious that anyone with root privilege ( like VPS owners ) can create “all privilege” reseller. Now what happened when we restore such a reseller to a server? What changes does it make compared to a normal user or a reseller without any privilege? So far I couldn’t find any. I couldn’t find any specific messages or difference in restore process for a normal user, reseller without “all” privilege” or with “all” privilege. I could find common message only with any of them ( in fact the admins I found don’t worry about the restore messages until they find any specific error while restoration ).

    <<snipped>>
    Last edited by bear; 10-21-2013 at 11:04 AM.

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    This is a well known issue. This has been known for years and any admin who works with cpanel servers needs to know this.

    First off, restoring an untrusted backup without investigating it is a horrible idea, there is multiple ways you can compromise a server with it. They are building an untrusted backup restore system.

    http://forums.cpanel.net/f185/restor...es-347802.html

    Second, you should always restore with --skipres to keep that 'all' feature from being added.

    root@server [/home]# /scripts/restorepkg
    warn [restorepkg] Missing or invalid argument
    restorepkg [--force] [--skipres] [--override] [--ip=(y|n|Custom IP)] -- [cpuser|/path/to/cpuser-file]

    To specify a dedicated IP for a restored account, the "--ip" option requires an argument of "y" for yes,
    or "n" for no. Additionally, an IP argument may be specified to set the desired dedicated IP.

    Security Note: The Backup Restoration System is not designed to handle untrusted data.
    There are a variety of ways a malicious user can add or escalate privileges
    to an account backup package. cPanel, Inc. strongly recommends that you
    do not restore data from anyone you would not trust with root access
    to the server.

    cPanel, Inc. is designing a restoration system that is intended to work with
    untrusted data.

    For more information, please see: http://go.cpanel.net/insecurerestoreaccount

    If you choose to ignore this warning, you should use --skipres to minimize the risk.
    root@server [/home]#
    If a user is restored with the all priv, they have ROOT access to the server.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    May 2013
    Location
    India
    Posts
    747
    Thank you very much for the reply Steven. But I see most people are not very careful doing restore, especially doing bulk account restore. Also skip reseller priv option is not available from WHM where most medium techie / sales level people use front-end to restore accounts. And it is very interseting to know that this is being here as a known issue for a few months. Anyway glad to hear that cPanel is working on it.

Similar Threads

  1. any security risk to use /home directory for cpanel backup ?
    By monitor2000com in forum Dedicated Server
    Replies: 12
    Last Post: 11-30-2009, 05:41 AM
  2. high risk & low risk merchant account specialist needed
    By gcorpz in forum Employment / Job Offers
    Replies: 1
    Last Post: 05-18-2006, 10:15 AM
  3. CPanel online demo - security risk?
    By nogi in forum Hosting Software and Control Panels
    Replies: 15
    Last Post: 02-21-2003, 10:31 PM
  4. Cpanel and phpinfo, security bug/risk?
    By iago in forum Hosting Security and Technology
    Replies: 16
    Last Post: 12-26-2002, 07:34 PM
  5. Cpanel demo..security risk?
    By Aplusmedia in forum Hosting Security and Technology
    Replies: 3
    Last Post: 10-13-2002, 05:02 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •