  1. #1
    Join Date
    Jul 2002

    Dangerous Script For Cpanel :-(

    I am giving out some Sub Domains via CPANEL control Panel, but recently, there is a script called: remview.php that can control all over my site, all DB can be hacked anytime :-(

    Let's say: You have a Domain AAA, you give out a Sub : and then they upload that script on there... and they can control all over that whole domain :-(

    Any help?

    Thanks in advance

  2. #2
    Join Date
    Jan 2002
    There is no solution to this problem. I contacted my hosting company the minute I saw this feature in their control panel and asked them if there are any measures against this security problem, but their reply was irrelevant just repeating the function of this feature.

    BTW, not only those you give access to a subdomain on your account, but everybody else on the server can get your MySQL password if it is in a PHP file.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates

  3. #3
    Join Date
    Jan 2002
    Ho Chi Minh City, Vietnam
    How about this problem, now?
    Welcome to Vietnam.

  4. #4

    Oh yeah, really good, if you speak Russian!

  5. #5
    This isn't just a problem for a sub domain, that really has no bearing on this problem, other than the user it runs as (assuming a CGI wrapper is used for CGI and/or PHP) will also maybe be able to have the same control as you. No matter what, otherwise they have the same CGI and/or PHP script access as everyone else, if it's a global user anyway.

    However, you can (if your hosting provider is willing) very easily modify it so anything in that path can not run CGI, PHP or other scripts, as well as denying SSI and other type of access.

    Provided they do that, you can safely hand out sub domain accounts. Keep in mind that depending on how CGI and/or PHP is running on the server, this problem can still exist anyway on any shared hosting environment, unless steps are taken to prevent it.

    Though I won't argue in that current state of configuration on the server that giving out free sub domains to just anyone that is allowed or can somehow manage to use any type of script to snoop around the system is a bad idea and makes the potential greater (especially when people are paying to have accounts on that same server, as most people aren't the type to try and do this if they are a regular client).

    Still, it's all about prevention, permissions, ownership and configurations and how things run. Look into disabling CGI, PHP, SSI and definitely .htaccess (or at least make it so their .htaccess directives are limited to features that can't be used to add or enable CGI, PHP, etc. type of scripts by adding mime/action types, etc.)
    Robert McGregor
    Email: robertm@(nospam)
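An Apache per-directory configuration, added here as an illustration and not code from any poster or from cPanel, showing the permissive setup that lets an uploaded script run beside the locked-down one Robert describes. The paths, hostname and the PHP module name (which differs between PHP versions, e.g. mod_php5.c, mod_php7.c) are assumptions.

```apacheconf
# --- Weak: a handed-out subdomain directory that can run anything ---
# Any file the subdomain user uploads (remview.php, a .cgi, an SSI page)
# executes, and a .htaccess can re-enable whatever the admin turned off.
<VirtualHost *:80>
    ServerName   sub.example.com          # assumed hostname
    DocumentRoot /home/aaa/public_html/sub  # assumed path
    <Directory /home/aaa/public_html/sub>
        Options +ExecCGI +Includes
        AllowOverride All
    </Directory>
</VirtualHost>

# --- Hardened: static content only for the same directory ---
<Directory /home/aaa/public_html/sub>
    # No CGI, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes

    # No .htaccess at all, so the tenant cannot add AddHandler/Action/
    # SetHandler lines that map a new extension to a script interpreter.
    # If .htaccess is required, restrict it to password protection only:
    #   AllowOverride AuthConfig Limit
    AllowOverride None

    # Strip any script handlers inherited from the server config so that
    # .php/.cgi files are treated as plain files, not executed.
    RemoveHandler .php .phtml .php3 .cgi .pl
    RemoveType    .php .phtml .php3

    # When PHP runs as an Apache module, switch the engine off here;
    # php_admin_* cannot be overridden from .htaccess or ini_set().
    <IfModule mod_php.c>
        php_admin_flag  engine off
    </IfModule>

    # Belt and braces: refuse to serve script sources even as text,
    # so a dropped file cannot be fetched or executed. (Apache 2.4 syntax;
    # on 2.2 use "Order deny,allow" / "Deny from all".)
    <FilesMatch "\.(php|phtml|php3|cgi|pl|shtml)$">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading, a request for any `.php` or `.cgi` in the subdomain path should return 403 rather than executing; that is the quick check that the override really took effect.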

  6. #6
    Join Date
    May 2001
    What does this thing do?
