  1. #1

    OLD Cpanel Exploit - Still Active

    Please forgive me if this has been posted before, but there is an old exploit that allows someone to view all the domains that you are hosting if you have Cpanel on the server. I'm bringing this to your attention because there are several hosts on this forum that still have not implemented the fix. The following is quoted from HostingViews.com:

    Notice:
    Any resellers or dedicated hosts that use cPanel should be aware that there is still an exploit people are using to see what domains are hosted on the server.

    If you have cPanel/WHM on your server, just go to your domain and put /bandwidth/ after it. http://yourdomain.con/bandwidth/ Hopefully you will get a “You don't have permission to access /bandwidth/ on this server” message or it will ask for a password.

    Otherwise you will be at a page titled “Bandmin 1.4” (whatever version); from here you can access the monthly stats with a list of all domains with over 1MB of transfer.

    The fix is listed below:
    Make a TXT file with these lines in it (use your server's IP for the xxx):

    allow from xxx.xxx.xxx.xxx
    deny from all

    Name it .htaccess and place it in the server's /usr/local/bandmin/htdocs directory. This will block all but the IP that you use in the .htaccess file.
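One way to verify from the server side whether the stats pages above are still being served to outsiders, as an added example that is not from the thread or from cPanel: it scans Apache combined-format access log lines (constructed sample lines here, using documentation IP ranges) for requests to /bandwidth/ that got a 2xx from an IP outside your allowlist, and separately counts requests the .htaccess fix denied with 401/403.

```python
import re
from ipaddress import ip_address, ip_network

# Apache "combined" log format: client IP first, request line in quotes, then status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')

# Constructed sample lines (not real traffic); 192.0.2.10 plays the admin's own IP.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2005:14:02:11 -0500] "GET /bandwidth/ HTTP/1.1" 200 2519
203.0.113.5 - - [10/May/2005:14:02:13 -0500] "GET /bandwidth/2005/05/ HTTP/1.1" 200 8834
198.51.100.7 - - [10/May/2005:14:03:01 -0500] "GET /bandwidth/ HTTP/1.1" 403 317
192.0.2.10 - - [10/May/2005:14:05:44 -0500] "GET /bandwidth/ HTTP/1.1" 200 2519
203.0.113.9 - - [10/May/2005:14:06:02 -0500] "GET /index.html HTTP/1.1" 200 1024
"""

def audit_bandmin_access(log_text, allowed):
    """Return (exposed, blocked) as lists of (ip, path) tuples.

    exposed: /bandwidth/ served with 2xx to an IP not in `allowed`, meaning the
             Bandmin stats are still readable by outsiders.
    blocked: /bandwidth/ requests answered 401/403, meaning the fix is in effect.
    """
    nets = [ip_network(a, strict=False) for a in allowed]  # accepts "1.2.3.4" or CIDR
    exposed, blocked = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m['path'].startswith('/bandwidth/'):
            continue
        ip = ip_address(m['ip'])
        status = int(m['status'])
        if status in (401, 403):
            blocked.append((m['ip'], m['path']))
        elif 200 <= status < 300 and not any(ip in n for n in nets):
            exposed.append((m['ip'], m['path']))
    return exposed, blocked

if __name__ == '__main__':
    exposed, blocked = audit_bandmin_access(SAMPLE_LOG, ['192.0.2.10'])
    for ip, path in exposed:
        print(f'EXPOSED: {ip} read {path}')
    print(f'{len(blocked)} request(s) correctly denied')
```

Point it at your real access_log and your own IP to confirm the .htaccess is honoured; any EXPOSED line after the fix means the file is in the wrong directory or AllowOverride is not permitting it.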

  2. #2
    Thanks for posting this.
    movabletypehost.com / xarayahost.com / tikihost.com : Interested?
    http://www.webhostingtalk.com/showthread.php?p=3691760

  3. #3
    Lol at this: http://cpanel.net/bandwidth/, they're not even secure, the creators of CPanel.

  4. #4
    Yep, that was the first server I tried.... Weird how they don't even keep up with their own exploits.
    Domain Software, LLC.

  5. #5
    OK, 1. It's not exactly an exploit and 2. Let's not forget that some things are best left to the server administrator.

    Far too many people rely on a control panel to secure their server and run their hosting company for them. That's just not the case. A control panel only helps make the job a little easier (depending on the control panel, of course). I think DarkORB do an awesome job as it is, they never cease to amaze me.

    So what if they can see any domain on your server? Anyone that really wanted to find out who you host could do so very easily other ways.

  6. #6
    Just thought it would be helpful...
    Domain Software, LLC.

  7. #7
    Easy fix - just change alias in your httpd.conf from "bandwidth" to "thisismyprivatebandwidthstats"
    Alex
