  1. #1
    Join Date
    Mar 2007
    Location
    Gibsons, British Columbia
    Posts
    19

    cPanel temporary URLs & phishing security problem

    Hi everyone,

    I'm being told that cPanel temporary URLs (such as http://123.456.789.0/~account/) have been disabled on my shared hosting provider's server because of a security hole that phishing sites can exploit.

    I won't name my hosting provider yet, but I'd like to know whether other cPanel providers have run into the same security issue and if they were able to address it in some other way than simply disabling the feature.

    As it stands now, I can't use temporary URLs to allow my clients to preview their new websites before changing their nameservers to point them away from their old server.

    Here's what my host has provided as an explanation of the problem:
    Quote Originally Posted by My_Host
    The problem comes in when malicious users either get through our anti-fraud measures or when they hack into an account. They will upload a phishing site (a replica of a well-known website intended to defraud its visitors) and then, being well aware of cPanel's features and limitations, they take advantage of the temporary URL feature by publishing/spamming any domain name that resolves to the same IP address along with the "/~username".

    So, let's say you have a malicious user with a phishing site on phishing.com which is hosted on the same server and IP as test.com. The user could send spam (even through a third party and not the same server on which he is hosted) with various URLs, one of which could be http://test.com/~phishing/phishingsite.

    The end result is that we are eventually warned of the issue by authorities and we take measures to fix the problem. However, this was not before test.com appeared as a malicious website through security websites or tools which is where the problem resides.
    And as I said, their solution is to simply disable temporary URLs.

    Is there another solution that's less drastic? How are other hosting providers able to keep offering temporary URLs?

    Looking forward to hearing back from everyone.
    Thanks
    Jade Burnside
    Optimization Specialist
    What good is your website if no one can find it?
    www.aheadoftheweb.com

  2. #2
    Join Date
    Sep 2007
    Posts
    368

  3. #3
    Join Date
    Mar 2007
    Location
    Gibsons, British Columbia
    Posts
    19

    Clarification

    Quote Originally Posted by nomankhn View Post
    Hi Jade,

    This malicious problem is coming on live sites as well, not only on shortened site URLs.

    Anyway, if you want to hide this thing, you can set up your DNS/Apache something like:

    client.aheadoftheweb.com
    Hi Noman, and thanks for the reply.

    Just to clarify, since I'm reselling hosting from my provider, are you saying that I'd have to ask my provider to set up their server to permit my client's accounts to be accessible through a url such as client.hostingprovider.com instead of the traditional hostingprovider.com/~client/?

    I don't think that I'd be able to set that up without the provider's help, isn't that right?

    And just out of curiosity, do you think this is something that a provider is likely to do upon request? They've got tens of thousands of shared hosting accounts on their servers.
    Jade Burnside
    Optimization Specialist
    What good is your website if no one can find it?
    www.aheadoftheweb.com

  4. #4
    Join Date
    Sep 2007
    Posts
    368

    *

    Quote Originally Posted by JadeB View Post
    Hi Noman, and thanks for the reply.

    Just to clarify, since I'm reselling hosting from my provider, are you saying that I'd have to ask my provider to set up their server to permit my client's accounts to be accessible through a url such as client.hostingprovider.com instead of the traditional hostingprovider.com/~client/?

    I don't think that I'd be able to set that up without the provider's help, isn't that right?

    And just out of curiosity, do you think this is something that a provider is likely to do upon request? They've got tens of thousands of shared hosting accounts on their servers.

    Hi Jade,

    I thought you run your own company as a hosting provider and have all this access. Anyway, I do both on your development server for programmers and also set things up for clients with shortened URLs and in the different way I suggested earlier.

    Regarding the DNS entry, you just need to add it when you create the account for hosting; it's required only one time if that main domain is hosted on your server. After adding the client name it will become a subdomain.

  5. #5
    Join Date
    Mar 2007
    Location
    Gibsons, British Columbia
    Posts
    19
    Hi again Noman,

    I'm glad we clarified this, because I wouldn't want to leave the impression that my question had been answered when it hasn't.

    As it stands now, there is no way for anyone to access a hosting account on my hosting provider's server using a temporary URL of any kind. URLs such as http://123.456.789.0/~account/ generate an error page and my hosting provider says they will NOT be re-enabling any form of temporary URL function.

    And since most of my clients are getting rebuilt websites as well as moving their hosting to this provider, it's important that I can show them the newly rebuilt website on the new server, in working condition (not a developer's version built somewhere else) so they can approve it before we update their nameservers to point to the new host.

    Hopefully someone here will be able to mention if there's an alternative and less drastic solution. Or even if cPanel is planning on issuing a fix for the problem.
    Jade Burnside
    Optimization Specialist
    What good is your website if no one can find it?
    www.aheadoftheweb.com

  6. #6
    Join Date
    Apr 2002
    Posts
    930
    You mention you are a reseller. Do you have your own WHM?

    Do you have the ability to park domains either from your WHM interface or from your user's control panel?

    I am assuming that since you are a reseller, and if you have your own WHM, then your account (which I'll refer to as aheadoftheweb.com) is on the same server as your resold accounts (your clients).

    If that is the case, and if you have the ability to park domains, then if you have a client whose website is dogpaintings.com, then you could park the domain:

    dogpaintings.aheadoftheweb.com on top of dogpaintings.com

    either in your reseller's WHM or in dogpaintings.com's control panel.

    Since aheadoftheweb.com is pointing to that server, then dogpaintings.aheadoftheweb.com will also point to the server.

    At least I think this would work, I haven't actually tested it.

  7. #7
    Join Date
    Mar 2007
    Location
    Gibsons, British Columbia
    Posts
    19
    Hi Sparek,

    That's a great idea for a workaround if the provider can't solve the problem.

    I'm going to investigate and see if it works.

    Thanks for the suggestion.
    Jade Burnside
    Optimization Specialist
    What good is your website if no one can find it?
    www.aheadoftheweb.com

  8. #8
    Join Date
    Mar 2007
    Location
    Gibsons, British Columbia
    Posts
    19
    Unfortunately, I've just tested that workaround and I'm not able to make it work.

    The cPanel for a client account won't let me park something like "dogpaintings.aheadoftheweb.com" on top of "dogpaintings.com" since aheadoftheweb.com is controlled by another account.

    And the WHM interface doesn't allow me to add parked domains at all, so I can't do it that way either.

    I've asked the system admin for my provider to look into whether there's some way to accomplish this. But in the meantime, does anyone else have any ideas?

    Thanks in advance.
    Jade Burnside
    Optimization Specialist
    What good is your website if no one can find it?
    www.aheadoftheweb.com

  9. #9
    Join Date
    Apr 2002
    Posts
    930
    I was afraid the cPanel park domain feature would not allow this. I think the WHM interface will, its rules are generally more relaxed. You might ask your hosting provider if they will allow you to have the park domain feature in your WHM. Explain to them what you are wanting to do. If they are the ones shutting off the temporary URL, then they should be willing to provide this workaround.

  10. #10
    Join Date
    Mar 2007
    Location
    Gibsons, British Columbia
    Posts
    19
    Quote Originally Posted by SPaReK View Post
    I was afraid the cPanel park domain feature would not allow this. I think the WHM interface will, its rules are generally more relaxed. You might ask your hosting provider if they will allow you to have the park domain feature in your WHM. Explain to them what you are wanting to do. If they are the ones shutting off the temporary URL, then they should be willing to provide this workaround.
    Hi again Sparek,

    Thanks. I've asked my system admin to look into whether it's possible, plus I know that he's following this thread too, so he's reading this.

    I've got another reseller account with another provider and my WHM there is more relaxed and would allow me to do this, so hopefully this provider will be able to allow it as well.
    Jade Burnside
    Optimization Specialist
    What good is your website if no one can find it?
    www.aheadoftheweb.com

  11. #11
    Join Date
    Jul 2009
    Location
    NC
    Posts
    929
    Quote Originally Posted by JadeB View Post
    Hi Noman, and thanks for the reply.

    Just to clarify, since I'm reselling hosting from my provider, are you saying that I'd have to ask my provider to set up their server to permit my client's accounts to be accessible through a url such as client.hostingprovider.com instead of the traditional hostingprovider.com/~client/?
    Have you tried www.YOURsite.com/~accountname

    It works on my reseller accounts.

  12. #12
    Join Date
    Mar 2007
    Location
    Gibsons, British Columbia
    Posts
    19
    Quote Originally Posted by GORF View Post
    Have you tried www.YOURsite.com/~accountname

    It works on my reseller accounts.
    Hi Gorf,

    Thanks, but that doesn't work either. All manner of cPanel temporary URLs have been disabled by the provider.
    Jade Burnside
    Optimization Specialist
    What good is your website if no one can find it?
    www.aheadoftheweb.com

  13. #13
    Join Date
    Apr 2002
    Posts
    930
    I would also point out that I would consider this just as a temporary basis. I would not recommend leaving the dogpaintings.aheadoftheweb.com setup indefinitely. Because what your host mentioned as the reason for disabling the ~username option could also apply with this set up.

    If malicious code is placed somewhere on dogpaintings.com's website, then this would also be accessible at dogpaintings.aheadoftheweb.com and could cause the aheadoftheweb.com domain to become blacklisted.

  14. #14
    Join Date
    Mar 2007
    Location
    Gibsons, British Columbia
    Posts
    19
    Quote Originally Posted by SPaReK View Post
    I would also point out that I would consider this just as a temporary basis. I would not recommend leaving the dogpaintings.aheadoftheweb.com setup indefinitely. Because what your host mentioned as the reason for disabling the ~username option could also apply with this set up.

    If malicious code is placed somewhere on dogpaintings.com's website, then this would also be accessible at dogpaintings.aheadoftheweb.com and could cause the aheadoftheweb.com domain to become blacklisted.
    Good point Sparek,

    Hopefully they'll be able to permit it, but only when implemented through the WHM controlling both affected accounts so that there's no chance of something like this being set up by a third party.
    Jade Burnside
    Optimization Specialist
    What good is your website if no one can find it?
    www.aheadoftheweb.com

  15. #15
    Join Date
    Feb 2009
    Location
    United States
    Posts
    378
    This is known as mod_userdir protection, and anyone with root access to the server is capable of disabling this feature on a domain-by-domain basis.
    The fact that your host is unwilling to disable this feature for your domain, or doesn't know how to, (given the phishing excuse) makes them incompetent.

    I enable mod_userdir protection on all servers I manage, but exclude this protection on the server hostname/IP addresses.
    Doing so provides phishing protection to my clients while not negatively affecting them in this way.
    Victor Lugo
    Systems Administrator
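
The setup described in the last post (UserDir switched off on customer domains, left on for the server hostname) can be checked mechanically. The following is an added example, not part of the thread and not cPanel's own code: it audits an Apache configuration and reports which virtual hosts still answer `/~user/` requests. The hostnames, addresses, user name and function names are constructed, and the per-vhost resolution is a simplified model of how Apache applies `UserDir`.

```python
import re

# Constructed sample config; hostnames, addresses and the user name are placeholders.
SAMPLE_CONF = """
UserDir public_html
<VirtualHost 192.0.2.10:80>
    ServerName server1.hostingprovider.example
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName test.example
    UserDir disabled
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName dogpaintings.example
    UserDir disabled
    UserDir enabled dogpaint
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName forgotten.example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive_args(text, name):
    """Argument lists of every `name` directive in text, comments stripped."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r[1:] for r in rows if r and r[0].lower() == name.lower()]

def bare_disabled(args_list):
    return any([a.lower() for a in args] == ["disabled"] for args in args_list)

def userdir_exposure(conf):
    """Map ServerName -> 'all', 'none', or the users still served at /~user/."""
    # Assumed model: a vhost's own UserDir lines win; otherwise the global ones apply.
    global_off = bare_disabled(directive_args(VHOST_RE.sub("", conf), "UserDir"))
    report = {}
    for body in VHOST_RE.findall(conf):
        name = next((a[0] for a in directive_args(body, "ServerName") if a), "(unnamed)")
        ud = directive_args(body, "UserDir")
        off = bare_disabled(ud) if ud else global_off
        users = sorted(u for args in ud if args and args[0].lower() == "enabled" for u in args[1:])
        report[name] = "all" if not off else (users or "none")
    return report

def unexpected_exposure(conf, preview_hosts):
    """Vhosts serving every /~user/ that are not an intended preview hostname."""
    return sorted(n for n, v in userdir_exposure(conf).items()
                  if v == "all" and n not in preview_hosts)
```

In the sample, only the hostname vhost is meant to serve previews; `forgotten.example` is the customer domain that would still resolve another account's `/~user/` path.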
