Page 1 of 3 (results 1 to 25 of 62)
  1. #1

    Eleven2 [Security Issue with Cpanel]

    Their server security is a total mess.

    You can access ANY accounts with password [xxxx].

    I have talked to their support and they just fixed ONE account password.

    So try it for yourself..

    69.194.232.3:2083

    Username: [xxxx]
    Pass: [xxxx]

    * I have removed the actual account usernames, but you can still log in with the above username (which I created) and you can still access and see all other usernames because [xxxx] is the ROOT PASSWORD. WTF?

    Those 3 are just some usernames I picked up. You can try to log in with any username; then, when logged in, you can see and switch ALL users in the server and then try using any username and password [xxxx] and it will log in. I am guessing you can access file manager and everything as well.

    Good thing you can't access WHM (only cPanel) with this, but still... Let's see how long before they fix this.
    Last edited by bear; 07-24-2012 at 02:23 PM. Reason: let's not

  2. #2
    Join Date
    Jun 2011
    Posts
    552
    Remove those account please, I don't think the owner of the website would be happy.
    Last edited by Saetrevik; 07-24-2012 at 01:26 PM.
    www.Hostzoom.net
    Pure SSD Powered cPanel web hosting with location in Amsterdam, Netherland.

  3. #3
    Join Date
    Feb 2012
    Location
    Memphis, TN
    Posts
    3,285
    LMFAO! It's a root or reseller password. You can access any account from there.

    wtf is Eleven2 thinking?
    hostingcove.com | Tennessee Based Hosting Provider.
    cPanel Shared & Reseller Hosting - Domain Names
    Join thousands of happy customers. Secure & Stable
    HeroicVPS Premium KVM VPS. Ashburn / Phoenix

  4. #4
    Join Date
    Sep 2005
    Location
    San Diego, California
    Posts
    865
    I hope it's just a reseller's password. In which case Eleven2 can't really control what passwords their resellers choose. How did you find this Op?
    Othio Hosting - Private-Label cPanel Reseller Hosting
    True 24x7 Support | SSD Storage | cPanel+WHM | R1Soft Backups

  5. #5
    Join Date
    Feb 2012
    Location
    Memphis, TN
    Posts
    3,285
    It looks like perhaps a low level tech account they set up as a reseller and granted some super admin too.

    The password does work for any account in the system though you need to relogin when switching accounts. lmfao
    hostingcove.com | Tennessee Based Hosting Provider.
    cPanel Shared & Reseller Hosting - Domain Names
    Join thousands of happy customers. Secure & Stable
    HeroicVPS Premium KVM VPS. Ashburn / Phoenix

  6. #6
    No, it is the root password, because I can access all other usernames with that password [xxxx].
    Last edited by bear; 07-24-2012 at 02:24 PM.

  7. #7
    Join Date
    Feb 2012
    Location
    Memphis, TN
    Posts
    3,285
    lmfao, someone looking at this could use the bulk transfer utility and mirror all of those accounts possibly.
    hostingcove.com | Tennessee Based Hosting Provider.
    cPanel Shared & Reseller Hosting - Domain Names
    Join thousands of happy customers. Secure & Stable
    HeroicVPS Premium KVM VPS. Ashburn / Phoenix

  8. #8
    Join Date
    Feb 2004
    Location
    Toronto
    Posts
    2,308
    Popcorn material ?
    VimHost >> 30 Days Backup | cPanel + LiteSpeed + JetBackup | DMCA FREE!
    20 Years in business ~ Premium Hosting in Toronto, Canada ~ 151 Front Street (Canadian owned and operated)

  9. #9
    Join Date
    Feb 2012
    Location
    Memphis, TN
    Posts
    3,285
    Quote Originally Posted by lonea View Post
    Popcorn material ?
    Even better:
    hostingcove.com | Tennessee Based Hosting Provider.
    cPanel Shared & Reseller Hosting - Domain Names
    Join thousands of happy customers. Secure & Stable
    HeroicVPS Premium KVM VPS. Ashburn / Phoenix

  10. #10
    Join Date
    Dec 2009
    Location
    United Kingdom
    Posts
    203
    You should have contacted them about this beforehand; a lot of users are now going to be unhappy.
    NerdyVPS - You Will Be Assimilated
    PiePanel

  11. #11
    Join Date
    Apr 2006
    Location
    Rotherham, UK
    Posts
    1,547
    Oh dear. Let's hope these details don't end up in the wrong hands.
    IT & Hosting Solutions Rotherham - Virtual6 Ltd
    IT Distributor | IT Manufacturer | Hosted Products | Business IT Support

  12. #12
    Join Date
    Oct 2004
    Location
    Oneida, NY
    Posts
    2,849
    We are currently looking into this, but I can assure everyone that none of our root passwords are (or ever will be) [xxxx] or anything similar to that. We are still investigating this matter.
    Last edited by bear; 07-24-2012 at 02:24 PM.
    Big things coming soon

  13. #13
    Well yes, it is better if a mod sees this and deletes it; I am unable to edit or delete this thread, unfortunately. Or better if eleven2 fixes this asap, as I really love their hosting, tbh.

  14. #14
    Join Date
    Sep 2005
    Location
    San Diego, California
    Posts
    865
    Quote Originally Posted by MrLadoodle View Post
    You should have contacted them about this beforehand; a lot of users are now going to be unhappy.
    It does look like he mentioned it to their support:
    Quote Originally Posted by projectpop View Post
    I have talked to their support and they just fixed ONE account password.
    But it seems that the support personnel didn't understand the gravity of the situation, or may have misunderstood the request.
    Othio Hosting - Private-Label cPanel Reseller Hosting
    True 24x7 Support | SSD Storage | cPanel+WHM | R1Soft Backups

  15. #15
    Join Date
    Apr 2006
    Location
    Rotherham, UK
    Posts
    1,547
    I can't see it being a reseller account; most of the domains use eleven2 NS records. If it was a certain reseller's account, I'm sure they would all be pointing to the host's custom NS records.
    IT & Hosting Solutions Rotherham - Virtual6 Ltd
    IT Distributor | IT Manufacturer | Hosted Products | Business IT Support

  16. #16
    Join Date
    May 2011
    Posts
    586
    I was thinking about signing up at Eleven2 for reseller hosting (for a local offline website building business). Forget it.

    EDIT: Signed in just to verify it. Hope the police don't come to my door, lol. There are hundreds of accounts on this server.
    Last edited by Appdeveloper; 07-24-2012 at 01:48 PM.

  17. #17
    Quote Originally Posted by BrettB View Post
    It does look like he mentioned it to their support:

    But it seems that the support personnel didn't understand the gravity of the situation, or may have misunderstood the request.
    Yes, I was frustrated after talking to the support; that's why I guess I am better off writing here. But I guess it is better for a mod to delete this asap, as I am not able to edit the post, unfortunately.

  18. #18
    Join Date
    May 2011
    Posts
    586
    Quote Originally Posted by VMPort View Post
    I can't see it being a reseller account; most of the domains use eleven2 NS records. If it was a certain reseller's account, I'm sure they would all be pointing to the host's custom NS records.
    Plus, if it were a reseller account, I believe there would be WHM access.
    Last edited by Appdeveloper; 07-24-2012 at 01:55 PM. Reason: WHM*

  19. #19
    Join Date
    Jul 2010
    Location
    ~/
    Posts
    1,382
    While I agree that that is a huge face palm, you should NEVER have posted this on a public forum. Even if you have issues of your own with eleven2, you could have just caused a HUGE problem for tons of innocent customers.

    <snipped>
    Last edited by Orien; 07-24-2012 at 03:40 PM.
    -> INCEPTION HOSTING LIMITED Since 2010!
    -> I am most active on the lowendspirit hosting forum Come join us!
    -> PHOENIX USA & THE NETHERLANDS & UK EU

  20. #20
    Guys this has been fixed. Thanks eleven2 for the quick work and this thread is by no means a defamation of Eleven2 and note that I will keep using Eleven2. It is just a frustration due to the support by a personnel. Thank you eleven2.

  21. #21
    Join Date
    Aug 2004
    Location
    Houston, TX
    Posts
    1,405
    Guys, this is actually a bug in cPanel, which we have addressed with them multiple times. I will not post the exact way this is done, but we have given cPanel the opportunity to fix this for months now. This is an insufficiency in the way cPanel backup and restore works.
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!
    Shared Hosting | Reseller Hosting | Dedicated | Virtual Premium Servers
    Server Locations in: Dallas | Los Angeles | Singapore | Amsterdam

  22. #22
    Join Date
    Feb 2006
    Location
    Buffalo, NY
    Posts
    1,501
    Quote Originally Posted by Eleven2 Hosting View Post
    Guys, this is actually a bug in cPanel, which we have addressed with them multiple times. I will not post the exact way this is done, but we have given cPanel the opportunity to fix this for months now. This is an insufficiency in the way cPanel backup and restore works.
    Really? We haven't noticed this..

    Are you referring to when restoring accounts and not using --skipres by default? If so that's not a bug but user error.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor

  23. #23
    Join Date
    Feb 2012
    Location
    Memphis, TN
    Posts
    3,285
    Trying to figure this one out myself, has cPanel opened a case for this "bug"?
    hostingcove.com | Tennessee Based Hosting Provider.
    cPanel Shared & Reseller Hosting - Domain Names
    Join thousands of happy customers. Secure & Stable
    HeroicVPS Premium KVM VPS. Ashburn / Phoenix

  24. #24
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by CodyRo View Post
    Really? We haven't noticed this..
    Try restoring a backup that has root reseller privileges enabled...
    That account's password will be able to log in to every account.

    It would be a good idea to run this on every server:

    grep "all$" /var/cpanel/resellers |sed 's/:/ /' |awk '{print $1}'

    Furthermore, it is also possible to modify a backup to grant you access to another mysql database on the server. You can also modify a backup to delete the mysql root user.. which effectively turns on skip grant tables. I had a discussion with security@cpanel.net about this, and they basically said they couldn't do anything about it and that it would be best to unpack each backup and check it manually.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
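
Added example (not part of the original post, and not Rack911's or cPanel's code): a stricter form of the grep in post #24. It assumes each line of /var/cpanel/resellers is `username:acl1,acl2,...`, matches `all` as a whole privilege field anywhere in the list rather than as a line suffix, and skips accounts named on an allow list; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list reseller accounts holding the "all" (root-level) privilege.
# Assumption: each line of the resellers file is "username:acl1,acl2,...".

# audit_resellers FILE [ALLOWED_USER...]
# Prints every username whose ACL list contains "all" as a whole field and
# that is not on the allow list. Returns 1 if any such account was printed.
audit_resellers() {
    file=$1; shift
    allowed=" $* "
    awk -F: -v allowed="$allowed" '
        /^[ \t]*(#|$)/ { next }                # skip blank and comment lines
        {
            n = split($2, acl, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", acl[i])      # tolerate stray whitespace
                if (acl[i] == "all" && index(allowed, " " $1 " ") == 0) {
                    print $1; found = 1; break
                }
            }
        }
        END { exit found ? 1 : 0 }
    ' "$file"
}

# Constructed sample data (not from a real server). "kill-all" is a made-up
# privilege name that merely ends in "all"; a suffix grep would flag it.
sample_resellers() {
    cat <<'EOF'
alice:create-acct,list-accts,all
bob:create-acct,list-accts
carol:all,create-acct
dave:list-accts,kill-all
EOF
}

# Demo: alice is the one expected root-level reseller, so only carol is reported.
demo() {
    tmp=$(mktemp)
    sample_resellers > "$tmp"
    audit_resellers "$tmp" alice || true
    rm -f "$tmp"
}

demo
```

The non-zero exit status on a finding lets the check run from cron or a post-restore hook and alert when an unexpected account appears.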

  25. #25
    Join Date
    Feb 2006
    Location
    Buffalo, NY
    Posts
    1,501
    Quote Originally Posted by Steven View Post
    Try restoring a backup that has root reseller privileges enabled...
    That account's password will be able to log in to every account.

    It would be a good idea to run this on every server:



    Furthermore, it is also possible to modify a backup to grant you access to another mysql database on the server. You can also modify a backup to delete the mysql root user.. which effectively turns on skip grant tables. I had a discussion with security@cpanel.net about this, and they basically said they couldn't do anything about it and that it would be best to unpack each backup and check it manually.
    Hence the --skipres switch? You should never restore a package assuming the privileges are proper.

    The MySQL thing is indeed scary; it, however, doesn't surprise me. I've suspected for some time there is a large amount of stuff the cpbackup system takes for granted.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor
