Next time, try submitting to security@xxxxxxxxxx or any of the contact addresses (even phone) on the web site. There are, by the way, other contact details on the web site; next time, at least look. (I've passed this along to the above email address, in case you have issues doing so yourself.)

On Wed, 30 Mar 2005 23:33:30 +0100, Richard Stanway <bugtraq@xxxxxxxxxxxx> wrote:

> Background
> ----------
> cPanel & WebHost Manager (WHM) is a next generation web hosting control
> panel system. Both cPanel & WHM are extremely feature rich and
> include an easy to use web based interface (GUI). The cPanel demo account
> feature creates a restricted username/password to the cPanel web interface
> which the reseller often then provides on their web site, inviting potential
> customers to try out the cPanel interface. Most of the cPanel interface is
> disabled in the demo mode to prevent anonymous users from uploading
> potentially dangerous content or otherwise causing a problem.
>
> Problem
> -------
> Since the cPanel demo user is created as a real local user, shell access
> through SSH is possible. The demo account, however, is restricted by using a
> shell that displays a message indicating that SSH is disabled and does not
> allow any commands to be used. It is possible to set up SSH port
> forwarding and log in without invoking the shell, essentially giving
> anonymous users the ability to harness the server for proxying to local and
> remote destinations, bypassing IP based authentication to localhost (some
> SMTP servers regard 127.0.0.1 as authenticated, for example) and other likely
> malicious actions.
>
> It is very likely the same problem also applies to local users who have not
> been granted explicit shell access, although the impact is slightly lessened,
> as one might expect local users are not out to abuse their own shared web
> hosting server.
>
> Exploit
> -------
> Pick your server (http://www.google.com/search?q=cpdemo+cpanel+demo), SSH to
> it using the provided username and password and set up some port forwarding.
>
> Solution
> --------
> Turn off the demo account feature and delete any demo accounts. As an
> additional measure, turn off SSH port forwarding or specify explicitly which
> users are allowed SSH access in the sshd config; do not rely on a restricted
> shell to prevent users from being able to use other SSH features. I'd never
> recommend anyone use the cPanel/WHM demo account feature at all; they are
> both very risky. Even the WHM demo hosted on cPanel's own server allowed
> remote root at one point in time.
>
> A note to vendors: please make it easy to report bugs. cPanel had a nice
> anonymous bug reporting form and status checking system last time I reported
> a bug; now it is replaced with BugZilla, which requires spending time
> registering, which personally I'm not going to be bothered with for reporting
> one bug.
>
> Richard Stanway
> http://www.r1ch.net/
>
> Technical articles: http://shsc.info/

--
Beau Henderson
http://www.ImInteractive.com
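The advisory's point is that a restricted login shell is not a boundary: `ssh -N` asks sshd for no shell or command at all, so the shell is never executed, while `-L`/`-R`/`-D` still open forwarding channels. The following script is an added example, not part of the original post or of cPanel, that shows the bypass command for reference and audits an sshd_config for the two mitigations the Solution section names (AllowTcpForwarding and AllowUsers/AllowGroups). The two config texts are constructed for illustration; the hardened one assumes OpenSSH 4.4 or later for the Match block, and the user and host names are placeholders.

```shell
#!/bin/sh
# Added example: audit sshd_config for the mitigations recommended in the
# advisory. Configs below are constructed, not taken from any real server.

# Weak: forwarding left at the OpenSSH default (yes) and every local account,
# demo users included, may authenticate over SSH.
WEAK_CONFIG='Port 22
PermitRootLogin no
# AllowTcpForwarding not set -> defaults to yes
'

# Hardened: forwarding off server-wide, SSH logins limited to named accounts,
# and (belt and braces) an explicit Match block for the demo user.
HARDENED_CONFIG='Port 22
PermitRootLogin no
AllowTcpForwarding no
AllowUsers admin deploy
Match User demo
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    ForceCommand /bin/false
'

# effective_value CONFIG KEYWORD
# Print the value of the first uncommented top-level KEYWORD (sshd honours
# the first occurrence), or "default" if it is never set. Parsing stops at
# the first Match block because lines after it are conditional.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print; found = 1; exit
        }
        END { if (!found) print "default" }'
}

# forwarding_allowed CONFIG
# "yes" when sshd would honour -L/-R/-D for an unmatched user. Only an explicit
# "no" closes the hole; "local"/"remote" (newer OpenSSH) still permit one kind.
forwarding_allowed() {
    if [ "$(effective_value "$1" AllowTcpForwarding)" = no ]; then
        echo no
    else
        echo yes
    fi
}

# user_restricted CONFIG
# "yes" when AllowUsers or AllowGroups is set, so accounts not listed are
# refused at authentication, before any channel (shell or forward) exists.
user_restricted() {
    a=$(effective_value "$1" AllowUsers)
    g=$(effective_value "$1" AllowGroups)
    if [ "$a" != default ] || [ "$g" != default ]; then
        echo yes
    else
        echo no
    fi
}

# audit CONFIG: human-readable summary
audit() {
    printf 'AllowTcpForwarding (effective): %s\n' "$(effective_value "$1" AllowTcpForwarding)"
    printf 'port forwarding possible:       %s\n' "$(forwarding_allowed "$1")"
    printf 'logins limited to listed users: %s\n' "$(user_restricted "$1")"
}

echo '== weak ==';     audit "$WEAK_CONFIG"
echo '== hardened ==';  audit "$HARDENED_CONFIG"

# The bypass the advisory describes, for reference only (placeholder names,
# not executed here): -N requests no shell, so the restricted login shell
# never runs; -L tunnels local port 2525 to the server's own SMTP port,
# arriving there from 127.0.0.1.
#   ssh -N -L 2525:127.0.0.1:25 demo@host.example
```

Run against a real `/etc/sshd_config` with `audit "$(cat /etc/ssh/sshd_config)"`; anything other than `no` for forwarding combined with `no` for user restriction is the configuration the advisory warns about.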