Users able to switch to other user accounts?
We have a major security issue where a user can log in to cpanel with their account credentials and then switch to any of the other accounts on our shared WHM platform using the dropdown user box in the General Information tab.
Does anyone know how we can disable this? Obviously a user logging in and then being able to edit DNS records of other customers is a major security hole.
-
If you click that red icon top right, it should say something about you being logged in as root or Reseller to one of his owned accounts. That menu should not be viewable for anyone else, otherwise. 0 -
It says "Information: You are logged in as a reseller or root user" but that is definitely not the case. The account that the user is logging in to cpanel with was created by a reseller account, and the user account itself has no reseller access - am I missing something somewhere? 0 -
This is the user that is logging in to cpanel 0 -
In your first post screenshot, the blurred image does show a long list of accounts. Does this user own those accounts? You might try clearing your browser cache or try another browser entirely to rule out browser cache issues. Also, please do feel free to open a ticket directly to cPanel Technical Support if needed. 0 -
No. The reseller account owns all the accounts in that list. I have no idea why an individual account has access to view all of that account's reseller accounts. We've tried multiple browsers and multiple computers. 0 -
The reseller account owns all the accounts in that list.
You are logged in as root or Reseller according to that message. Change this setting; WebHost Manager >> Server Configuration >> Tweak Settings, System Tab: Accounts that can access a cPanel user account: This setting specifies who can access a user's cPanel account. Account-Owner refers to the particular reseller that owns the user account. Note: Disabling root access here will also disable root's access to the Branding Editor in WHM.
To: cPanel User Only 0 -
I know that's what the message is saying, but I am 100% not logged in as a reseller or root. I'm logged in to CPanel with the end user account, who is not a reseller. 0 -
You're not by chance using the same password for the user level account as your root or reseller password? 0 -
For some dumb reason, it looks like we are. Changing it for the reseller account fixed the issue - thanks heaps. Looks like I'll be having stern words with some staff. Bizarre, though, that cpanel ignores the logged in user and assigns privileges based on a password? 0 -
Bizarre, though, that cpanel ignores the logged in user and assigns privileges based on a password?
Hello @jiska, This behavior is controlled by the feature referenced in the earlier post, found under the System tab in WHM >> Tweak Settings: Accounts that can access a cPanel user account. Per its description: This setting specifies who can access a user's cPanel account. Account-Owner refers to the particular reseller that owns the user account. Note: Disabling root access here will also disable root's access to the Branding Editor in WHM. Thus, if you set this to "cPanel User Only", then the account selection drop-down box will not appear when logged into cPanel with the root password or the account owner (reseller) password. Thank you. 0 -
Thank you for this. Changing that setting to "Cpanel user only" fixed the problem. Odd that this is not the default setting. Appreciate your help. 0
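The behaviour worked out in this thread, as an added example that is not part of the original posts and is not cPanel's code: a simplified model which assumes the login check tries the submitted password against root and the owning reseller before the user itself. The setting names, account names and passwords are constructed for illustration.

```python
import hashlib, hmac, os

# Hypothetical names for the three choices of the Tweak Setting.
ROOT_OWNER_USER, OWNER_USER, USER_ONLY = "root+owner+user", "owner+user", "user"

def make_hash(password, salt=None):
    """Salted PBKDF2 record; stands in for the system password hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def verify(password, record):
    salt, digest = record
    return hmac.compare_digest(make_hash(password, salt)[1], digest)

def resolve_login(account, password, accounts, setting):
    """Return the identity a cPanel login for `account` resolves to, or None.

    Privileged identities are tried first (an assumption), matching what the
    thread observed: a password shared with the reseller gave a reseller session.
    """
    owner = accounts[account]["owner"]
    candidates = []
    if setting == ROOT_OWNER_USER:
        candidates.append(("root", "root"))
    if setting in (ROOT_OWNER_USER, OWNER_USER):
        candidates.append(("reseller", owner))
    candidates.append(("user", account))
    for role, name in candidates:
        if verify(password, accounts[name]["hash"]):
            return role
    return None

# Constructed sample data: the reseller and its customer share one password.
# The salts differ, so comparing stored hashes would not reveal the reuse.
ACCOUNTS = {
    "root":      {"owner": "root",      "hash": make_hash("r00t-Example!")},
    "reseller1": {"owner": "root",      "hash": make_hash("Shared-Example1")},
    "customer1": {"owner": "reseller1", "hash": make_hash("Shared-Example1")},
}

if __name__ == "__main__":
    for setting in (ROOT_OWNER_USER, OWNER_USER, USER_ONLY):
        role = resolve_login("customer1", "Shared-Example1", ACCOUNTS, setting)
        print(f"{setting}: customer1 login resolves to {role}")
```

With either owner-enabled setting the customer's login resolves to the reseller identity; only the user-only setting, or distinct passwords, keeps it at user level.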