[CPANEL-18704] cPanel contact address is stored in the home directory
- Why is there a /home/user/.contactemail file?
- If I or some script changes the email address directly in that file, why does the Contact Information page still show the "right/orig" email address?
- If the page shows one email address, and the file has a different email address, who gets the email notifications for the 11 email options on the page? The email address in the file, or the email address on the Contact Information page?
- Do you not see this file as a flaw? Or rather a security risk? Considering scripts seem to have access to it by default, I find this file rather mind boggling.
- If a user follows the common practice of moving the account to another server, what happens with the above facts? It would be amazing to learn that after the move, if the user does not hit the "Contact Information" page in the cPanel account, the email address in the file stays there reporting notifications and enables the recipient to do a password reset.
Ok, well thank you for the clarity. Even though the clarity does reveal more flaw, glad to hear a case is open to remedy. What does cpanel recommend for whm users to prevent this flaw from being abused until a solution is live? What I've done is:
Home » Server Configuration » Tweak Settings
Search for "reset"
Set these to OFF:
- Reset Password for cPanel accounts?
- Reset Password for Subaccounts?
Hello @abnet,
You can perform one of the following steps to mitigate the issue until a solution is published:
1. Turn off the following options under the System tab in WHM >> Tweak Settings:
   - Reset Password for cPanel accounts
   - Reset Password for Subaccounts
2. Enable two-factor authentication for cPanel accounts. With two-factor authentication required, the cPanel account's password can be reset if the options noted in the previous workaround are enabled. However, authentication into cPanel will fail if the attacker doesn't know the 2FA code. See: Two-Factor Authentication for cPanel - Version 84 Documentation - cPanel Documentation
Thank you.
I found a hacked site, in which the legit email address in .contactemail was substituted with the cracker's email (so it happened that the user restored the site three times, and every time the site was hacked again in a very short time...) I would like to check if any other site on my server is using the same email address in .contactemail (or an email address using the same domain @yopmail[.]com); any idea on the right grep syntax to do such a check?!
You can use this command:
find /home -name ".contactemail" -exec grep "email@domain.com" {} /dev/null \;
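The check asked about above, extended to a whole domain and to addresses shared between accounts, as an added example that is not part of the thread or cPanel's own tooling. It assumes one home directory per account directly under the root it is given; the function names and the demo accounts and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one home directory per account
# directly under the root passed as $1 (/home in the thread).

# Print "account<TAB>address" (lowercased) for each .contactemail found.
list_contacts() {
    for f in "$1"/*/.contactemail; do
        # The file is user-writable: skip symlinks rather than follow them
        # when this runs as root. Also skips an unmatched glob.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        acct=$(basename "$(dirname "$f")")
        tr -d '\r' < "$f" | tr '[:upper:]' '[:lower:]' |
            awk -v a="$acct" 'NF { print a "\t" $1 }'
    done
}

# Accounts whose address is at domain $2. The comparison is a literal suffix
# match on "@domain", so dots are not regex wildcards.
contacts_at_domain() {
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    list_contacts "$1" | awk -F '\t' -v d="@$d" '
        length($2) > length(d) && substr($2, length($2) - length(d) + 1) == d'
}

# Addresses set on more than one account: "address<TAB>acct1,acct2".
shared_contacts() {
    list_contacts "$1" | sort | awk -F '\t' '
        { n[$2]++; who[$2] = (who[$2] ? who[$2] "," : "") $1 }
        END { for (e in n) if (n[e] > 1) print e "\t" who[e] }' | sort
}

# Constructed demo tree; accounts and addresses are made up.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/alice" "$t/bob" "$t/carol" "$t/dave"
    echo 'owner@example.com'    > "$t/alice/.contactemail"
    echo 'Drop@Mailbox.example' > "$t/bob/.contactemail"
    echo 'drop@mailbox.example' > "$t/carol/.contactemail"
    echo 'x@notmailbox.example' > "$t/dave/.contactemail"
    contacts_at_domain "$t" mailbox.example
    shared_contacts "$t"
    rm -rf "$t"
}
demo
```

On a server, run it as root against /home with the domain under investigation. A shared address is a lead for review rather than proof of compromise, since one owner may legitimately hold several accounts.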