
[CPANEL-18704] cPanel contact address is stored in the home directory

Comments

5 comments

  • cPanelMichael
    Hello @abnet,
    1. The /home/$username/.contactemail file stores the cPanel account's contact email address. This is the email address that's configured as part of cPanel >> Home >> Preferences >> Contact Information. The supported method of editing this file through the command line is via the
    0
  • abnet
    Ok, well thank you for the clarity. Even though the clarity does reveal more flaws, glad to hear a case is open to remedy. What does cPanel recommend for WHM users to prevent this flaw from being abused until a solution is live? What I've done is: Home >> Server Configuration >> Tweak Settings, search for "reset", and set these to OFF:
    • Reset Password for cPanel accounts?
    • Reset Password for Subaccounts?
    So that if a bad actor manages to change the contact email, they cannot change the password by email. Is this A solution? The ONLY solution? I would also recommend that cPanel implement something like this by default. open_basedir change: add
        php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }
    to system_pool_defaults.yaml (/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml).
    0
  • cPanelMichael
    Hello @abnet, You can perform one of the following steps to mitigate the issue until a solution is published:
    1. Turn off the following options under the System tab in WHM >> Tweak Settings: Reset Password for cPanel accounts; Reset Password for Subaccounts.
    2. Enable two-factor authentication for cPanel accounts. With two-factor authentication required, the cPanel account's password can be reset if the options noted in the previous workaround are enabled. However, authentication into cPanel will fail if the attacker doesn't know the 2FA code.
    See: Two-Factor Authentication for cPanel - Version 84 Documentation - cPanel Documentation
    Thank you.
    0
  • Remitur
    I found a hacked site in which the legit email address in .contactemail was substituted with the cracker's email (so it happened that the user restored the site three times, and every time the site was hacked again in a very short time...). I would like to check if any other site on my server is using the same email address in .contactemail (or an email address using the same domain, @yopmail[.]com); any idea on the right grep syntax to do such a check?!
    0
  • GOT
    You can use this command: find /home -name ".contactemail" -exec grep "email@domain.com" {} /dev/null \;
    0
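Remitur asked for two checks, an exact address and any address on the same domain, and the find/grep one-liner above covers only the first (and, being an unanchored regex, would also match "email0domain.com"). The script below is an added example written for this page; it is not from the thread, from cPanel, or from any cPanel tool. It walks every ROOT/*/.contactemail, splits each file into addresses, lowercases them, and prints the account name beside every address that equals the given address or whose domain equals the given bare domain. The /home look-alike it builds under mktemp is constructed test data so the script runs offline; treating the file as possibly holding several comma- or whitespace-separated addresses is an assumption, as is the script file name in the usage comment.

```shell
#!/bin/sh
# Added example (not from the cPanel thread): audit ROOT/*/.contactemail for a
# given address or domain. The sample tree below is constructed so this runs offline.

# audit_contactemail ROOT PATTERN
#   ROOT     directory holding the account home directories (normally /home)
#   PATTERN  a full address (attacker@yopmail.com) or a bare domain (yopmail.com)
# Prints "username<TAB>address" (lowercased) for every matching entry.
audit_contactemail() {
    root=$1
    pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for f in "$root"/*/.contactemail; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        # Assumption: the file may hold several addresses separated by commas,
        # spaces, tabs or newlines, so split on all of them before comparing.
        tr -s ', \t\r' '\n\n\n\n' < "$f" | tr 'A-Z' 'a-z' | while IFS= read -r addr; do
            [ -n "$addr" ] || continue
            case $pattern in
                *@*) [ "$addr" = "$pattern" ] || continue ;;        # whole address
                *)   [ "${addr##*@}" = "$pattern" ] || continue ;;  # domain part only
            esac
            printf '%s\t%s\n' "$user" "$addr"
        done
    done
}

# make_sample_home: builds a constructed /home look-alike under mktemp and prints
# its path. Two accounts carry a yopmail.com address, one of them in mixed case
# as the second of two entries; one account has no .contactemail at all.
make_sample_home() {
    sample=$(mktemp -d)
    for u in alice bob carol dave; do mkdir -p "$sample/$u"; done
    printf 'alice@example.com\n' > "$sample/alice/.contactemail"
    printf 'attacker@yopmail.com\n' > "$sample/bob/.contactemail"
    printf 'carol@example.org,Attacker2@YOPMAIL.com\n' > "$sample/carol/.contactemail"
    printf '%s\n' "$sample"
}

# Usage on a real server:  sh audit_contactemail.sh /home yopmail.com
# (the file name is an assumption). With no arguments, run against the sample tree.
if [ "$#" -eq 2 ]; then
    audit_contactemail "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo=$(make_sample_home)
    audit_contactemail "$demo" yopmail.com
    rm -rf "$demo"
fi
```

Comparing whole fields rather than grepping a regex means a pattern such as example.com cannot match notexample.com or example.co, and lowercasing both sides catches addresses an attacker typed in mixed case. Run it as root so every account's home directory is readable, and treat any hit for a domain you do not recognise as a reason to review that account's password, authorised keys and web root, not just to reset the address.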
