
What's the purpose of ../backend/env.cgi


5 comments

  • Spirogg
    Hello, is there any real use for the env.cgi file? Do some cPanel scripts depend on it, or is it just a leftover from testing purposes? /usr/local/cpanel/base/backend/env.cgi Thank you in advance.

    I think that is part of the backend of WHM. If you go to the terminal and type: nano /usr/local/cpanel/base/backend/env.cgi
    you can see the actual file content:

        #!/usr/local/cpanel/3rdparty/bin/perl

        # cpanel - base/backend/env.cgi                   Copyright 2022 cPanel, L.L.C.
        #                                                           All rights reserved.
        # copyright@cpanel.net                                         http://cpanel.net
        # This code is subject to the cPanel license. Unauthorized copying is prohibited

        use cPstrict;

        # Emit a plain-text CGI response header, then one "NAME = value" line
        # per environment variable, sorted by name.
        print "Content-type: text/plain\r\n\r\n";

        foreach my $env ( sort keys %ENV ) {
            print "${env} = $ENV{$env}\n";
        }

    Then just press Ctrl+X to close the file after viewing. I believe .env files are plain-text configuration files... it seems this is a script to print or create .env files for cPanel.
  • StefanPejcic
    Hi there, thank you for your answer. I'm aware of the file's content and output, but because it could lead to information disclosure, I'm simply curious if the file has a real purpose or if it was just used for testing and is now inadvertently included in cPanel production. Simply put: is this file actually used by cPanel, and if so, what for? Thank you once again. Cheers!
  • cPRex Jurassic Moderator
    @StefanPejcic - can you let me know what you mean by "information disclosure"?
  • StefanPejcic
    path, password, cpsess, and others are displayed in the file - see the attached screenshot (dummy data). Even though a cPanel user must be signed in to read it, there are a few instances where this is insufficient and can result in the disclosure of sensitive information. For example: this file may be opened using a phishing link that is sent to the user; a script copies its output and sends it back to the attacker. That's why I'm curious if this file is actually required at that location, and if so, what exactly does cPanel use it for?
  • cPRex Jurassic Moderator
    The purpose of that file is to print any environment variables from the shell. It would only show the variables for the session that is currently active, and if a user isn't logged in, it wouldn't have any data to show. If you are logged in to cPanel you can visit 2083/cpsess#########/backend/env.cgi and see the data, but only when the session is active. If you think there is another way this could be exploited, please send a message to security@cpanel.net.
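    As an added illustration (not cPanel's code, and not part of the thread), here is a Python equivalent of the env dump that keeps the same "NAME = value" listing but masks the kinds of values the thread worries about: variables whose names suggest passwords, cookies or session data, and any cpsess<digits> token embedded in URL-like values. The key patterns and the sample environment are assumptions constructed for the example.

```python
import os
import re
from typing import Dict

# Assumed: variable names that mark a whole value as sensitive. Based on the
# thread's mention of password and session data; extend to taste.
SENSITIVE_KEY_RE = re.compile(
    r"(PASS|PASSWORD|SECRET|TOKEN|KEY|COOKIE|AUTH|SESSION)", re.IGNORECASE
)

# cPanel session ids appear as "cpsess" followed by digits in the request
# path (the thread cites .../cpsess#########/backend/env.cgi).
CPSESS_RE = re.compile(r"cpsess\d+")

MASK = "<redacted>"


def redact_value(key: str, value: str) -> str:
    """Return a display-safe version of one environment variable."""
    if SENSITIVE_KEY_RE.search(key):
        return MASK
    # A session id can hide inside otherwise harmless values such as
    # SCRIPT_URI or HTTP_REFERER, so scrub it wherever it appears.
    return CPSESS_RE.sub("cpsess" + MASK, value)


def redact_env(env: Dict[str, str]) -> Dict[str, str]:
    """Apply redact_value to every variable in the mapping."""
    return {k: redact_value(k, v) for k, v in env.items()}


def render_env(env: Dict[str, str]) -> str:
    """Same sorted 'NAME = value' listing env.cgi prints, but redacted."""
    lines = [f"{k} = {v}" for k, v in sorted(redact_env(env).items())]
    return "\n".join(lines) + "\n"


# Constructed sample standing in for a real CGI request's environment;
# the names and values are illustrative, not captured from a server.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "REMOTE_PASSWORD": "hunter2",
    "SCRIPT_URI": "https://example.test:2083/cpsess1234567890/backend/env.cgi",
    "HTTP_COOKIE": "cpsession=constructed-sample",
}

if __name__ == "__main__":
    # Use the real environment only when actually running as a CGI.
    env = dict(os.environ) if "GATEWAY_INTERFACE" in os.environ else SAMPLE_ENV
    print("Content-type: text/plain\r\n")
    print(render_env(env), end="")
```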
