Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

is cpanel hackable?

  1. Home
  2. Forum
  3. Web hacking
  4. is cpanel hackable?

ghost's Avatar

ghost

0 0

i was just wondering if cpanel is hackable? anyone know?:ninja:


ghost's Avatar

ghost

0 0

Yes Cpanel has some flaws in it but it is not to easy to get by thre exploits by the way they are not to popularā€¦ Article on it I found: First off, you should know that CPanel has alot of flaws in it's shells.

for starters, when you make an account in cpanel (with WHM likley) you essentially automatically give it shell access (which is default), now, some providers allow shell access, and they would usually just select the box for shell access, and there ya go. "We comply with our offers" and you have shell access like they said.

What they don't know.. what they don't know is that (by default) cpanel grants what we call a "normal shell" environment, most hosting provides simply do not know where you can change what type of shell it gives you, and, since its cpanel, assume its secure.

for cpanel there are 2 types of shells: "normal shell" environment and what we call a "jail shell"

Both of these (for cpanel) are essentially swiss cheese.

Like we said before, the default is a normal shell, well heres how you would use it..: (using PuTTy or other ssh client) ssh to host: mydomain.com login: my cpanel user login pass: (when asked in the shell) my cpanel password you will then get a shell bashline, now, this is a normal shell environment, like we said before, in this normal shell environment you have pretty much access to EVERYTHING (except shadow)

so lets try the following.. cd / cd Home/ ls

as you can see it now has listed all the folders in the /home directory, here it lists all the usernames, and in those folders, the files for every account (website) on the server!, you can also cd / and then ls, move around, have fun.

jailshell is a bit different, jailshell will let you move pretty much most places but does not list all those folders (except yours) in /home/ and also dis-allows access to certain stuff, but still, you can get to alot, the good part is, like i said, most providers who use cpanel don't know how to change the normal shell to a jail shell (if they know you could even change it)

so, if you have webhosting with cpanel and they gave you shell access, give this a try.

Shouts to Hybrid sup :P


ghost's Avatar

ghost

0 0

dang i dont got shell access on my account lol


Mr_Cheese's Avatar

Mr_Cheese

0 1

also in cPanel < v10, it cron jobs were run from root i believeā€¦ or a high level user, so one users account could use a cron job that ran system commands to access areas on the server that are usally blocked by open base dir function.

so yes, cpanel does have its flaws.


spyware's Avatar

spyware

Banned
0 0

Like every piece of software there has been reported security issues. I believe the newest version of CPanel has no (public) exploits yet, so you gotta freestyle your way through, for older versions I recommend you to pay a visit to packetstorm and/or milw0rm, they should have the known exploits.

Again, the best stuff is all private :-/.