Showing results for tags 'cpanel extended'.

DISCLAIMER: I've been following this community and Blesta for over a year. Recently I purchased a Blesta license and have been doing extensive testing with sample clients, packages, coupons, server groups, etc. I started off provisioning with the default cPanel module. I then decided to give cPanel Extended a shot. During this testing process, I've come across a security issue that concerns me. If this issue has already been brought up and discussed, please forgive me and simply ignore this post. I've searched quite a bit through the forums but have yet to find anyone else with a similar post. I'm fairly new to this forum and still learning my way around. So far I think Blesta has a pretty awesome community of folks!

INITIAL TESTING: I started out testing cPanel Extended with some sample clients and sample packages. Immediately, I was impressed with the nice feature set provided. During my initial testing, everything worked smoothly. I was able to manage aspects of the account through Blesta, and jump right over to cPanel or Webmail or File Manager with a single click via Switch.

SIMPLE IDEA: I have existing hosting clients that I want to map to accounts in Blesta. So I was curious whether I could do that and simply bypass provisioning. I set up a new client account for one of my existing clients. I unchecked the option "Provision using the cPanel Extended module". The service was added and set active. I clicked on the Manage button on the service. I was able to see all the cPanel Extended options and everything seemed to work ok. Next I logged in as my client. Again, I clicked the Manage button on the service. I was able to access all the cPanel Extended features. I was able to access cPanel and Webmail thanks to SSO. Everything looked good. This is great! I can map all my existing clients in Blesta with cPanel Extended. Life is good!!!

ANOTHER IDEA GONE WRONG: Then my mind started thinking about security. What if someone signed up for an account and entered a domain name that already existed on the server and mapped to another client? Would the new client signing up get an error during the order process? What if I added a service to a client through the Admin and entered a domain name that was already mapped to another Blesta account?

First, I decided to test within the Admin area. I was able to set up multiple clients with the same service and mapped to the same domain. But I'm explicitly choosing to uncheck the provision option. So by not provisioning, Blesta doesn't know if that domain already exists or not. And since cPanel Extended is using SSO, I was able to access all features including cPanel and Webmail on the same domain from all the client accounts. This test case is highly unlikely because we would not be setting up multiple accounts mapped to the same domain and bypassing provisioning. It just doesn't make sense.

Next, I decided to sign up as a new client. During the order process, I entered a domain that was already set up on the server and mapped to an existing Blesta account. The order went through successfully. I didn't receive any error message. Next I accessed my new client area. I noticed the service was marked PENDING. (At this point I logged in to Admin and checked the Module Logs. cPanel Extended created logs for generating a cPanel user token. But I didn't see a log showing the account creation failed. SPOILER: Later I did similar testing with the default cPanel module and it generated an error log stating the account already existed on the server. Further, the cPanel module kept the service PENDING, and when I tried to access Info or Stats it said "Account does not exists". Kudos for the security measures implemented in the default cPanel module!)

With my new account, I viewed my PENDING service. I clicked on the Manage button. I gained access to ALL cPanel Extended features. I could see detailed information about that existing domain account. I could see what email and FTP accounts were set up. I could access cPanel, Webmail, File Manager, and phpMyAdmin. I could change the cPanel password! Hopefully for those of you reading this, you can see the MAJOR SECURITY RISK posed here. Anyone from anywhere could come to my site, sign up for a hosting account, enter the domain of one of my existing clients, gain access to their account, and do some SERIOUS DAMAGE.

GOING FORWARD: Ideally, I would want an error message to be returned during the order process stating the domain chosen is not valid or already in use. But at a minimum, until the service becomes active, all cPanel Extended features should be inaccessible. Perhaps simply disabling or removing the Manage button and disabling the ability to click on the service row for the expanded Switch options. I'm cloning the GitHub repo and will start looking at options for closing this security hole. If anyone else in the community can make the fix faster due to more familiarity with the Blesta code base, please do!

SUMMARY: I do want to extend my thanks and appreciation to cyandark for the module. The features are just what I'm looking for to integrate cPanel with Blesta. But currently, I or someone faster needs to resolve this security risk before I will feel comfortable using it in production.
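The two controls the post asks for, as an added example that is not part of the original post and not code from Blesta or the cPanel Extended module: a domain-uniqueness check at order time, and a deny-by-default gate in front of every module management action that requires the service to be ACTIVE and owned by the requester. It is a plain-Python model with constructed sample data; the `Service` fields (including `server_id`), the `Status` values and the function names are assumptions for illustration, not Blesta's data model or API.

```python
"""Model of the two missing checks (added example, not Blesta/cPanel Extended code).

 1. validate_order: refuse a domain already attached to a non-canceled service
    on the same server, instead of creating a PENDING service whose
    provisioning fails silently.
 2. authorize_manage: deny every module action (Manage tab, SSO links,
    password change) unless the service is ACTIVE and owned by the requester.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):  # assumed service lifecycle states
    PENDING = "pending"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    CANCELED = "canceled"


@dataclass(frozen=True)
class Service:  # hypothetical shape of a hosting service record
    service_id: int
    client_id: int
    server_id: int  # which cPanel server the account lives on (assumed field)
    domain: str
    status: Status


def normalize_domain(domain: str) -> str:
    # Case, surrounding whitespace and a trailing dot must not defeat the
    # comparison: "Example.COM." has to collide with "example.com".
    return domain.strip().rstrip(".").lower()


def domain_conflicts(domain: str, server_id: int, existing: list[Service]) -> list[Service]:
    """Services on the same server that already claim this domain.
    Pending and suspended services still count: the account exists on the box."""
    wanted = normalize_domain(domain)
    return [
        s for s in existing
        if s.server_id == server_id
        and normalize_domain(s.domain) == wanted
        and s.status is not Status.CANCELED
    ]


def validate_order(domain: str, server_id: int, existing: list[Service]) -> tuple[bool, str]:
    """Order-form check: fail the order up front rather than later in provisioning."""
    if domain_conflicts(domain, server_id, existing):
        return False, "Domain is already in use on this server"
    return True, "ok"


def authorize_manage(service: Service, requester_client_id: int, is_staff: bool = False) -> tuple[bool, str]:
    """Gate for every module action. Only an ACTIVE service owned by the
    requester (or any ACTIVE service, for staff) is allowed through."""
    if service.status is not Status.ACTIVE:
        return False, f"service is {service.status.value}, not active"
    if not is_staff and service.client_id != requester_client_id:
        return False, "service belongs to another client"
    return True, "ok"


# Constructed sample data modelled on the scenario in the post.
EXISTING = [
    Service(101, client_id=1, server_id=1, domain="alice-hosting.example", status=Status.ACTIVE),
    Service(102, client_id=2, server_id=1, domain="bob-hosting.example", status=Status.SUSPENDED),
    Service(103, client_id=3, server_id=2, domain="alice-hosting.example", status=Status.ACTIVE),
]


def demo() -> dict:
    """Walk through the post's cases and return the decisions."""
    # A new sign-up enters an existing client's domain (odd casing, trailing dot).
    dup_order, _ = validate_order("ALICE-hosting.example.", server_id=1, existing=EXISTING)
    # The same domain on a different server is a different account: no conflict.
    other_server, _ = validate_order("bob-hosting.example", server_id=2, existing=EXISTING)
    # Suppose the order slipped through anyway and sits PENDING under the attacker.
    pending = Service(200, client_id=9, server_id=1, domain="alice-hosting.example", status=Status.PENDING)
    manage_pending, _ = authorize_manage(pending, requester_client_id=9)
    # The legitimate owner managing an ACTIVE service, and a stranger trying the same.
    manage_owner, _ = authorize_manage(EXISTING[0], requester_client_id=1)
    manage_other, _ = authorize_manage(EXISTING[0], requester_client_id=9)
    return {
        "duplicate_order_accepted": dup_order,
        "other_server_order_accepted": other_server,
        "pending_manage_allowed": manage_pending,
        "owner_manage_allowed": manage_owner,
        "other_client_manage_allowed": manage_other,
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two design points worth noting. The status gate is checked before the ownership check so that a PENDING or SUSPENDED service is refused even for its own client, which is exactly the case the post describes; and the uniqueness check treats suspended and pending records as occupied, since the account still exists on the server until it is actually removed. In a real module the same `authorize_manage` decision must sit in front of the SSO token generation and the password-change handler, not only in front of the button that renders the Manage tab.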