
cPanel Extended Security Issue


JaxSite


DISCLAIMER:
I've been following this community and Blesta for over a year. Recently I purchased a Blesta license and have been doing extensive testing with sample clients, packages, coupons, server groups, etc. I started off provisioning with the default cPanel module. I then decided to give cPanel Extended a shot. During this testing process, I've come across a security issue that concerns me. If this issue has already been brought up and discussed, please forgive me and simply ignore this post. I've searched quite a bit through the forums but have yet to find anyone else with a similar post. I'm fairly new to this forum and still learning my way around. So far I think Blesta has a pretty awesome community of folks!

 

INITIAL TESTING:
I started out testing cPanel Extended with some sample clients and sample packages. Immediately, I was impressed with the nice feature set provided. During my initial testing, everything worked smoothly. I was able to manage aspects of the account through Blesta, and jump right over to cPanel or Webmail or File Manager with a single click via Switch.

SIMPLE IDEA:
I have existing hosting clients that I want to map to accounts in Blesta. So I was curious if I could do that and simply bypass provisioning. I set up a new client account for one of my existing clients. I unchecked the option Provision using the cPanel Extended module. The service was added and set active. I clicked on the Manage button on the service. I was able to see all the cPanel Extended options and everything seemed to work ok.

Next I logged in as my client. Again, I clicked the Manage button on the service. I was able to access all the cPanel Extended features. I was able to access cPanel and Webmail thanks to SSO. Everything looked good. This is great! I can map all my existing clients in Blesta with cPanel Extended. Life is good!!!

ANOTHER IDEA GONE WRONG:
Then my mind started thinking about security. What if someone signed up for an account and entered a domain name that already existed on the server and mapped to another client? Would the new client signing up get an error during the order process? What if I added a service to a client through the Admin and entered a domain name that was already mapped to another Blesta account?

First, I decided to test within the Admin area. I was able to set up multiple clients with the same service and mapped to the same domain. But I'm explicitly choosing to uncheck the provision option. So by not provisioning, Blesta doesn't know if that domain already exists or not. And since cPanel Extended is using SSO, I was able to access all features including cPanel and Webmail on the same domain from all the client accounts. This test case is highly unlikely because we would not be setting up multiple accounts mapped to the same domain and bypassing provisioning. It just doesn't make sense.

Next, I decided to sign up as a new client. During the order process, I entered a domain that was already setup on the server and mapped to an existing Blesta account. The order went through successfully. I didn't receive any error message. Next I accessed my new client area. I noticed the service was marked PENDING. (At this point I logged in to Admin and checked the Module Logs. cPanel Extended created logs for generating a cPanel user token. But I didn't see a log showing the account creation failed. SPOILER: Later I did similar testing with the default cPanel module and it generated an error log stating the account already existed on the server. Further, cPanel module kept the service PENDING, and when I tried to access Info or Stats it said Account does not exists. Kudos for the security measures implemented in the default cPanel module!)

With my new account, I viewed my PENDING service. I clicked on the Manage button. I gained access to ALL cPanel Extended features. I could see detailed information about that existing domain account. I could see what email and ftp accounts were set up. I could access cPanel, Webmail, File Manager, and phpMyAdmin. I could change the cPanel password! Hopefully for those of you reading this, you can see the MAJOR SECURITY RISK posed here. Anyone from anywhere could come to my site, sign up for a hosting account, enter the domain of one of my existing clients, gain access to their account, and do some SERIOUS DAMAGE.

GOING FORWARD:
Ideally, I would want an error message to be returned during the order process stating the domain chosen is not valid or already in use. But at a minimum, until the service becomes active, all cPanel Extended features should be inaccessible. Perhaps simply disabling or removing the Manage button and disabling the ability to click on the service row for the expanded switch options.

I'm cloning the GitHub repo and will start looking at options for closing this security hole. If anyone else in the community can make the fix faster due to more familiarity with the Blesta code base, please do!

SUMMARY:
I do want to extend my thanks and appreciation to cyandark for the module. The features are just what I'm looking for to integrate cPanel with Blesta. But at present, I or someone faster needs to resolve this security risk before I will feel comfortable using it in production.


Hi,

Thanks for your feedback. cPanel Extended has many bugs inherited from the ModulesGarden version. We are working on a new version with many of the functions rewritten from scratch using our code style, like other modules that we made from scratch, such as SolusVM Extended. :blesta:

Everybody is welcome to make pull requests in the GitHub repo.


Correct. The default module created a Blesta account and added the service as PENDING. But you could not access the cPanel integrated features offered from the default module. Not sure if because it is PENDING or flagged from a failed attempt to provision the account. Either way, it prevents someone from spoofing a domain at purchase and gaining access later.

I'm going through the cPanel Extended code this evening. I'm hoping I can simply remove the Manage options in all cases unless the service is Active. Plus, add prevention measures during the order process area. That would even be a little more than the default module does.


Somehow I missed the entry in the module logs where cPanel Extended tried to call "createacct" and received an error back from cPanel. I attached a screenshot showing the log entry. So it looks like cPanel prevents a duplicate account with the same domain name from being created. That's good. And it appears like cPanel Extended responds to that error by setting the service in PENDING status.

Now I'm thinking I would like for it to do the following:

  1. Remove the Manage button by the service listing in all states except Active.
  2. Remove the Switch icons on service row expansion in all states except Active.
  3. If someone enters the direct URL to the cPanel Extended dashboard it disables all functionality and displays a message that the account is not properly setup (similar to default cPanel module).
  4. Add a notification message somewhere in the Admin so an administrator is aware the next time they login.
  5. Email an administrator of the failed provision (this might already be an existing Blesta feature).

 

cpanel-extended-createacct-log.png


Based on my previous post, I set out this evening to fix the current security issue with the following goals in mind:

  1. Remove the Manage button by the service listing in all states except Active.
  2. Remove the Switch icons on service row expansion in all states except Active.
  3. If someone enters the direct URL to the cPanel Extended dashboard it disables all functionality and displays a message that the account is not properly setup (similar to default cPanel module).
  4. Add a notification message somewhere in the Admin so an administrator is aware the next time they login.
  5. Email an administrator of the failed provision (this might already be an existing Blesta feature).

After getting familiar with Blesta and cPanel Extended codebases, I have fixed the issue and accomplished my first three goals. I'll continue to become more familiar with the codebase so I can complete goals 4 and 5 too.

To accomplish goal #1, I wrapped the template code with a status active check. This removed the Manage button in the Options column of the service row. Here is the code:

/app/views/client/[template]/client_services.pdt

<td>
	<?php
	// $status is the status filter of the current service list, so the
	// Manage button is only rendered on the "active" listing
	if ($this->Html->ifSet($status) == "active") {
	?>
	<div class="btn-group">
		<a href="<?php echo $this->Html->safe($this->base_uri . "services/manage/" . $this->Html->ifSet($services[$i]->id) . "/");?>" class="btn btn-xs btn-default">
			<i class="fa fa-cog fa-fw"></i>  <?php $this->_("ClientServices.index.option_manage");?>
		</a>
	</div>
	<?php
	}
	?>
</td>

To accomplish goal #2, I wrapped the containing table row with a status active check. This disables the row expansion feature in all service states except active. Here is the code:

/app/views/client/[template]/client_services.pdt

<?php
// List all services
for ($i=0; $i<$num_services; $i++) {
	// Only active listings get the "expand" class that enables the
	// row expansion (and with it the Switch icons)
	if ($this->Html->ifSet($status) == "active") {
	?>
	<tr class="expand service_info">
	<?php
	} else {
	?>
	<tr>
	<?php
	}
?>
	<td><?php $this->Html->_($services[$i]->package->name);?></td>
	<td><?php $this->Html->_($services[$i]->name);?></td>

To accomplish goal #3, I wrapped the sidebar tab building code with a status active check. This removes all of the cPanel Extended tabs and features from the /services/manage/ view. By removing the Manage button in goal #1 above, the average user will never be able to reach this URL. But for the tech savvy, it wouldn't be hard to figure out. And my goal with this fix is to prevent those tech savvy types from causing harm. :) So just in case this URL is called, unless the service is active, no manage features are available. Here's the code:

/app/controllers/client_services.php

public function manage() {

	$this->uses(array("Coupons", "ModuleManager"));

	// Ensure we have a service, and that it belongs to the logged-in client
	if (!($service = $this->Services->get((int)$this->get[0])) || $service->client_id != $this->client->id)
		$this->redirect($this->base_uri);

	$package = $this->Packages->get($service->package->id);
	$module = $this->ModuleManager->initModule($service->package->module_id);
	$module->base_uri = $this->base_uri;

	$method = isset($this->get[1]) ? $this->get[1] : null;

	// Set sidebar tabs (module management tabs) only for an active service;
	// a pending service, e.g. one whose createacct call failed, gets none
	if ($service->status == "active") {
		$this->buildTabs($service, $package, $module, $method);
	}

I've also attached some screenshots showing the updated UIs where a cPanel Extended service is in PENDING state and management is basically disabled. Overall, I've had a fun night getting familiar with some of the code. Most importantly, I'm happy I was able to fix this security issue for my needs. I welcome any suggestions and advice from the Blesta Developers as well as cyandark. If there's a better way to fix this issue, please share so I can learn in the process. Thanks again for providing this community and everyone here who is so helpful.

Cheers!
;)


services-grid-no-manage.png

manage-page-empty.png
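The three fixes above apply the same "only when active" rule in three separate places (the Options column, the row expansion, and the controller). As an added example, not code from the original post, from Blesta or from cPanel Extended, the following PHP puts that policy in one function so the template and the controller cannot drift apart, and adds the order-time check the first post asks for (rejecting a domain that already belongs to a different client). The function names serviceIsManageable and domainAvailableFor, the $lookupOwner callback, and the sample service objects are all assumptions made for the example; in a real deployment the lookup would be backed by Blesta's own service records or by the server's account list.

```php
<?php
declare(strict_types=1);

// Added example (not Blesta's or cPanel Extended's code). Function names and
// sample data are hypothetical.

/**
 * Return true only if $clientId may use module management features on
 * $service. Ownership and status are both checked server-side here, so a
 * direct request to /services/manage/<id>/ is refused for a pending,
 * suspended or canceled service even if some link to it is still visible.
 */
function serviceIsManageable(object $service, int $clientId): bool
{
    if (!isset($service->client_id, $service->status)) {
        return false;                        // fail closed on malformed input
    }
    if ((int) $service->client_id !== $clientId) {
        return false;                        // not this client's service
    }
    return $service->status === 'active';    // provisioning must have succeeded
}

/**
 * Order-time check. $lookupOwner receives a normalized domain and returns the
 * id of the client that already owns it, or null if it is free. The domain is
 * lowercased and stripped of a trailing dot so "Example.COM." matches
 * "example.com"; anything outside hostname characters is rejected outright.
 */
function domainAvailableFor(string $domain, int $clientId, callable $lookupOwner): bool
{
    $normalized = strtolower(rtrim(trim($domain), '.'));
    if ($normalized === '' || !preg_match('/^[a-z0-9.-]+$/', $normalized)) {
        return false;
    }
    $owner = $lookupOwner($normalized);
    return $owner === null || $owner === $clientId;
}

// --- constructed sample data ------------------------------------------------
// Client 2 ordered a domain that already belongs to client 1; createacct
// failed, so the service stayed pending.
$pendingDuplicate = (object) ['id' => 7, 'client_id' => 2, 'status' => 'pending'];
$activeOwnService = (object) ['id' => 3, 'client_id' => 1, 'status' => 'active'];

// domain => owning client id (stands in for the service records on the server)
$existingDomains = ['example.com' => 1];
$lookup = fn(string $d): ?int => $existingDomains[$d] ?? null;

// Manage view: pending service, wrong client, and the legitimate owner
var_dump(serviceIsManageable($pendingDuplicate, 2));
var_dump(serviceIsManageable($activeOwnService, 2));
var_dump(serviceIsManageable($activeOwnService, 1));

// Order form: taken by another client, same client re-ordering, and a free name
var_dump(domainAvailableFor('Example.COM.', 2, $lookup));
var_dump(domainAvailableFor('example.com', 1, $lookup));
var_dump(domainAvailableFor('new-site.net', 2, $lookup));
```

In the controller this replaces the two separate checks with one early exit (`if (!serviceIsManageable($service, $this->client->id)) $this->redirect($this->base_uri);`) placed before the module is initialized, and the template calls the same function per row instead of relying on the list's status filter. Keeping the check in one place also makes it easy to extend later, for example to refuse management while a service is suspended for non-payment.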
