
remove the use of .contactemail hidden file

cat1234 shared this idea 3 years ago
Open Discussion

As a web-hosting provider, I would like to remove the use of the .contactemail hidden file so that hackers / bots cannot change cPanel passwords and gain total access to a cPanel account.

=====================================

After a hacker / bot has hacked a Joomla, WordPress or other system which a user has not updated or patched, it is possible for the hacker / bot to upload a .contactemail file and then use the Password Reset feature to change the cPanel password and gain total access to the cPanel of the web-hosting account of the hacked website. The feature request is to remove the use of such a .contactemail hidden file to close this loophole. Perhaps the way for a user to set contact information should be via a database which cannot be edited by any means other than a tool provided inside cPanel. Also, there should be an email verification process when the user changes their contact email address.
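An added example for the attack path the request describes, not cPanel's own tooling and not code from the requester: a provider-side audit that walks a home-directory root, reads each account's .contactemail, and flags the signs of a dropped or tampered file (recently modified, symlinked elsewhere, group/world writable, malformed entries, or addresses that differ from a trusted baseline the provider keeps out of band). The file layout (one address per line at <home>/<account>/.contactemail), the baseline dictionary, the 24-hour "recent" window and the sample accounts built by build_sample_tree are all assumptions made for the illustration.

```python
"""Audit .contactemail files under a home-directory root for tampering.

Example added to this feature-request thread; not cPanel's code. Assumptions:
- each account's contact address lives at <home_root>/<account>/.contactemail,
  one address per line (assumed layout);
- the provider keeps a trusted baseline {account: [addresses]} taken out of band.
"""
import os
import re
import stat
import time
from dataclasses import dataclass

# Loose syntactic check: one local part, one '@', a dotted domain. Enough to
# catch junk (shell fragments, URLs) dropped into the file by a web shell.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str
    detail: str = ""


def read_contact_emails(path):
    """Return the non-empty lines of a .contactemail file (assumed: one address per line)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.strip() for line in fh if line.strip()]


def audit_account(home_root, account, baseline, now=None, recent_seconds=86400):
    """Audit one account's .contactemail against the trusted baseline; returns Findings."""
    now = time.time() if now is None else now
    path = os.path.join(home_root, account, ".contactemail")
    findings = []
    if not os.path.lexists(path):
        return findings  # no file: nothing for a reset flow to read, so no finding here

    st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
    if stat.S_ISLNK(st.st_mode):
        # A symlink lets an attacker point the reset flow at a file they control elsewhere.
        findings.append(Finding(account, "symlink", os.readlink(path)))
        return findings
    if st.st_mode & 0o022:
        findings.append(Finding(account, "loose-permissions", oct(stat.S_IMODE(st.st_mode))))
    age = now - st.st_mtime
    if age < recent_seconds:
        findings.append(Finding(account, "recently-modified", f"{age / 3600:.1f}h ago"))

    emails = read_contact_emails(path)
    for entry in emails:
        if not EMAIL_RE.match(entry):
            findings.append(Finding(account, "malformed-entry", entry))
    unexpected = sorted(set(emails) - set(baseline.get(account, [])))
    if unexpected:
        findings.append(Finding(account, "unexpected-address", ", ".join(unexpected)))
    return findings


def audit_all(home_root, baseline, now=None, recent_seconds=86400):
    """Audit every account directory under home_root; returns a flat list of Findings."""
    findings = []
    for account in sorted(os.listdir(home_root)):
        if os.path.isdir(os.path.join(home_root, account)):
            findings.extend(audit_account(home_root, account, baseline, now, recent_seconds))
    return findings


def build_sample_tree(root, now):
    """Construct sample accounts (constructed data, not real users) and return the baseline.

    alice: untouched for ten days, address matches the baseline.
    bob:   .contactemail rewritten a minute ago with an attacker-controlled address.
    carol: .contactemail replaced by a symlink pointing outside the home directory.
    """
    for user, addr, age in (("alice", "alice@example.com", 10 * 86400),
                            ("bob", "attacker@mail.example", 60)):
        os.makedirs(os.path.join(root, user), exist_ok=True)
        path = os.path.join(root, user, ".contactemail")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(addr + "\n")
        os.chmod(path, 0o600)
        os.utime(path, (now - age, now - age))
    os.makedirs(os.path.join(root, "carol"), exist_ok=True)
    os.symlink("../../etc/passwd", os.path.join(root, "carol", ".contactemail"))
    return {"alice": ["alice@example.com"], "bob": ["bob@example.com"],
            "carol": ["carol@example.com"]}


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    now = time.time()
    for f in audit_all(root, build_sample_tree(root, now), now=now):
        print(f"{f.account}: {f.reason} {f.detail}")
```

Run it from cron against the real home root with a baseline exported from the provider's own records; a "recently-modified" or "unexpected-address" hit on an account whose owner has not touched cPanel is exactly the pattern the request describes (web app compromised, file dropped, reset requested). The symlink check matters because a reset flow that follows links reads whatever the attacker pointed at.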

Comments (2)


Also, related. The 'reset password' feature at the webmail login quite simply doesn't work (v90) (according to InMotion Hosting support, at least). The password reset appears to only work with the cPanel user, but the reset password link appears at:

domain.tld/webmail

and does NOT pull the .contactemail address to use as the address to send reset requests to (but does populate a mysterious email reset hint).

Having this individual email account reset password feature appear, but be non-functional, is pretty frustrating for end users and the admins who try to support them.

Please get that feature working, or remove the individual email password reset link until you do.

Thanks.


pb
