remove the use of .contactemail hidden file
As a web-hosting provider I would like to remove the use of .contactemail hidden file so that hackers / bots cannot change cPanel passwords and gain total access to a cPanel account.
=====================================
After a hacker / bot has hacked a Joomla, WordPress or other system which a user has not updated or patched, it is possible for the hacker / bot to upload a .contactemail file and then use the Password Reset feature to change the cPanel password and then gain total access to the cPanel of the web hosting account of the hacked website. The feature request is to remove the use of such a .contactemail hidden file to remove this loophole. Perhaps the way to store user-set contact information is via a database which cannot be edited via any means other than a tool provided inside cPanel. Also, there should be an email verification process when the user changes their contact email address.
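The two designs contrasted in this request, as an added example that is not cPanel's code and does not reflect how cPanel stores contact data: `file_based_reset_destination` shows the weak pattern (the reset address is whatever a hidden file inside the account says, so anything that can write into the account can change it), and `ContactStore` shows the proposed alternative, where the record lives outside any account-writable path and a new address only becomes the reset destination after a token sent to that address is confirmed. The 15-minute token lifetime, the `send_mail` callback and the record layout are assumptions made for the example.

```python
# Added example (not cPanel's code): file-trusting reset lookup beside a
# verified-change contact store. Names, TTL and layout are assumptions.
import hashlib
import hmac
import secrets
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute confirmation window


def file_based_reset_destination(home_dir: Path) -> Optional[str]:
    """Weak pattern: the reset address is read from a hidden file inside the
    account, so any code able to write there (e.g. a compromised web app
    running as the account user) can redirect password-reset mail."""
    marker = home_dir / ".contactemail"
    if not marker.is_file():
        return None
    lines = marker.read_text(encoding="utf-8").strip().splitlines()
    return lines[0].strip() if lines else None


@dataclass
class ContactRecord:
    verified_email: Optional[str] = None
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None
    pending_expires_at: float = 0.0


class ContactStore:
    """Authoritative contact records kept outside any account-writable path.
    Assumption: only the control panel's own service can call these methods;
    the hosted website has no write path to the store."""

    def __init__(self, send_mail: Callable[[str, str], None]) -> None:
        self._records: Dict[str, ContactRecord] = {}
        self._send_mail = send_mail  # injected so the flow runs offline

    def provision(self, username: str, verified_email: str) -> None:
        """Initial address set by the provider at account creation."""
        self._records[username] = ContactRecord(verified_email=verified_email)

    def request_change(self, username: str, new_email: str,
                       now: Optional[float] = None) -> None:
        """Record the new address as pending and mail a one-time token to it.
        Only the hash of the token is stored, so a store leak does not leak
        usable tokens."""
        rec = self._records.setdefault(username, ContactRecord())
        token = secrets.token_urlsafe(32)
        rec.pending_email = new_email
        rec.pending_token_hash = hashlib.sha256(token.encode()).hexdigest()
        rec.pending_expires_at = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        self._send_mail(new_email, token)  # only the new mailbox sees the token

    def confirm_change(self, username: str, token: str,
                       now: Optional[float] = None) -> bool:
        """Commit the pending address only for a fresh, matching token."""
        rec = self._records.get(username)
        if rec is None or rec.pending_token_hash is None:
            return False
        if (now if now is not None else time.time()) > rec.pending_expires_at:
            self._clear_pending(rec)
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(supplied, rec.pending_token_hash):
            return False
        rec.verified_email = rec.pending_email
        self._clear_pending(rec)
        return True

    def reset_destination(self, username: str) -> Optional[str]:
        """Password-reset mail goes to the verified address, never the pending one."""
        rec = self._records.get(username)
        return rec.verified_email if rec else None

    @staticmethod
    def _clear_pending(rec: ContactRecord) -> None:
        rec.pending_email = None
        rec.pending_token_hash = None
        rec.pending_expires_at = 0.0


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: a file written by the account user redirects the
    file-based lookup; the store keeps the verified address until confirmed."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".contactemail").write_text("attacker@example.invalid\n")  # constructed
        file_result = file_based_reset_destination(home)
    outbox = []
    store = ContactStore(lambda to, token: outbox.append((to, token)))
    store.provision("user1", "owner@example.invalid")
    store.request_change("user1", "attacker@example.invalid")
    before = store.reset_destination("user1")  # still the owner's address
    return {"file_based": file_result, "store_before_confirm": before}


if __name__ == "__main__":
    print(demo())
```

The point the example makes is where the trust anchor lives: the file can be rewritten by the same user the hacked website runs as, while the store only accepts a change from someone who can read the new mailbox, and it keeps directing reset mail to the old, verified address in the meantime.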
Hello,
We've implemented a fix for this such that we no longer make use of this file as a requirement. This was added in v106, which was shipped in 2022.
Docs: https://docs.cpanel.net/release-notes/106-release-notes/#new-tweak-setting-to-allow-insecure-contact-email-update
https://forums.cpanel.net/threads/cpanel-18704-an-indirect-way-to-change-cpanel-passwords.661145/
Also, related. The 'reset password' feature at the webmail login quite simply doesn't work (v90) (according to InMotion Hosting support at least). The password reset appears to only work with the cPanel user, but the reset password link appears at:
domain.tld/webmail
and does NOT pull the .contactemail address to use as its address to send reset requests to (but does populate a mysterious email reset hint).
Having this individual email account reset password feature appear, but be non-functional, is pretty frustrating for end users and the admins who try to support them.
Please get that feature working, or remove the individual email password reset link until you do.
Thanks.
pb