Selective disabling of the /cpanel link. I have a problem in shared hosting: I want cPanel to have the ability to change the cPanel link for each specific domain in shared hosting. For example, some websites will use the http://www.mydomain.com/cpanel link, but other users may not want to use this kind of link address; they may want to use their own custom cPanel link address! Thanks if you can bring this feature. All end users want this feature for security purposes.
URL shortcuts like example.com/cpanel - ability to disable those ScriptAliasMatch directives
Open Discussion
It would be nice to be able to disable cPanel's default URL shortcuts such as http://www.example.com/webmail/ through the WHM or cPanel interface if it's not desired for those to be available to websites. Currently they have to be commented out in the httpd.conf file and then /usr/local/cpanel/bin/apache_conf_distiller --update has to be run, but when the conf gets rebuilt they get uncommented (or added back in if you had deleted them).
- ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
- ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
- ScriptAliasMatch ^/?kpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
- ScriptAliasMatch ^/?securecontrolpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
- ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
- ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
- ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi
- ScriptAliasMatch ^/Autodiscover/Autodiscover.xml /usr/local/cpanel/cgi-sys/autodiscover.cgi
- ScriptAliasMatch ^/autodiscover/autodiscover.xml /usr/local/cpanel/cgi-sys/autodiscover.cgi
- ScriptAliasMatch ^/?webmail(/.*|/?)$ /usr/local/cpanel/cgi-sys/wredirect.cgi
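An added example (not code from the post or from cPanel) that checks which of these shortcut directives are still active in an httpd.conf and which request paths they capture, using the same first-match, case-sensitive regex semantics Apache's mod_alias applies to ScriptAliasMatch. The sample configuration is constructed from the directives listed above, with one commented-out line added to show that inactive directives are skipped.

```python
import re

# Constructed sample: the shortcut directives quoted in the post above, plus one
# commented-out line, laid out as they would appear in a cPanel-generated
# httpd.conf. This is not a real server's file.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/etc/apache2"
ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?kpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?securecontrolpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi
ScriptAliasMatch ^/Autodiscover/Autodiscover.xml /usr/local/cpanel/cgi-sys/autodiscover.cgi
ScriptAliasMatch ^/autodiscover/autodiscover.xml /usr/local/cpanel/cgi-sys/autodiscover.cgi
ScriptAliasMatch ^/?webmail(/.*|/?)$ /usr/local/cpanel/cgi-sys/wredirect.cgi
# ScriptAliasMatch ^/?oldshortcut/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
"""

# One directive per line: ScriptAliasMatch <regex> <target>. A line starting
# with "#" is a comment and does not match this pattern, so commented-out
# directives are treated as inactive, which is also how Apache treats them.
DIRECTIVE = re.compile(r"^[ \t]*ScriptAliasMatch[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", re.MULTILINE)


def parse_script_alias_matches(conf_text):
    """Return (compiled_regex, pattern_text, target) for every active
    ScriptAliasMatch directive, in configuration order."""
    return [(re.compile(p), p, t) for p, t in DIRECTIVE.findall(conf_text)]


def matching_shortcuts(conf_text, path):
    """All directives whose regex matches the request's URL-path (the decoded
    path, without the query string). mod_alias applies the regex with search
    semantics, so a pattern without '$' also matches any longer path."""
    return [(p, t) for rx, p, t in parse_script_alias_matches(conf_text) if rx.search(path)]


def winning_target(conf_text, path):
    """The CGI that would actually handle the path: mod_alias uses the first
    matching directive in configuration order. None means no shortcut applies
    and the path is served normally."""
    hits = matching_shortcuts(conf_text, path)
    return hits[0][1] if hits else None


def exposed_shortcuts(conf_text):
    """Pattern text of every active shortcut. Compare the output before and
    after a configuration rebuild to see whether the directives came back."""
    return [p for _, p, _ in parse_script_alias_matches(conf_text)]


def audit(conf_text, paths):
    """Map each candidate path to the target that would handle it."""
    return {path: winning_target(conf_text, path) for path in paths}


if __name__ == "__main__":
    probes = ["/cpanel", "/cpanel/", "/cpanel/index.html", "/whm", "/webmail/index.php",
              "/Autodiscover/Autodiscover.xml", "/autodiscover/autodiscover.xml.bak",
              "/AUTODISCOVER/autodiscover.xml", "/oldshortcut"]
    print("active shortcut patterns:", exposed_shortcuts(SAMPLE_HTTPD_CONF))
    for path, target in audit(SAMPLE_HTTPD_CONF, probes).items():
        print(f"{path:40} -> {target or '(served normally)'}")
```

Point it at the generated file (on EasyApache 4 builds that is /etc/apache2/conf/httpd.conf; path assumed) after a rebuild to confirm whether the distiller re-added the directives. Two things the output makes visible: matching is case-sensitive, which is why the Autodiscover directive appears twice, and the two autodiscover patterns have no `$` anchor, so any path beginning with that prefix is routed to the CGI.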
Hi let me know if you have added this feature?
This is important if you use Cloudflare, as such shortcuts are not behind Cloudflare and thus immediately reveal your true IP address.
Having this option can actually improve security. Would like to see this as a per-account setting.
I believe there is already a feature request for this.
This has become more important as some PCI scans flag /controlpanel as vulnerable to clickjacking, like this:
Title:
Web Application Potentially Vulnerable to Clickjacking.
Synopsis
The remote web server may fail to mitigate a class of web application vulnerabilities.
Impact:
The remote web server does not set an X-Frame-Options response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack wherein an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions. X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors. Note that while the X-Frame-Options response header is not the only mitigation for clickjacking, it is currently the most reliable method to detect through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g. frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions. See also: http://www.nessus.org/u?1bced8d9 https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet http://en.wikipedia.org/wiki/Clickjacking
Resolution:
Return the X-Frame-Options HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
Data Received:
The following pages do not use an X-Frame-Options response header: http://domain.tld/controlpanel
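An added example (not code from the post, the scanner, or cPanel) that classifies a response the way the quoted plugin does, with only X-Frame-Options in view, next to how a current browser would treat it, where a CSP frame-ancestors directive takes precedence over X-Frame-Options. The sample responses are constructed; the first imitates the /controlpanel redirect from the finding, with an assumed Location target and no anti-framing header.

```python
# Constructed sample responses (not captured from a real cPanel server). The
# first imitates the shortcut redirect the scanner complained about: a 3xx
# with no anti-framing header. The Location target is assumed.
CONTROLPANEL_REDIRECT = """\
HTTP/1.1 302 Found
Server: Apache
Location: https://domain.tld:2083/
Content-Length: 0
"""

# The same redirect with the header the scanner asks for.
HARDENED_REDIRECT = CONTROLPANEL_REDIRECT + "X-Frame-Options: SAMEORIGIN\n"

# Mitigated with CSP only: browsers honour it, the plugin's XFO check does not see it.
CSP_ONLY = CONTROLPANEL_REDIRECT + "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\n"

# ALLOW-FROM was never supported by Chrome and was dropped by Firefox, so this
# value blocks nothing in current browsers.
ALLOW_FROM = CONTROLPANEL_REDIRECT + "X-Frame-Options: ALLOW-FROM https://partner.example\n"


def parse_response(raw):
    """Split a status line plus header block into (status_code, headers).
    headers maps lowercased name -> list of values, preserving repeats."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def frame_ancestors(headers):
    """Source list of the CSP frame-ancestors directive, or None if absent.
    Only the enforcing header counts; a Report-Only policy never blocks."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def framing_verdict(headers):
    """How a current browser would treat framing of this response:
      'csp'             frame-ancestors is set (overrides X-Frame-Options)
      'xfo'             a single X-Frame-Options value of DENY or SAMEORIGIN
      'xfo-conflicting' several distinct X-Frame-Options values; fix the server
                        rather than relying on how a given browser resolves it
      'xfo-invalid'     X-Frame-Options present but not an enforceable value
                        (ALLOW-FROM, typos)
      'none'            nothing in the headers restricts framing
    """
    if frame_ancestors(headers) is not None:
        return "csp"
    values = {v.strip().upper() for v in headers.get("x-frame-options", [])}
    if not values:
        return "none"
    if len(values) > 1:
        return "xfo-conflicting"
    if values <= {"DENY", "SAMEORIGIN"}:
        return "xfo"
    return "xfo-invalid"


def scanner_flags_missing_xfo(headers):
    """The narrower check the quoted plugin performs: is X-Frame-Options
    absent? True for a CSP-only response is exactly the false positive the
    plugin text warns about."""
    return "x-frame-options" not in headers


if __name__ == "__main__":
    for label, raw in [("as scanned", CONTROLPANEL_REDIRECT), ("with XFO", HARDENED_REDIRECT),
                       ("CSP only", CSP_ONLY), ("ALLOW-FROM", ALLOW_FROM)]:
        status, headers = parse_response(raw)
        print(f"{label:12} {status} browser={framing_verdict(headers):16} "
              f"scanner_flags={scanner_flags_missing_xfo(headers)}")
```

For the /controlpanel finding, the quickest fix the scan accepts is to send the header on the shortcut response as well; in Apache that is `Header always set X-Frame-Options "SAMEORIGIN"`, where the `always` condition is what makes mod_headers add it to a 3xx response rather than only to 2xx ones. A redirect with an empty body has no controls for an attacker to overlay, so the finding is a failed automated check rather than a demonstrated attack; disabling the shortcut, as this request asks, also makes the finding go away.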