cPanel TSR-2014-0006 Full Disclosure

Case 108965


Bypass of account suspension via mod_userdir.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.


The fix for case 101677 in TSR-2014-0005 introduced a regression in account suspensions that allowed the web content of a suspended account to be viewed normally via Apache userdir style URLs. This has been corrected so that both NameVirtualHost and userdir access to the suspended account’s web content is blocked.
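A log check for the regression described above, added here as an example and not taken from cPanel's advisory or code: it scans Apache access-log lines for userdir-style requests (`/~username/...`) to suspended accounts that were answered with content. It assumes the common/combined log format and an operator-supplied set of suspended usernames; the function name, sample users and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format:
# host ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# mod_userdir URL form: /~username or /~username/anything
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?#]+)')

def served_userdir_hits(log_lines, suspended_users):
    """Return (time, client, user, path, status) for userdir requests that
    were answered with content (2xx or 304) for a suspended account."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # The log holds the raw request line, so decode %7E to match "~".
        path = unquote(m.group("path"))
        u = USERDIR_RE.match(path)
        if not u or u.group("user") not in suspended_users:
            continue
        status = int(m.group("status"))
        # Assumption: a correctly blocked request is not answered 2xx/304.
        if 200 <= status < 300 or status == 304:
            hits.append((m.group("time"), m.group("host"),
                         u.group("user"), path, status))
    return hits

# Constructed sample data (not from the advisory).
SUSPENDED = {"alice"}
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] "GET /~alice/index.html HTTP/1.1" 200 512 "-" "curl"',
    '192.0.2.11 - - [01/Jan/2014:10:00:05 +0000] "GET /~alice/ HTTP/1.1" 302 0 "-" "curl"',
    '192.0.2.12 - - [01/Jan/2014:10:00:09 +0000] "GET /%7Ealice/a.png HTTP/1.1" 304 0 "-" "curl"',
    '192.0.2.13 - - [01/Jan/2014:10:00:12 +0000] "GET /~bob/index.html HTTP/1.1" 200 100 "-" "curl"',
    '192.0.2.14 - - [01/Jan/2014:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "curl"',
]

if __name__ == "__main__":
    for hit in served_userdir_hits(SAMPLE_LOG, SUSPENDED):
        print(hit)
```

Any hit dated after an account's suspension indicates the server was still serving that account's content through userdir while the regression was present.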


This issue was discovered by the cPanel Security Team.


This issue is resolved in the following builds:

For the PGP-signed message, see: