cPanel information disclosure via env.cgi file


CGI environment variables are used to display information when debugging applications or to pass that information to another script. If you search Google for “env.cgi” you will find thousands of files that disclose sensitive information to the public; one example is: http://staff.washington.edu/ken/env.cgi

The file /backend/env.cgi is accessible to any logged-in cPanel user and displays information such as the cPanel username, password, and cp_security_token.


It’s a simple file that displays all environment variables:

# Print every environment variable of the CGI process, sorted by name
foreach my $env ( sort keys %ENV ) {
    print "${env} = $ENV{$env}\n";
}

Because the file is only visible to logged-in users, how can it be misused?

  1. Phishing emails sent to a logged-in cPanel user that open this file from the user's side and send sensitive information to the attacker
  2. Information can be accidentally disclosed when making video tutorials (streaming)

The real question is why this file was put into production on cPanel. Is it a leftover of cPanel developers’ testing, or does it actually serve a purpose? I don’t see anything malfunctioning inside WHM or cPanel after removing the file, thus it appears that it is just a leftover file.
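To check a server for leftover debug scripts of this kind, here is an added example (not from the original post and not cPanel code): a Python audit that walks a directory tree and reports CGI-style scripts that print the whole environment, like the loop shown above. It goes beyond the Perl case to PHP and shell one-liners; the extension list, the patterns and the directory given on the command line are assumptions of this example.

```python
import os
import re
import sys

# Assumptions of this example: which extensions count as web-executable scripts
CGI_EXTENSIONS = (".cgi", ".pl", ".php", ".sh")
MAX_BYTES = 256 * 1024  # skip large files; environment dumpers are tiny

# Heuristics for code that emits the entire environment rather than one variable
DUMP_PATTERNS = [
    ("perl", re.compile(r"keys\s+%ENV\b")),
    ("php", re.compile(r"phpinfo\s*\(|print_r\s*\(\s*\$_(?:SERVER|ENV)\b")),
    ("shell", re.compile(r"^\s*(?:printenv|env)\s*$")),
]


def find_env_dumpers(root):
    """Return sorted (relative_path, line_number, kind) for each matching line."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(CGI_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # unreadable file: nothing to report
            for lineno, line in enumerate(lines, 1):
                if line.lstrip().startswith("#"):
                    continue  # shebang or '#' comment, not live code
                for kind, pattern in DUMP_PATTERNS:
                    if pattern.search(line):
                        hits.append((os.path.relpath(path, root), lineno, kind))
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, lineno, kind in find_env_dumpers(root):
        print(f"{rel}:{lineno}: prints the full environment ({kind})")
```

A script that reads a single variable, such as `$ENV{REMOTE_USER}`, is not reported; only whole-environment dumps are.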


UPDATE: I’ve opened a new thread on cpanel.net forums: What’s the purpose of ../backend/env.cgi and hopefully I’ll have more information soon. 🙂

whoami
Stefan Pejcic