Possible Vulnerability with ProFTPD - Site User Account Accessing Root Directory #114

New Issue

Closed

opened 2026-04-05 20:25:31 +02:00 by MrUnknownDE · 0 comments

MrUnknownDE commented 2026-04-05 20:25:31 +02:00

Owner

Copy Link

Originally created by @ipelweb on 3/26/2025

CloudPanel version(s) affected

2.5.1-4

Description

I’m testing CloudPanel for the first time and I really like it! Great work!

However, I noticed an issue when logging in via FTP with the site user account: it allows access to all server files, up to the root directory.

The site user account should be restricted to accessing only the site's files (/home/xxx) and not the entire server directory structure.

This issue doesn’t occur when creating and using a "normal" FTP User.

I'm not an expert, maybe it's not even a bug, just want to let you know this.

How to reproduce

Log in via FTP using the site user account in FileZilla.

After logging in, click the "up one level" button (the two dots) to navigate to the parent directory.

You will be able to access the server root directory and view/edit all server files.

This issue does not occur if you create and use a dedicated FTP account.

Possible Solution

I resolved this by editing the ProFTPD configuration file located at:

/etc/proftpd/proftpd.conf

from

DefaultRoot ~ ftp-user

to

DefaultRoot ~

Additional Context

No response

*Originally created by @ipelweb on 3/26/2025* ### CloudPanel version(s) affected 2.5.1-4 ### Description I’m testing CloudPanel for the first time and I really like it! Great work! However, I noticed an issue when logging in via FTP with the **site user account**: it allows access to all server files, up to the root directory. The site user account should be restricted to accessing only the site's files (/home/xxx) and not the entire server directory structure. This issue doesn’t occur when creating and using a "normal" FTP User. I'm not an expert, maybe it's not even a bug, just want to let you know this. ### How to reproduce Log in via FTP using the site user account in FileZilla. After logging in, click the "up one level" button (the two dots) to navigate to the parent directory. You will be able to access the server root directory and view/edit all server files. This issue does not occur if you create and use a dedicated FTP account. ### Possible Solution I resolved this by editing the ProFTPD configuration file located at: `/etc/proftpd/proftpd.conf` from `DefaultRoot ~ ftp-user ` to `DefaultRoot ~` ### Additional Context _No response_

MrUnknownDE closed this issue 2026-04-05 20:25:31 +02:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

v2.5.3

v2.5.1

v2.5.2

v2.5.0

v2.4.2

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.2.1

v2.2.2

v2.2.0

v2.1.0

v2.0.4

v2.0.3

v2.0.1

v2.0.2

v2.0.0

v1.0.7

v1.0.5

v1.0.6

v1.0.3

v1.0.3rc

v1.0.4

v1.0.2

v1.0.1

v1.0.0

Labels

Clear labels

In progress

In progress

In progress

In progress

In progress

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

feedback needed

feedback needed

help wanted

improvement

improvement

improvement

improvement

patch available

patch available

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

MrUnknownDE

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/cloudpanel-ce#114