"Login to Control Panel" from within WHMCS Denied

[davet]

I noticed a recent cPanel upgrade was automatically installed to all of our servers a few days ago.

 

WHM 11.32.2 (build 15)

 

Since then I can no longer login to cPanel directly from a customer's profile in WHMCS.

 

It tries to access the page https://cpanel5.primary001.net:2087/xfercpanel/collegeg and returns the following error:

 

==================

HTTP error 401

You do not have permission to access this page from https://interactiveonline.com/support/admin/clientshosting.php?userid=2370&id=2949.

==================

 

Any ideas how to fix this?

[davet]

Strange, I cleared out my browser history and cookies and it is now working fine.

[inyerface]

I clear browser cache, history, etc, and this still happens. Anyone else experience this and have a fix?

[RFEHosting]

YUp ive seen this too, i gave up on trying to get it fixed.

 

Neither cpanel nor WHMCS could find the problem so i gave up.

Started happening on cPanel 11.32 and newer.

[davet]

Here are some settings I had to change in WHM > Tweak Settings to get it working if I recall correctly.

 

Blank referrer safety check: Off

Referrer safety check: Off

Enable HTTP Authentication: Off

Security Tokens: Off

[RFEHosting]

Here are some settings I had to change in WHM > Tweak Settings to get it working if I recall correctly.

 

Blank referrer safety check: Off

Referrer safety check: Off

Enable HTTP Authentication: Off

Security Tokens: Off

 

Well that sounds like it just kills security then.. ?

[inyerface]

Here are some settings I had to change in WHM > Tweak Settings to get it working if I recall correctly.

 

Blank referrer safety check: Off

Referrer safety check: Off

Enable HTTP Authentication: Off

Security Tokens: Off

 

I agree. This is not a safe setting.

[davet]

Setting all of those to Off is the cPanel default (except for Security Tokens). Security Tokens was default as Off a few versions ago in cPanel.

 

Keeping those settings as described is the only way we have gotten the cPanel login to work from WHMCS.

 

Has anyone else found a better solution that allows them to turn those Tweak Settings to On instead and still allow login to cPanel from WHMCS?

[Lawrence]

Here are some settings I had to change in WHM > Tweak Settings to get it working if I recall correctly.

 

Blank referrer safety check: Off

Referrer safety check: Off

Enable HTTP Authentication: Off

Security Tokens: Off

 

I think you meant to say "On" for all of those settings instead of "Off", as using off for "Enable HTTP Authentication" will cause login issues from the client area. Setting the other 3 to On will improve security, while only "Enable HTTP Authentication" could adversely affect it.

[davet]

@larwilliams, What I stated was correct. The default for the following is Off for WHM 11.32.2

 

Blank referrer safety check: Off

Referrer safety check: Off

Enable HTTP Authentication: Off

 

I did go ahead and turn these to On (except for HTTP Authentication), but now any login attempts from WHMCS require me to type in the root password for the server every time.

 

HTTP Authentication should be Off. There's the following warning in Tweak Settings about enabling HTTP Authentication:

 

"Enable HTTP Authentication for cPanel/WebMail/WHM Logins. This risks certain types of XSRF attacks that rely on cached HTTP Auth credentials. Disabling forces cookie authentication."

 

Also CFS > Check Server Security gives a warning about disabling HTTP Authentication if it is turned On.

[Lawrence]

Sorry if I wasn't clear. What I meant was that only the "Enable HTTP Authentication" setting may need to be on. I run several servers with those settings as I provided, with no issues with logins from WHMCS 5.0