  1. #1
    Member
    Join Date
    Feb 2007
    Posts
    271

    Huge cPanel Bug, Passwords...

    1. Entered cPanel
    2. Changed root password to:

    Ggu,2M,8)Uh~GZ1C!m1G6*V,kK/BB/X&hzn.Ic=l99935;.luy

    3. Can't access root anymore... Says password is incorrect, same with shell. Why add change root pass link to whm when it does not work?

    Same with accounts transfer, when using hard passwords, copy multiple accounts from server will give a password error, although password is correct.

  2. #2
    cPanel Development cpanelkenneth
    Join Date
    Apr 2006
    Posts
    3,768
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by DjiXas
    1. Entered cPanel
    2. Changed root password to:

    Ggu,2M,8)Uh~GZ1C!m1G6*V,kK/BB/X&hzn.Ic=l99935;.luy

    3. Can't access root anymore... Says password is incorrect, same with shell. Why add change root pass link to whm when it does not work?

    Same with accounts transfer, when using hard passwords, copy multiple accounts from server will give a password error, although password is correct.
    I'm not able to reproduce the first scenario in 11.25.0-CURRENT_42048.

    Changing root's password via WHM (port 2087) encountered no issues. I was able to log out, log in and perform normal work with the supplied password.

    The situation is different for account transfers. Passwords are piped to a shell process and I think the data is not properly quoted or escaped (indeed some characters cannot ever be quoted or escaped from shell processing). This means the shell will take meta characters, such as &!, and process them.
    Kenneth
    Product Development
    cPanel, Inc.

  3. #3
    Member
    Join Date
    May 2009
    Posts
    29


    Kenneth, doesn't that pave the way to enormous exploits then? If this same issue is present in the cPanel interface and the shell were to parse the ';' character, that would be more than a little concerning, would it not?

    I would seriously like to know just how seriously (or maybe not, as the case might be) you guys take security... we've noticed multiple security flaws which could easily have been spotted and fixed if the code was audited before being pushed out the door. I know a lot of other companies have experience of these issues too.

    It also worries me that the fixes can often take ages to be backported from EDGE down to STABLE - not a single one of the release trees is stable, secure and up to date. Then there's the use of outdated, buggy software through EasyApache and the numerous performance enhancements you force us to miss out on by relying on old versions of MySQL, PostgreSQL, PHP and the like. Frustrating.
    Thanks, Luke Carrier
    edgeWeb - the cutting edge web host
    Free cPanel 11 hosting now available!

  4. #4
    cPanel Partner NOC
    Join Date
    Jul 2005
    Posts
    598


    Quote Originally Posted by cpanelkenneth
    The situation is different for account transfers. Passwords are piped to a shell process and I think the data is not properly quoted or escaped (indeed some characters cannot ever be quoted or escaped from shell processing). This means the shell will take meta characters, such as &!, and process them.
    Wouldn't it be just transferring a hash and not the actual password?

  5. #5
    cPanel Development cpanelkenneth
    Join Date
    Apr 2006
    Posts
    3,768
    cPanel/Enkompass Access Level

    Root Administrator


    Actually, part of my statement was incorrect. While the password is passed to a shell process, passing it by means of a pipe does not subject the data to processing by the shell.

    My apologies for the misinformation.
    Kenneth
    Product Development
    cPanel, Inc.
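
    The distinction drawn in #2, #3 and #5, shown as an added example that is not part of this thread or of cPanel's own code: the password is spliced into a command string in one function and handed to the shell via a quoted argument, a stdin pipe, or an argv list in the others. Python and subprocess are assumptions made here for the demonstration (cPanel itself is not written in Python), and the sample password is constructed, not the one from the thread.

```python
import shlex
import subprocess

# Constructed sample password (not the one from the thread). It contains the
# shell metacharacters the thread worries about: ';' and '$'.
SAMPLE_PASSWORD = "Ab,2M;printf %s tail$NO_SUCH_VAR"


def _run_shell_string(command: str) -> str:
    """Hand a command string to /bin/sh and return its stdout."""
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def unsafe_interpolated(password: str) -> str:
    """The bug described in #2: the password is spliced into a command string,
    so the shell parses it as syntax. ';' ends the command and '$NO_SUCH_VAR'
    expands to nothing, so the consumer never receives the real password."""
    return _run_shell_string(f"printf '%s' {password}")


def via_quoted_argument(password: str) -> str:
    """Fix 1: shlex.quote() single-quotes the value, so the shell treats every
    character, including ';' and '$', as literal text."""
    return _run_shell_string(f"printf '%s' {shlex.quote(password)}")


def via_stdin_pipe(password: str) -> str:
    """Fix 2 (the situation #5 describes): the shell process reads the password
    from a pipe on stdin. Data consumed by 'read -r' is never parsed as syntax."""
    proc = subprocess.run(
        ["sh", "-c", 'IFS= read -r pw; printf "%s" "$pw"'],
        input=password + "\n",
        capture_output=True,
        text=True,
    )
    return proc.stdout


def via_argv_no_shell(password: str) -> str:
    """Fix 3: skip the shell entirely; argv elements are passed verbatim."""
    return subprocess.run(["printf", "%s", password], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (unsafe_interpolated, via_quoted_argument, via_stdin_pipe, via_argv_no_shell):
        got = fn(SAMPLE_PASSWORD)
        print(f"{fn.__name__:22} intact={str(got == SAMPLE_PASSWORD):5} received={got!r}")
```

    Only the interpolated variant changes what the receiving side sees; the three others deliver the password byte-for-byte.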
