  1. #16
    Member brianoz
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by brianoz
    I guess currently that cPanel checks for a root password before checking for the user password and I'm suggesting a reversal of order in the checks.
    This would be a good, and small, change that would eliminate the security complaint entirely. That is, check for the user password first, and use it as that if it matches, regardless of whether the password matches the root password as well.

  2. #17
    Registered User
    Join Date
    Jul 2005
    Posts
    4

    Default It is a bug

    Quote Originally Posted by brianoz
    If you guess the root password, you have access to everything on the box. If I guess *your* password, I've got access to everything in your account. That's just the way operating systems work.

    In the example of the bug, the person was logged in as a normal user, with the normal user password, which is the same as the root and had access to other accounts. This is NOT the way operating systems work. If your normal user has the same password as root, they do not get root access, unless of course they log in as root.


    But still you have to give this user the same password as root, and I doubt any of us would actually do that.


    Steve

  3. #18
    Registered User
    Join Date
    Jul 2005
    Posts
    4

    Default

    Quote Originally Posted by baileysemt
    IMO, it still keeps coming back to "use a stronger root password." It's really not cPanel's job to protect people from being stupid. If you run a server, it's your responsibility. Use a strong root password to protect it.

    Bailey
    I agree with the strong root password, make sure it's nothing simple! Actually all passwords should not be simple ever!


    IMO It comes down to a flaw in the login process!

    A user logging in as themselves should not be given superuser information because his password is the same as root!!!


    Now of course in any environment if they log in as root/administrator/superuser and try their password they get access. But here they log in and are TOLD they have the same password and given the access.

    Makes you wonder how the login system works!





    Steve
    Last edited by shulshof; 08-24-2005 at 11:21 AM.
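
The check order discussed in posts #16 to #18, as an added example that is not part of the original thread and is not cPanel's code: a small Python model comparing a login that tests the root password first with one that tests the account's own password first. The account names, the password values, the PBKDF2 storage and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ROOT_PW = "constructed-Sample-pw-1"   # constructed sample value

def _hash(password, salt):
    # PBKDF2 stands in for whatever the real system stores (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_account(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

def matches(account, password):
    # Constant-time comparison of the stored and the candidate hash.
    return hmac.compare_digest(account["hash"], _hash(password, account["salt"]))

# Constructed accounts: "reseller1" happens to share root's password.
ACCOUNTS = {
    "root": make_account(ROOT_PW),
    "reseller1": make_account(ROOT_PW),
    "reseller2": make_account("constructed-Sample-pw-2"),
}

def login_root_first(username, password):
    """Order the thread complains about: the root password is tested first."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    if matches(ACCOUNTS["root"], password):
        return "root"            # elevated session, even for an ordinary user
    if matches(account, password):
        return "user"
    return None

def login_user_first(username, password):
    """Suggested order: the account's own password wins when it matches."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    if matches(account, password):
        return "root" if username == "root" else "user"
    if matches(ACCOUNTS["root"], password):
        return "root"            # admin entering a user's account on purpose
    return None
```

With the second order, an administrator can still open a user's account with the root password, but a user whose own password collides with root's only ever gets a user-level session.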

  4. #19
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default

    This exact thing happened to us last week. A reseller sent us an email telling us that he could see every username from the dropdown list from his account.

    I checked it out and sure enough there it was. I emailed cPanel and they told me this is a known bug in Edge and that we should downgrade to Stable. Once we downgraded to S the problem was resolved. So if you're running Edge be careful! I can assure you that our reseller did not have our root password.

  5. #20
    Super Moderator chirpy. This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Well, you can simply disable this in RELEASE/CURRENT/EDGE now as I mentioned in an earlier post if you want to, though it breaks the ability to connect to the users' cPanel account, which is a pain.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
