Why is this done?

**volcano** · 04-12-2004, 07:29 PM

Sorry if this has been posted elsewhere before..Search returned nothing.

I was just browsing throug hmy CPanel control panel when I went into the "FTP Account Maintenance" section.

To my shock, my clear text password is in the URL that links to the FTP download of the logfiles!

ftp://myaccount_logs

assword@ftp.myserver/myserver.com

Will this be changed in the future?

**SarcNBit** · 04-12-2004, 08:46 PM

When using standard FTP, your password is transmitted in plain text. You need to know your password to login to your cpanel right? So what is the big deal?

I agree that uname

w combinations should not be sent via URL links under any circumstances and I understand your concern that your password is "on display" for anyone that might be walking by, but FTP is a security issue anyway you slice it.

**jandafields** · 06-24-2004, 11:05 AM

Originally posted by SarcNBit
When using standard FTP, your password is transmitted in plain text. You need to know your password to login to your cpanel right? So what is the big deal?

I agree that unamew combinations should not be sent via URL links under any circumstances and I understand your concern that your password is "on display" for anyone that might be walking by, but FTP is a security issue anyway you slice it.

But, according to cpanel, all our passwords are stored as a 1-way hash, so how does cpanel know our password? It must be stored as plain-text on the server!!! This is VERY BAD

**chirpy** · 06-24-2004, 12:20 PM

n/m

**jandafields** · 06-24-2004, 12:57 PM

With the password being embedded into the links, that causes the password to be saved in the Internet Explorer history. This is different than sniffing the password when you type it in...

**jandafields** · 06-24-2004, 01:53 PM

Originally posted by thaphantom
I believe it is stored in a cookie, when u log out or close the browser the cookie gets eaten byt the cookiemonster

That is only if you click on File -> Login As...

CPanel is embedding it into the url, which is added to the history.

**jandafields** · 06-24-2004, 02:38 PM

Originally posted by thaphantom
only if you use the ftp logs. which opens an ftp conection.

That's exactly what I have been talking about...

**SarcNBit** · 06-24-2004, 07:28 PM

Originally posted by jandafields
With the password being embedded into the links, that causes the password to be saved in the Internet Explorer history.

I thought IE was no longer supporting that method.

**jandafields** · 06-24-2004, 07:38 PM

Actually, I read that earlier today somewhere (IE not allowing that syntax anymore). Another good reason to get rid of the password in the links (just let IE prompt you for it)...

**bouncer** · 06-25-2004, 09:50 AM

Just another reason why you should log in to cpanel using the secure connection

**rockstar** · 06-27-2004, 01:51 AM

Why not use a free piece of software that is more reliable than Microshaft? FileZilla is free, works like a champ and is a hell of a lot more stable than the crap that MS puts out there.

Forums

Thread: Why is this done?

LinkBack

Thread Tools

Why is this done?

cPanel & WHM

Enkompass

Help

Community

Company

Connect with Us