Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Api, Password strengh problem

Discussion in 'cPanel Developers' started by chposter, Mar 21, 2013.

  1. chposter

    chposter Active Member

    Joined:
    May 9, 2011
    Messages:
    39
    Likes Received:
    1
    Trophy Points:
    58
    Hello

    While using PasswdStrength we receive this error if we use root user

    Could not setuid to root at /usr/local/cpanel/Whostmgr/XMLUI/cPanel.pm

    So we need an existing user to check the password Strength .

    Is there a way to check this without an user? For example when creating accounts. Sometimes there are no users in the box, for example.

    Thanks
     
    #1 chposter, Mar 21, 2013
  2. CharlesBoyd

    CharlesBoyd Member

    Joined:
    May 29, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    The passwdstrength API calls are expected to be run as cPanel user, though it is possible to check passwdstrength as root user with the privilege escalation mechanism provided by the cPanel API.

    Note: I should mention that I think this would not be a good idea and is not an advisable thing to do. Escalating privileges to root for checking password strength of cPanel users provides no advantage, and I would not recommend using API to set/check strength of root password. If you do choose to do this anyway, do *not* use it on a production system until you have thoroughly tested it on a staging server.

    Privilege Escalation with cPanel API Calls

    The reason I recommend against this is simply that when privileges are escalated to root before checking password strength, if your implementation is not very careful and has any security vulnerabilities, then an attacker could use it to leverage a root exploit as an unprivileged local user.

    Programs that setuid() from an unprivileged user to root can be very dangerous.

    Even though your program would only accept a single string (the prospective password) as input, it might be surprising what a malicious user could do with just a string:

    "An innocent looking omission can provide an attacker with just enough leverage to ruin your day."

    http://seclists.org/bugtraq/2000/Sep/214
     
    #2 CharlesBoyd, Mar 25, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - Password strengh problem
  1. plesk4lyf

    exim / dovecot show password

    plesk4lyf, Jan 6, 2019, in forum: E-mail Discussion
    Replies:
    1
    Views:
    280
    cPanelMichael
    Jan 9, 2019
  2. Sarako

    In Progress [CPANEL-25044] Force password change for users?

    Sarako, Dec 21, 2018, in forum: Security
    Replies:
    4
    Views:
    382
    cPanelLauren
    Jan 14, 2019 at 1:22 PM
  3. xylin110

    SOLVED [CPANEL-24361] 500 Error when browsing to Invite and Reset Password URLs

    xylin110, Dec 12, 2018, in forum: General Discussion
    Replies:
    4
    Views:
    299
    cPanelMichael
    Dec 13, 2018
  4. Kumar787

    How to Password Protect multiple WP-Admin folders

    Kumar787, Dec 10, 2018, in forum: Security
    Replies:
    1
    Views:
    304
    cPanelMichael
    Dec 17, 2018
  5. GloryDays

    Password protect site

    GloryDays, Dec 3, 2018, in forum: Security
    Replies:
    10
    Views:
    332
    DemonMaestro
    Dec 6, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice