The Community Forums


Autocomplete enabled? Another SecurityMetrix failure. What can I do about this one?

Discussion in 'Security' started by jols, Feb 21, 2011.

  1. jols

    jols Well-Known Member

    Mar 13, 2004
    TCP 2082 3
    Description: Autocomplete enabled for password input (/login/)
    ############# Linux 2.6.9 - 2.6.30 Feb 20 01:42:34 2011 new
    Severity: Potential Problem 2.62735new11
    Impact: Poor authentication practices may leave the web application vulnerable to authentication attacks.
    Background: Some web applications perform authentication by requiring a user to enter a login and password into an HTML form. This type of authentication is achieved using the HTML INPUT element with the type attribute set to password.
    Resolution: To use HTML form-based authentication more securely in web applications, do the following:
    - Remove the value attribute from the INPUT tag corresponding to the password field.
    - Submit all forms to an SSL-enabled (https) service using the form's action attribute.
    - Place all protected web directories on an SSL-enabled (https) service.
    - Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.
    Vulnerability Details: Service: 2082:TCP Received: <input id="pass" type="password" name="pass" size="16" tabindex="2" /></td>

    Is this a basic cPanel or Apache thing we can switch off, or are they just telling us that all 200 accounts need their own SSL certs, etc.?
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Oct 2, 2010
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: Autocomplete enabled? Another SecurityMetrix failure. What can I do about this on

    Hello jols,

    You would want to change to only using https authentication for the cPanel services to pass this one. It is mentioning 2082 which is the insecure http cPanel login. In WHM > Tweak Settings, you can select:

    This would then force https for all of the cPanel, WHM and Webmail logins.

    If this is already selected, it's possible that 2082 is still opened for some reason. Simply close it off in the firewall.
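
The checks in the report's Resolution list, applied to a login page's HTML, as an added example that is not part of the thread and is not cPanel or scanner code. The host name, the sample markup and the function and class names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LoginFormAudit(HTMLParser):
    """Flags what the report's Resolution list asks to be fixed."""

    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlparse(page_url).scheme
        self.form_autocomplete = None  # value inherited from the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete", "").lower()
            # A relative or missing action posts to the page's own scheme.
            scheme = urlparse(a.get("action", "")).scheme or self.page_scheme
            if scheme != "https":
                self.findings.append(f"form submits over {scheme}")
        elif tag == "input" and a.get("type", "").lower() == "password":
            name = a.get("name") or a.get("id") or "?"
            setting = a.get("autocomplete", self.form_autocomplete or "").lower()
            if setting != "off":
                self.findings.append(f"autocomplete enabled on password input '{name}'")
            if a.get("value"):
                self.findings.append(f"password input '{name}' has a pre-filled value")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None

def audit_login_page(page_url, html):
    """Return the list of findings for one fetched login page."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a form around the <input> the scanner received on 2082.
SAMPLE_HTTP = """<form action="/login/" method="post">
<input id="user" type="text" name="user" />
<input id="pass" type="password" name="pass" size="16" tabindex="2" /></td>
</form>"""
# Constructed sample: the same form with the attribute set, served over https.
SAMPLE_HTTPS = SAMPLE_HTTP.replace('name="pass"', 'name="pass" autocomplete="off"')

if __name__ == "__main__":
    print(audit_login_page("http://host.example:2082/login/", SAMPLE_HTTP))
    print(audit_login_page("https://host.example/login/", SAMPLE_HTTPS))
```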

