The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[Case 108473] change in password creates .my.cnf in home directory

Discussion in 'Security' started by sjwrick, Aug 18, 2014.

  1. sjwrick

    sjwrick Member

    Joined:
    Jan 9, 2014
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Curious thing.

    running CENTOS 6.5 x86_64 kvm – storm2 WHM 11.44.1 (build 15)

    I host a number of domains.

    When setting the password for the domain in cPanel (List --> "+" --> "Change Password"

    I find that a file .my.cnf is created in the home directory. This file contains the domain username and password:

    Code:
    [meuser@storm2 ~]# ls -l /home/liliana/.my.cnf 
    -rw------- 1 liliana liliana 39 Aug 18 08:40 /home/liliana/.my.cnf
    
    and ....

    Code:
    [meuser@storm2 ~]#cat /home/domainuser/.my.cnf 
    [client]
    password=m<pasword set in cPanel>
    user=domainuser[/INDENT]
    
    Is this Standard Operating Procedure?

    Interesting that it is not encrypted.
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Yes, that is normal behavior. The MySQL credentials in the .my.cnf file are used to log into phpMyAdmin and to install and uninstall Site Software, and the password is stored in plain text in that file.
     
  3. sjwrick

    sjwrick Member

    Joined:
    Jan 9, 2014
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks. Nice to know.

    Now to sleep.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Is this a new behavior? I did not have any user level .my.cnf files on my server, and I change passwords relatively frequently. I never had any problems accessing phpmyadmin without the .my.cnf file there.

    I notice now if I change one through list accounts that a .my.cnf is indeed created. While the permissions being 600 certainly helps keep it restricted to that user, I still would like to know why this default behavior changed. This could lead to simple LFI attacks disclosing a plain text cPanel password.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    The change you notice likely stems from internal case number 96117 that was introduced in cPanel version 11.44:

    Fixed case 96117: Update users .my.cnf when Synchronize MySQL password is selected.

    The issue was brought up with our developers in internal case number 108473, but it was determined to be by design. Thus, a feature request would be necessary to see a change in this behavior:

    Submit A Feature Request

    Thank you.
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I'll be calling someone on the security team then. It's pretty unacceptable to store the CP PW in plain text; anyone with an addon domain or ftp docroot in public_html has access to the password.

    If nothing else, it should be default to create a different mysql password (one that is not the cPanel password) if the MySQL PW must be stored in plain text now. I don't see why it even needs to be in the first place though.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    It's important to note that this file is stored in the account's home directory (/home/$username) and not in the public_html directory. That does not make much of a difference regarding your concerns, but I wanted to point that out to other users who may see this thread. Please let us know if you the security team provides you with a case number and we can update this thread with the outcome.

    Thank you.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Agreed, quizknows. This may be by design, but the design needs redesigned. Clearly.
     
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I see the title has had the case number added to it, this is the same case number provided to me in my correspondence with the security team.

    I look forward to a resolution, thank you.
     
  10. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    I just want to add my support for changing this. Storing the cpanel login details - or the mysql login details in a plain text file anywhere in the account is just not acceptable.
     
  11. vendeka

    vendeka Registered

    Joined:
    Aug 10, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    I also want it to be changed because 'Storing the cpanel login details - or the mysql login details in a plain text file anywhere in the account is just not acceptable'
     
  12. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Yeah that is absolutely insane. Although not as blatant as if one would put their cPanel password in /home/<account>/public_html/this_is_my_cpanel_password.txt, it's pretty close. Any vulnerable script on the account can be immediately used to garner the password [plaintext in a known location on every cPanel server] and then account login. If the account has SSH available, somebody can jump right in via SSH and pick away until they find something else exploitable. Let's face it, 99 times out of 100 a user who changes their password likely syncs it with MySQL.

    Reminds me of Filezilla and their stance for the longest time [and maybe still] that it's perfectly okay by default to store FTP login credentials in a plaintext file on your machine, so that when your machine gets infected the infecting program knows exactly where to go to look for FTP login credentials.

    This is disappointing. Somebody at cPanel should be yelling "what were you thinking!"

    Mike
     
  13. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    I think you guys are looking at this all wrong. It's not a bug, it's a feature! Now, when the customer complains that they can't remember their password, just go look in .my.cnf! Problem solved! No messy password resets needed! Even better -- put up a KB article and explain how they can look for themselves. Think of the time savings!

    I hope we can replicate this design to email accounts, so I have an easy way of seeing everyone's email passwords, too. Maybe they can be stored in plain text in the user's root at /.my.email.passwords (better yet, use /.my.3mai1.pa$$w0rds for security). I'll get the feature request submitted. You're welcome.

    - Scott
     
  14. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Thanks Scott! That certainly would make my life easier. Damned customers are always forgetting their email passwords. This would free up that support time for more important things, like suspending breached acccounts!

    M
     
  15. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    While I can usually appreciate sarcasm, this is a serious issue. I do thank everyone for their support (and the laughs).

    I've been assured this is being addressed, but I have not been supplied with a timeline. I'd mention another current event that increases the severity of this significantly, but the hackers haven't figured it out yet, so I'm in no hurry to post it publicly.
     
    #15 quizknows, Sep 16, 2014
    Last edited: Sep 16, 2014
    sneader likes this.
  16. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Indeed it is a serious issue -- and serious issues often call for a little levity. For those of us who are on call 24/7/365 in this forsaken business, you have to have something to laugh about.

    I'm glad to hear cPanel has assured you that this is being addressed. Hopefully the other 'current event' you are referring to is also being addressed by the parties responsible for doing so.

    I appreciate the fact that sjwrick posted about it so that we could all be aware.

    Take it easy.

    M
     
  17. ianmarie

    ianmarie Well-Known Member

    Joined:
    Mar 27, 2006
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    storing passwords, especially main account passwords, in plain text is a security issue - anyone who has had the experience of an account compromise knows this, so I am very surprised that cpanel has allowed this through, and those who favour convenience have probably never suffered from the tragedy that can strike.

    csx scans specifically highlight files where the cpanel password is stored, for attention/action as a security risk

    for now, I am deleting the ones I find

    so - the question now becomes, "what will not work if this file does not exist"?
     
  18. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Nothing. It doesn't need to be there. PHPmyAdmin does not need that file, it can use the cPanel session data and does so with priority over a .my.cnf file.

    The only need for a .my.cnf file IMO is so you can call mysql from the bash command line without needing your password.

    This needs to be fixed yesterday. BTW, the people calling it a convenience are being sarcastic ;)
     
  19. bgardmore

    bgardmore Member

    Joined:
    Nov 20, 2003
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Why waste the developers time making this a feature request - its already a feature ( sic)
    The information available is already all that is required to access the email accounts, change passwords or indeed just use the default email account straight out of the tin.
     
  20. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    I'm deleting the my.cnf files every day via cron - but that's obviously not an adequate resolution.

    In the last ten years of using cPanel, I've not seen such a glaringly stupid oversight as this. What an embarrassing mistake. It makes them look like amateurs. Seemingly no idea about security whatsoever.

    I'm also astounded that they haven't fixed it yet. I'm honestly looking at alternatives to cpanel now. If this doesn't get resolved soon - cpanel will lose a long standing customer.

    Very disappointed.
     
Loading...

Share This Page