SOLVED CPANEL-40481 - Issue using whmapi1 CLI to reset password

Operating System & Version
CloudLinux release 7.9
cPanel & WHM Version
102.0 (build 11)
G

garhiyal

Member
PartnerNOC
Nov 10, 2010
8
0
51
When using WHM API1 via CLI , if the user's password begins with @ , your system throws up the following error.

[[email protected] ~]# whmapi1 --output=jsonpretty passwd user='user' password="@samudra123"
Cpanel::Exception::IO::FileNotFound/(XID zjsfdw) The system cannot find a file named “samudra123”.
at /usr/local/cpanel/Cpanel/LoadFile.pm line 73.
Cpanel::LoadFile::_open("samudra123") called at /usr/local/cpanel/Cpanel/LoadFile.pm line 121
Cpanel::LoadFile::_load_r(CODE(0x81f730), "samudra123") called at /usr/local/cpanel/Cpanel/LoadFile.pm line 103
Cpanel::LoadFile::load("samudra123") called at bin/apitool.pl line 221
bin::apitool::_process_one_argument("\@samudra123", 1) called at bin/apitool.pl line 236
bin::apitool::_process_arguments(ARRAY(0x838840), 1) called at bin/apitool.pl line 193
bin::apitool::_whm_parse_args(__CPANEL_HIDDEN__, HASH(0x1dd4df0), __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, ARRAY(0x838840)) called at bin/apitool.pl line 92
bin::apitool::run(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__) called at bin/apitool.pl line 40

Apart from not being able to set the password that begins from @ , though it may seems exaggerated, but a well a crafted requested maybe able to exploit other aspects which maybe beyond this functionality

I have not tested it with other password sequences. I believe the input parameters should be character proof of at-least all ASCII characters.

Server's cPanel version is 102.0 (build 11)

Thanks

Kirti Singh
 
Last edited by a moderator:
cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
14,399
2,255
363
cPanel Access Level
Root Administrator
I did hear back from our developers that this is actually intended behavior with the API system. "@" is one of the special characters in URI encoding, which is outlined here:

URL encoding - Wikipedia

en.wikipedia.org en.wikipedia.org

so anything starting with @ for a URI value is interpreted as a file name. Here are some more details from the whmapi help file:

Code: 
[[email protected] /]# whmapi1 --help
whmapi1

Utility to execute WHM API calls

    whmapi1 [options] [function] [uri-key=uri-value] [uri-key=uri-value] ....

    Additional documentation is available at https://go.cpanel.net/whmapi1

    IMPORTANT: “uri-key” and “uri-value” represent URI-escaped strings.

    If “uri-value” begins with “@”, it is treated as a file name from which to
    read (without URI-escaping).
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
E New Thread cPanel Restric Access for Specifi User Security 0
B In Progress CPANEL-42515 - PCI Scan complaint about Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl Security 5
I command line password generator from the whm/cpanel UI Security 1
I SOLVED CPANEL-42469 - New cPanel installs ModSec Tools Hits empty/stopped Security 8
W SOLVED CPANEL-42410 - ClamAV CVE-2023-20032 & CVE-2023-20052, RCE with 9.8 CVSS Security 7
Similar threads
New Thread cPanel Restric Access for Specifi User
In Progress CPANEL-42515 - PCI Scan complaint about Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl
command line password generator from the whm/cpanel UI
SOLVED CPANEL-42469 - New cPanel installs ModSec Tools Hits empty/stopped
SOLVED CPANEL-42410 - ClamAV CVE-2023-20032 & CVE-2023-20052, RCE with 9.8 CVSS
Top Bottom