cPanel File Manager $password bug

Daniel15

Oct 7, 2006
Hi,
Recently, I was informed about an interesting bug in cPanel's File Manager. Basically, if you create a file with contents like the following:
Code:
<?php
$password = "This is a test";
?>
using cPanel's File Manager, save the file, and then reopen it, the contents change to:
Code:
<?php
[cPanel Password] = "This is a test"
?>
It appears that $password is being interpreted by cPanel as a placeholder for the user's cPanel password. I see this as a security risk, as someone could unknowingly save their password into a plaintext file which contains '$password'. I can confirm that this bug is present in version 10.9.0-RELEASE-34 of cPanel. However, it does not occur in the 10.8.2-RELEASE 119 release.

Original report: http://www.cwhnetworks.com/forums/index.php?showtopic=4107
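
Added example, not part of the original post and not cPanel's code: a minimal sketch of how this class of bug can arise, assuming the editor page is built by splicing the file contents into a template and then expanding `$name` placeholders over the whole page. The template, function names, and session values are hypothetical and constructed for illustration.

```python
import html
import re

# Hypothetical editor-page template; $file_body marks where file contents go.
TEMPLATE = "<h1>Editing $filename as $user</h1><textarea>$file_body</textarea>"
PLACEHOLDER = re.compile(r"\$(\w+)")

# Constructed sample data (not real credentials).
SESSION = {"user": "alice", "filename": "config.php",
           "password": "S3cret-constructed"}
FILE_BODY = '<?php\n$password = "This is a test";\n?>'


def expand(text, values):
    """Replace each $name that has a value; leave unknown names untouched."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), text)


def render_vulnerable(file_body, session):
    # File contents are spliced in first, then the WHOLE page is expanded,
    # so any $name inside the user's file is treated as a placeholder.
    page = TEMPLATE.replace("$file_body", html.escape(file_body))
    return expand(page, session)


def render_fixed(file_body, session):
    # Single pass over the template only: the file body is just one more
    # value, and substituted values are never rescanned for placeholders.
    # Secrets are also dropped from the template context entirely.
    values = {k: v for k, v in session.items() if k != "password"}
    values["file_body"] = html.escape(file_body)
    return expand(TEMPLATE, values)


if __name__ == "__main__":
    print(render_vulnerable(FILE_BODY, SESSION))
    print(render_fixed(FILE_BODY, SESSION))
```

If the user then saves what the vulnerable page shows in the textarea, the substituted secret is written to disk in place of the literal `$password`.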