cPanel login, security issue

tuxfan

Member
Oct 1, 2006
11
0
151
between chair and keyboard
If a user goes to hisdomain.com/cpanel, he is prompted for a username and a password. But simply entering a password takes him into cPanel, even if the username is left blank.

Does this not reduce the security by 50%? :eek:

I always try to make a somewhat un-common usernames for my cPanel accounts. But that seems useless after I discovered this bug (or feature?). Any solution to this?
 

randomuser

Well-Known Member
Jun 25, 2005
147
0
166
After a few us of bitched long enough about this stupid "feature" it has finally been dealt with, just not in STABLE yet, perhaps not in RELASE as well. It's not a bug, hard to believe I know.
 

jayh38

Well-Known Member
Mar 3, 2006
1,213
0
166
tuxfan said:
If a user goes to hisdomain.com/cpanel, he is prompted for a username and a password. But simply entering a password takes him into cPanel, even if the username is left blank.

Does this not reduce the security by 50%? :eek:

I always try to make a somewhat un-common usernames for my cPanel accounts. But that seems useless after I discovered this bug (or feature?). Any solution to this?
To get around this for now:

tweak settings > whm > system
check the two boxes:
Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.
When visiting /cpanel or /whm or /webmail with ssl redirect to the servers hostname.

When you are forced to the login from the host name location, cpanel is no longer associated with a users name, thus they have to know what user name is as well as the password.

And of course for added security, you can force clients to use something other than the assumed user name that cpanel generates from the domain name.
If you have resellers, then oh well... their host provider domain will be revealed.