cPanel Security Problem - Lets you in with blank username

[TySoft]

Hello,

I've discovered what I perceive as a bit of a security problem. If I cPanel to http://www.cpaneldomain.com:2082, I can log in with the account's password and a blank username.

Any idea why this is happening and how to correct it? Seeing this on 10.8.0 R58.

Thanks!

 

[Izzee]

WHM 10.8.0 cPanel 10.8.0-E84
RedHat 9 i686 - WHM X v3.1.0

I can confirm this is infact the case.
domainname.tld:2082 - no user name required just password

Has this always been like this?
Until TySoft's post I had never tried it?

Perhaps a bug report for this might be in order.

Just upgraded to latest edge and no change to report.
WHM 10.8.0 cPanel 10.8.1-E2
RedHat 9 i686 - WHM X v3.1.0

 

[binaer]

can confirm on FreeBSD 5.1-RELEASE.

On 5.4-RELEASE (FreeBSD), the issue is solved!

 

[Alain Leonard]

Hello,

I'm confirm this security problerm on :

cPanel 10.8.1-R4
FC 2

 

[Myacen]

What happens when two accounts have the same password?

 

[HH-Steven]

I can confirm this aswell :

WHM 10.8.0 cPanel 10.8.1-R4
CentOS 3.5 i686 - WHM X v3.1.0

What happens when two accounts have the same password?

Nothing, just keeps showing the pop up / login until a username is entered.

 

[binaer]

is a Bug-Report already open? When no, who makes one?

 

[Logan]

Reported, http://bugzilla.cpanel.net/show_bug.cgi?id=3392

 

[chirpy]

You should report security issues to [email protected] quoting the bugzilla entry.

 

[Tapan]

Ya and bug is still here.

 

[Zaf]

See the bug in newer release, while I dont see it in 'cPanel 10.6.0-R158'.

 

[Tapan]

Hi,

I don't think R good as it may have some more bugs but atleast S will have less bugs compraed to R. I will stick to S till this is added from R to S.

Thanks.

 

[chirpy]

The latest RELEASE and STABLE versions are effectively equivalent, so that's currently moot.

 

[asterisk]

WHM 10.8.0 cPanel 10.8.1-R30 is fine for those who are on the Release Tree. You might like to try upgrading to that.

 

[cPanelBilly]

This option has actually been available in cPanel for quite some time. It takes the domain that you are logging in with as the username, you cant just log into any domain witht eh password. You still must know the domainname.
ie domain.com/cpanel has the password 'asdf1234'

you cannot go to otherdomainonserver.com/cpanel and use that password as it will not be correct for otherdomainonserver.com

Now if this is something a few of you are not comfertable with you are more than welcome to say this in the bug report and a tweak setting should be able to be added to turn this off, however it really isnt much of security issue.

 

[geeky_devil]

i m having a BIGger problem

i bought the domain from a reseller, he said that the server is in FLORIDA, running Apache, Linux

but dudes

the cPanel is not accepting my pwd.

the man flew to another country, now i dont know WHO to ask, please assist me at [email protected]

 

[chirpy]

i bought the domain from a reseller, he said that the server is in FLORIDA, running Apache, Linux

but dudes

the cPanel is not accepting my pwd.

the man flew to another country, now i dont know WHO to ask, please assist me at [email protected]

Your post appears to have nothing to do with this thread. Regardless, if you're having problems accessing an end-user cPanel account you will have to speak with your web hosting provider.