The Community Forums


Hide login password from cgi scripts

Discussion in 'General Discussion' started by Mysteerie, Jun 30, 2013.

  1. Mysteerie

    Mysteerie Well-Known Member

    I am trying to find out more about this setting. It's under WHM > Tweak Settings > Security (The description states the following: This setting allows you to hide the REMOTE_PASSWORD environment variable from scripts executed through cpsrvd's cgi handler.)

    So my question is, what scripts use cpsrvd's cgi handler? What would be the ramification of hiding the REMOTE_PASSWORD environment variable of those scripts?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Beyond the standard CGI scripts that run under WHM, this option can also apply to third-party plugins. The idea behind this option is to make it less convenient to obtain the root password if the root user has been taken over by an attacker and/or a bit less likely that the password will be inadvertently disclosed by a poorly written CGI script.

    Thank you.
     
  3. Mysteerie

    Mysteerie Well-Known Member

    Thank you Michael for responding.

    So basically security through obscurity?

    Also, why is it disabled by default?

    Lastly, is it possible for 3rd party cgi scripts to stop working when enabled?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    It's disabled by default because some scripts executed through cpsrvd's CGI handler may still need the REMOTE_PASSWORD value. It's possible a third-party application could also need the REMOTE_PASSWORD value.

    Thank you.
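
An added example, not part of the thread and not cPanel's code: before enabling the setting, an administrator can scan a directory of CGI scripts for ones that read REMOTE_PASSWORD (and may stop working once it is hidden) and ones that print the whole environment (and could disclose it inadvertently). The directory, file names and dump patterns are assumptions, and the sample scripts are constructed.

```python
import os
import re
import tempfile

# Direct use of the variable: these scripts may break once it is hidden.
USES_PASSWORD = re.compile(r"\bREMOTE_PASSWORD\b")
# Heuristic signs of a whole-environment dump, which would disclose the
# variable without naming it (assumed patterns, illustrative, not exhaustive).
DUMPS_ENV = re.compile(
    r"keys\s+%ENV|\bprintenv\b|os\.environ\.items\(\)|\bphpinfo\s*\("
)

def audit_cgi_tree(root):
    """Return {relative_path: set of findings} for files under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            findings = set()
            if USES_PASSWORD.search(text):
                findings.add("reads REMOTE_PASSWORD")
            if DUMPS_ENV.search(text):
                findings.add("dumps environment")
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample_tree():
    """Constructed sample scripts (hypothetical names), so this runs offline."""
    root = tempfile.mkdtemp(prefix="cgi_audit_")
    samples = {
        "addon_login.cgi": '#!/usr/bin/perl\nmy $pw = $ENV{REMOTE_PASSWORD};\n',
        "debug.cgi": '#!/usr/bin/perl\nprint "$_=$ENV{$_}\\n" for sort keys %ENV;\n',
        "status.cgi": '#!/bin/sh\necho "Content-type: text/plain"\necho ok\n',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, findings in sorted(audit_cgi_tree(build_sample_tree()).items()):
        print(f"{path}: {', '.join(sorted(findings))}")
```

Scripts reported as reading REMOTE_PASSWORD are the ones to test after enabling the setting; a match on the dump patterns only marks a file for manual review.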
     