Hide login password from cgi scripts

Mysteerie

Well-Known Member
Dec 29, 2003
129
0
166
Hide login password from cgi scripts

I am trying to find out more about this setting. It's under WHM > Tweak Settings > Security (The description states the following: This setting allows you to hide the REMOTE_PASSWORD environment variable from scripts executed through cpsrvd's cgi handler.)

So my question is, what scripts use cpsrvd's cgi handler? What would be the ramafication of hiding the REMOTE_PASSWORD environment variable of those scripts?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

Beyond the standard CGI scripts that run under WHM, this option can also apply to third-party plugins. The idea behind this option is to make it less convenient to obtain the root password if the root user has been taken over by an attacker and/or a bit less likely that the password will be inadvertently disclosed by a poorly written CGI script.

Thank you.
 

Mysteerie

Well-Known Member
Dec 29, 2003
129
0
166
Thank you Michael for responding.

So basically security through obscurity?

Also, why is it disabled by default?

Lastly, is it possible for 3rd party cgi scripts to stop working when enabled?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
It's disabled by default because some scripts executed through cpsrvd's CGI handler may still need the REMOTE_PASSWORD value. It's possible a third-party application could also need the REMOTE_PASSWORD value.

Thank you.