Hide login password from cgi scripts

Discussion in 'General Discussion' started by Mysteerie, Jun 30, 2013.

  1. Mysteerie

    Mysteerie Well-Known Member


    I am trying to find out more about this setting. It's under WHM > Tweak Settings > Security (The description states the following: This setting allows you to hide the REMOTE_PASSWORD environment variable from scripts executed through cpsrvd's cgi handler.)

    So my question is, what scripts use cpsrvd's cgi handler? What would be the ramification of hiding the REMOTE_PASSWORD environment variable of those scripts?
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello :)

    Beyond the standard CGI scripts that run under WHM, this option can also apply to third-party plugins. The idea behind this option is to make it less convenient to obtain the root password if the root user has been taken over by an attacker and/or a bit less likely that the password will be inadvertently disclosed by a poorly written CGI script.

    Thank you.
     
  3. Mysteerie

    Mysteerie Well-Known Member

    Thank you Michael for responding.

    So basically security through obscurity?

    Also, why is it disabled by default?

    Lastly, is it possible for 3rd party cgi scripts to stop working when enabled?
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    It's disabled by default because some scripts executed through cpsrvd's CGI handler may still need the REMOTE_PASSWORD value. It's possible a third-party application could also need the REMOTE_PASSWORD value.

    Thank you.
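
Added example, not part of the thread and not cPanel code: since the replies say some scripts run through cpsrvd's CGI handler may still need REMOTE_PASSWORD, this scans a directory of CGI scripts for references to the variable so they can be reviewed before the setting is enabled. The directory argument, the function names and the sample script names are assumptions, and the sample scripts are constructed.

```python
import os
import re
import sys
import tempfile

# Matches the name however a script reads it: $ENV{'REMOTE_PASSWORD'},
# os.environ["REMOTE_PASSWORD"], getenv("REMOTE_PASSWORD"), $REMOTE_PASSWORD.
PATTERN = re.compile(rb"\bREMOTE_PASSWORD\b")

def find_remote_password_refs(root):
    """Return {path relative to root: [line numbers]} for text files mentioning the variable."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if b"\0" in data[:4096]:
                continue  # looks binary; compiled plugins need a manual check
            lines = [n for n, line in enumerate(data.splitlines(), 1)
                     if PATTERN.search(line)]
            if lines:
                hits[os.path.relpath(path, root)] = lines
    return hits

def demo():
    """Run the scan over two constructed sample scripts (hypothetical names)."""
    samples = {
        # Constructed: reads the password from the environment on line 2.
        "plugin_a.cgi": b"#!/usr/bin/perl\nmy $pw = $ENV{'REMOTE_PASSWORD'};\nprint \"ok\";\n",
        # Constructed: uses only REMOTE_USER, so hiding the password does not affect it.
        "plugin_b.cgi": b"#!/usr/bin/perl\nmy $user = $ENV{'REMOTE_USER'};\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return find_remote_password_refs(root)

if __name__ == "__main__":
    # Pass the directory holding the CGI scripts; with no argument, run the demo.
    result = find_remote_password_refs(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, lines in sorted(result.items()):
        print(f"{path}: lines {', '.join(map(str, lines))}")
```

A script listed here reads the variable and should be tested with the setting enabled; a script that is not listed may still receive the password through some other route the scan does not look for.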
     