Hide login password from cgi scripts

Mysteerie

Well-Known Member
Dec 29, 2003
128
0
166

I am trying to find out more about this setting. It's under WHM > Tweak Settings > Security. (The description states the following: This setting allows you to hide the REMOTE_PASSWORD environment variable from scripts executed through cpsrvd's cgi handler.)

So my question is, what scripts use cpsrvd's cgi handler? What would be the ramification of hiding the REMOTE_PASSWORD environment variable of those scripts?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello :)

Beyond the standard CGI scripts that run under WHM, this option can also apply to third-party plugins. The idea behind this option is to make it less convenient to obtain the root password if the root user has been taken over by an attacker and/or a bit less likely that the password will be inadvertently disclosed by a poorly written CGI script.

Thank you.
 

Mysteerie

Thank you Michael for responding.

So basically security through obscurity?

Also, why is it disabled by default?

Lastly, is it possible for 3rd party cgi scripts to stop working when enabled?
 

cPanelMichael

It's disabled by default because some scripts executed through cpsrvd's CGI handler may still need the REMOTE_PASSWORD value. It's possible a third-party application could also need the REMOTE_PASSWORD value.

Thank you.
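
The two points raised in this thread, as an added example that is not part of the original posts and not cPanel code: a debug-style CGI environment dump that discloses REMOTE_PASSWORD beside a redacting version, and a scan that lists scripts referencing REMOTE_PASSWORD so they can be tested before the setting is enabled. The function names, the redaction pattern, the sample environment and the sample plugin files are all constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: variable names matching this pattern are treated as sensitive.
SENSITIVE = re.compile(r"PASS|SECRET|TOKEN", re.I)

def leaky_env_dump(environ):
    """The 'poorly written CGI script' pattern: echo every variable back."""
    return "\n".join(f"{k}={v}" for k, v in sorted(environ.items()))

def redacted_env_dump(environ):
    """Same debug output, but sensitive values are never written out."""
    return "\n".join(
        f"{k}=[redacted]" if SENSITIVE.search(k) else f"{k}={v}"
        for k, v in sorted(environ.items())
    )

def find_password_consumers(root):
    """Return (path, line_no) for each script line that references
    REMOTE_PASSWORD; these scripts may break once the variable is hidden."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        if "REMOTE_PASSWORD" in line:
                            hits.append((path, no))
            except OSError:
                continue  # unreadable file: skip it
    return hits

def demo():
    # Constructed environment and plugin directory, not taken from a real server.
    env = {"REMOTE_USER": "root", "REMOTE_PASSWORD": "constructed-secret",
           "REQUEST_METHOD": "GET"}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "plugin.cgi"), "w") as fh:
            fh.write("#!/usr/bin/perl\nmy $u = $ENV{REMOTE_USER};\n"
                     "my $p = $ENV{REMOTE_PASSWORD};\n")
        with open(os.path.join(d, "status.cgi"), "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        hits = [(os.path.basename(p), n) for p, n in find_password_consumers(d)]
    return leaky_env_dump(env), redacted_env_dump(env), hits

if __name__ == "__main__":
    print(demo())
```

The scan only finds literal references; a script that dumps its whole environment will not be listed, which is the case the redacting dump covers.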