The Community Forums


Huge cPanel Bug, Passwords...

Discussion in 'Security' started by DjiXas, Dec 15, 2009.

  1. DjiXas

    DjiXas Well-Known Member

    1. Entered cPanel
    2. Changed root password to:

    Ggu,2M,8)Uh~GZ1C!m1G6*V,kK/BB/X&hzn.Ic=l99935;.luy

    3. Can't access root anymore... Says password is incorrect, same with shell. Why add change root pass link to whm when it does not work?

    Same with accounts transfer, when using hard passwords, copy multiple accounts from server will give a password error, although password is correct.
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    I'm not able to reproduce the first scenario in 11.25.0-CURRENT_42048

    Changing root's password via WHM (port 2087) encountered no issues. I was able to log out, log in and perform normal work with the supplied password.

    The situation is different for account transfers. Passwords are piped to a shell process and I think the data is not properly quoted or escaped (indeed some characters cannot ever be quoted or escaped from shell processing). This means the shell will take meta characters, such as &!, and process them.
     
  3. Luke Carrier

    Luke Carrier Active Member

    Kenneth; doesn't that pave the way to enormous exploits then? If this same issue is present in the cPanel interface and the shell were to parse the ';' character, that would be more than a little concerning, would it not?

    I would seriously like to know just how seriously (or maybe not as the case might be) you guys take security...we've noticed multiple security flaws which could easily have been spotted and fixed if the code was audited before being pushed out the door. I know a lot of other companies have experience of these issues too.

    It also worries me that the fixes can often take ages to be backported from EDGE down to STABLE - not a single one of the release trees is stable, secure and up to date. Then there's the use of outdated, buggy software through EasyApache and the numerous performance enhancements you force us to miss out on by relying on old versions of MySQL, PostgreSQL, PHP and the like. Frustrating.
     
  4. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Wouldn't it be just transferring a hash and not the actual password?
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Actually part of my statement was incorrect. While the password is passed to a shell process, passing it by means of a pipe does not subject the data to processing by the shell.

    My apologies for the mis-information.
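
The distinction discussed in the staff replies above, as an added example that is not part of the original thread and is not cPanel's code: a value written to a shell process's stdin is never parsed by the shell, while the same value pasted into the command text is. The password, the function names and the `cat`/`printf` commands are constructed for illustration.

```python
import shlex
import subprocess

# Constructed sample password containing shell metacharacters ($ ; # &).
PASSWORD = "Tr1cky$1;#pw&more"


def via_pipe(password):
    """Write the password to the stdin of a shell process.

    The shell only parses its command text ("cat"); bytes arriving on the
    pipe are data and reach the child unchanged.
    """
    proc = subprocess.run(["sh", "-c", "cat"], input=password,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def via_command_string(password):
    """Unsafe pattern: paste the password into the command text itself.

    Here the shell expands $1 to nothing, ends the command at ';' and
    treats '#pw&more' as a comment.
    """
    proc = subprocess.run("printf %s " + password, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def via_quoted_command_string(password):
    """Same command text, but with the value quoted by shlex.quote()."""
    proc = subprocess.run("printf %s " + shlex.quote(password), shell=True,
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    for fn in (via_pipe, via_command_string, via_quoted_command_string):
        print(f"{fn.__name__:28} -> {fn(PASSWORD)!r}")
```

Only the unquoted command-string variant loses part of the password; a password mismatch that appears only with "hard" passwords is the symptom to look for when a value takes that path.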
     