Is this a security issue?

[BianchiDude]

When copying multiple accounts from another server is display the root password on the from server in the browser in plain text for as long as the copy runs for and also stores it in plain text in
/usr/local/cpanel/logs/access_log
I set a cronjob to delete that file every minute.

Beware if you had any clients that upgraded to a dedicated server and you used the copy multiple accounts function to copy their accounts over.

 

[chirpy]

Then log it in bugzilla to bring it to cPanels attention.

 

[BianchiDude]

My question is would that be considered a security issue?

 

[randomuser]

I guess that depends on who you want to know the root password for your server. I doubt everyone wants their dedicated server customers knowing the root password of one of their servers. And what if the dedicated server is compromised? Now other people could get the root password. So, yes, it is a design error that cPanel needs to address. Log a bug report please, and hopefully cPanel will fix this sooner than later.

 

[chirpy]

Well, checking the log, it's set for only root rw, so you'd need to be logged into the root account to read it anyway, so the risks are minimal. However, as randomuser said, it's a design flaw that should be addressed.