The Community Forums


Is this a security issue?

Discussion in 'Security' started by BianchiDude, Jul 17, 2006.

  1. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    When copying multiple accounts from another server, it displays the root password of the source server in the browser in plain text for as long as the copy runs, and also stores it in plain text in
    /usr/local/cpanel/logs/access_log
    I set a cronjob to delete that file every minute.

    Beware if you had any clients that upgraded to a dedicated server and you used the copy multiple accounts function to copy their accounts over.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Then log it in bugzilla to bring it to cPanel's attention.
     
  3. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    My question is would that be considered a security issue?
     
  4. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    16
    I guess that depends on who you want to know the root password for your server. I doubt everyone wants their dedicated server customers knowing the root password of one of their servers. And what if the dedicated server is compromised? Now other people could get the root password. So, yes, it is a design error that cPanel needs to address. Log a bug report please, and hopefully cPanel will fix this sooner than later.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, checking the log, it's set for only root rw, so you'd need to be logged into the root account to read it anyway, so the risks are minimal. However, as randomuser said, it's a design flaw that should be addressed.
     
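As an added example (not code from the thread or from cPanel), a small Python script covering the defender's side of the two mitigations discussed above: it checks whether a log's mode grants anything to group or others, as chirpy did by hand, and redacts password-like query parameters from request lines before a log is retained, which is a gentler alternative to deleting the whole file from cron every minute. The log format and the parameter names are assumptions, since the thread does not show the actual lines.

```python
import re
import stat
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values are treated as secrets. Assumption: the thread
# does not name the parameter carrying the root password, so these are guesses.
SECRET_PARAMS = {"password", "passwd", "pass", "rootpass"}

# Request part of a common-log-format line: "METHOD URL HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')

# Constructed sample lines in common log format (not real cPanel output).
SAMPLE_LOG = [
    '10.0.0.5 - root [17/Jul/2006:10:00:00 +0000] "GET /scripts/copymultiple'
    '?host=src.example&user=root&password=S3cr3t HTTP/1.1" 200 512',
    '10.0.0.5 - root [17/Jul/2006:10:00:01 +0000] "GET /scripts/listaccts HTTP/1.1" 200 2048',
]

def redact_url(url):
    """Blank the values of secret query parameters; return (url, changed)."""
    parts = urlsplit(url)
    cleaned, changed = [], False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS and value:
            value, changed = "REDACTED", True
        cleaned.append((key, value))
    if not changed:
        return url, False
    return urlunsplit(parts._replace(query=urlencode(cleaned))), True

def redact_line(line):
    """Redact secrets in the request URL of one log line; return (line, found)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    url, changed = redact_url(m.group("url"))
    return line[:m.start("url")] + url + line[m.end("url"):], changed

def scan(lines):
    """Return (redacted lines, count of lines that carried a secret)."""
    results = [redact_line(line) for line in lines]
    return [text for text, _ in results], sum(found for _, found in results)

def mode_is_private(mode):
    """True when no read/write/execute bit is set for group or others.
    Pass os.stat(path).st_mode to check a real file such as the access_log."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))
```

Running `scan(SAMPLE_LOG)` redacts only the first constructed line and leaves the second untouched; `mode_is_private(0o600)` is the condition chirpy describes as "only root rw".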