BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
When copying multiple accounts from another server, it displays the root password of the "from" server in the browser in plain text for as long as the copy runs, and also stores it in plain text in
/usr/local/cpanel/logs/access_log
I set a cronjob to delete that file every minute.

Beware if you had any clients that upgraded to a dedicated server and you used the copy multiple accounts function to copy their accounts over.
 

randomuser

Well-Known Member
Jun 25, 2005
I guess that depends on who you want to know the root password for your server. I doubt everyone wants their dedicated server customers knowing the root password of one of their servers. And what if the dedicated server is compromised? Now other people could get the root password. So, yes, it is a design error that cPanel needs to address. Log a bug report please, and hopefully cPanel will fix this sooner rather than later.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Well, checking the log, it's set for only root rw, so you'd need to be logged into the root account to read it anyway, so the risks are minimal. However, as randomuser said, it's a design flaw that should be addressed.
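
Added example, not part of any post in this thread and not cPanel code: one way to find access-log lines that carry a credential in the request URL and mask the value while keeping the rest of the log. It assumes a common/combined log format; the parameter-name pattern, the request path and the sample lines are constructed, since the thread does not show the actual log entry.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed parameter names; the thread does not say which field carries the password.
SENSITIVE = re.compile(r"pass|pwd|secret|token", re.I)
# Request part of a common/combined log format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (redacted_line, [names of parameters that were masked])."""
    m = REQUEST.search(line)
    if not m:
        return line, []          # not a request line we understand; leave untouched
    parts = urlsplit(m.group("target"))
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE.search(name) and value:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return line, []          # nothing sensitive; keep the original bytes
    target = parts._replace(query=urlencode(pairs)).geturl()
    start, end = m.span("target")
    return line[:start] + target + line[end:], hits

def scan(lines):
    """Redact every line; return (clean_lines, findings as (lineno, names))."""
    clean, findings = [], []
    for n, line in enumerate(lines, 1):
        new, hits = redact_line(line)
        clean.append(new)
        if hits:
            findings.append((n, hits))
    return clean, findings

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - root [02/Jul/2005:10:00:01 -0500] "GET /scripts/example?host=198.51.100.7&user=root&pass=S3cr%21t HTTP/1.1" 200 512',
    '192.0.2.10 - root [02/Jul/2005:10:00:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    clean, findings = scan(SAMPLE)
    print("\n".join(clean))
    print("lines with credentials:", findings)
```

Any password found this way has already been written to disk and shown in a browser, so it should be changed as well as masked.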