The Community Forums


Password Recovery - Email Hint

Discussion in 'Security' started by ottdev, Aug 25, 2016.

  1. ottdev

    ottdev Well-Known Member

    Joined:
    Oct 1, 2013
    Messages:
    63
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Maybe this is related to the OP's issue - this just came up...
    Version 56.0/33

    User tells us he tried his old username and a few different passwords, didn't work. "Then I tried to do a password reset but it tells me that the feature is disabled". So I go to his site /cpanel and click the Reset link just moments after he said it was disabled - this button click at least works for me and progresses to asking for the email address. But what it gives in the hint is NOT client's email, nor our email, nor any that I recognize (see pic).

    I log into my WHM and check the "list accounts" screen to see that his usual email address which I expected is indeed listed there (PHEW) (and only that one address is there). I simply click the Change button there beside his Contact Email. I go back to his /cpanel login page and hit Reset again and now it shows the hint which would correctly represent his email address. He receives the reset message, but he tries the pin and it won't work (I gather from the docs this is by design security-wise because it's not the same computer since I dispatched it). Fair enough, I ask him to try the Reset again - it works, he gets into his account.

    WHERE DID THIS ROGUE EMAIL ADDRESS come from ?
    Is it a "dummy" as part of a security block when there's been too many attempts?

    I immediately checked all cpanel user config files - all have correct CONTACTEMAIL values, and none of them resembles that strange address.
    (unfortunately, I didn't check his before clicking Change in WHM)

    I tried reset on another account, it shows the correct email hint for that account. I will try a few more and also try to reproduce by purposefully using a bad login.
     

    Attached Files:

  2. ottdev

    ottdev Well-Known Member

    Joined:
    Oct 1, 2013
    Messages:
    63
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    After a few bad logins, I hit Reset and enter a known username (the one I tested previously which showed me the correct hint), now it is giving me another odd email address Hint: p—0@m—.com
    I gather (I HOPE) this must be random to throw crackers off the scent?
    The contactemail value is again correct in user config file and in WHM.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello @ottdev,

    I've moved this post to its own thread.

    The hint for the email address will display a random/nonexistent email address if no contact email address is configured for the account. This is to prevent user enumeration, and will also happen if the account doesn't exist.

    Thank you.
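To make the behaviour cPanelMichael describes concrete, here is an added example (not cPanel's own code) modelling a reset page that masks a configured contact address and, for an unknown username or an account with no contact email, shows a decoy of identical shape. The hint format, the sample account store and the server secret are assumptions; the decoy is keyed to the username with an HMAC so that asking twice returns the same address, which goes one step beyond the thread.

```python
import hashlib
import hmac
import string

# Constructed sample data: username -> configured contact email
# (None models an account whose CONTACTEMAIL is empty).
ACCOUNTS = {
    "alice": "alice.smith@example.com",
    "bob": None,
}

# Hypothetical per-server secret; a real deployment loads it from protected storage.
SERVER_SECRET = b"constructed-secret-for-example-only"

MASK = "***"


def mask_email(email: str) -> str:
    """Assumed hint format: first and last char of the local part, first char of the
    domain label, plus the TLD, e.g. alice.smith@example.com -> 'a***h@e***.com'."""
    local, _, domain = email.rpartition("@")
    label, _, tld = domain.rpartition(".")
    return f"{local[0]}{MASK}{local[-1]}@{label[0]}{MASK}.{tld}"


def decoy_email(username: str) -> str:
    """Plausible fake address for unknown accounts or accounts with no contact email.
    Derived from HMAC(secret, username) so the same username always yields the same
    decoy; a fresh random value per request would let a caller tell real accounts
    from fake ones simply by submitting the same name twice."""
    digest = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    alphabet = string.ascii_lowercase + string.digits
    chars = [alphabet[b % len(alphabet)] for b in digest]
    local = "".join(chars[:8])
    label = "".join(chars[8:14])
    tld = ("com", "net", "org")[digest[14] % 3]
    return f"{local}@{label}.{tld}"


def reset_hint(username: str) -> str:
    """What the reset page shows. Every branch returns the same shape, so the hint
    alone does not reveal whether the username exists or has a contact email."""
    email = ACCOUNTS.get(username)
    if email is None:
        email = decoy_email(username)
    return mask_email(email)
```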
     
  4. ottdev

    ottdev Well-Known Member

    Joined:
    Oct 1, 2013
    Messages:
    63
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Is a random address also given after too many failed attempts?
    As I said, when reproducing the situation, I checked first and the correct email address was listed in the WHM and in the user's cpanel config file.

    We have found recent hacker activity so we need to know if the random addresses we saw and we reproduced were in fact temporary random ones to thwart persistent attempts... or whether a hacker has altered some file with his/her own email address, or a hacker or some other condition caused the email to be inaccessible to the Reset script?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    To confirm, do you mean an account username that's locked by cPHulk Brute Force Protection? If so, I tested this by locking out an account through cPHulk, and then testing the password reset functionality. The contact email address configured for the cPanel account was displayed in the hint (not the entire address, just the correct hint letters). Thus, you should not see the random address when the account is locked by cPHulk and a valid contact address is configured for the account.

    Thank you.
     
  6. ottdev

    ottdev Well-Known Member

    Joined:
    Oct 1, 2013
    Messages:
    63
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    No, cPHulk would not have kicked in yet. Does the password reset have its own built-in max bad attempts and then scramble the address?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    The password reset functionality does include flood protection and puzzle retry protection. This is tracked in the following directory:

    /var/cpanel/passreset/

    However, this should not scramble the hint for the contact email address.

    Thank you.
     