Password visible in cPanel FTP manager

[rikcpanel]

If I go to the cPanel FTP manager, then to "FTP accounts", I'll get a page which says at the end something like "You can download your raw access logs at the following URLs using the loginxxmara_logs and your account password:". My account has 4 links. If I hover one of these links, I see in the status bar of Internet Explorer (example): ftp://xxmara_logs:[email protected]/xxmara.nl, with XYZABC being my password in plain text. Should that really be the case? Does that also happen at other places? If so, why do you have to type in your old password when changing to a new one, the old one can be retrieved in said manner. This looks like a security bug.

Thanks,

Rik

 

[mizzizzippi]

Bump...

Anyone have any ideas on the security issue behind having the control panel SHOW the password of the account when they hover over one of the FTP logs to download it? Anyone with any info?

 

[jayh38]

I dont see a problem in it. That only shows the password of your current session. So whomever got into cpanel to begin with, already knows that information. You only see your own current information. If you log in as root, you will see your root pass. The cpanel client will see his own pass.

 

[fastdns]

You can easily disable this in the WHM tweak.

There is an option : Do not include password in the raw log download link in cPanel (via ftp).

just tick that and FTP manager will not include the password.

FastDNS

 

[jayh38]

You can easily disable this in the WHM tweak.

There is an option : Do not include password in the raw log download link in cPanel (via ftp).

just tick that and FTP manager will not include the password.

FastDNS

That is true, but he is referring to hovering over the download log link which you see the tooltip pop up with the password of the current user session.