
Password visible in cPanel FTP manager

Discussion in 'General Discussion' started by rikcpanel, Sep 19, 2006.

  1. rikcpanel

    rikcpanel Registered

    Joined:
    Sep 19, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    If I go to the cPanel FTP manager, then to "FTP accounts", I'll get a page which says at the end something like "You can download your raw access logs at the following URLs using the login xxmara_logs and your account password:". My account has 4 links. If I hover over one of these links, I see in the status bar of Internet Explorer (example): ftp://xxmara_logs:XYZABC@ftp.xxmara.nl/xxmara.nl, with XYZABC being my password in plain text. Should that really be the case? Does that also happen at other places? If so, why do you have to type in your old password when changing to a new one? The old one can be retrieved in said manner. This looks like a security bug.

    Thanks,

    Rik
     
  2. mizzizzippi

    mizzizzippi Guest

    Bump...

    Anyone have any ideas on the security issue behind having the control panel SHOW the password of the account when they hover over one of the FTP logs to download it? Anyone with any info?
     
  3. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    I don't see a problem in it. That only shows the password of your current session. So whoever got into cPanel to begin with already knows that information. You only see your own current information. If you log in as root, you will see your root pass. The cPanel client will see his own pass.
     
  4. fastdns

    fastdns Member

    Joined:
    Jul 17, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    You can easily disable this in the WHM tweak.

    There is an option: Do not include password in the raw log download link in cPanel (via ftp).

    Just tick that and FTP manager will not include the password.

    FastDNS
     
  5. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    That is true, but he is referring to hovering over the download log link, where you see the tooltip pop up with the password of the current user session.
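
An added example, not part of the original thread and not cPanel code: a check an administrator could run over saved panel HTML to flag links that carry a password in the URL, as in the `ftp://user:password@host/path` link described in the first post. The sample page is constructed from that post's placeholder URL, and the names `find_credential_links` and `redact` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page; the first URL is the placeholder quoted in the thread.
SAMPLE_PAGE = """
<a href="ftp://xxmara_logs:XYZABC@ftp.xxmara.nl/xxmara.nl">xxmara.nl</a>
<a href="ftp://xxmara_logs@ftp.xxmara.nl/xxmara.nl">xxmara.nl (no password)</a>
<a href="/frontend/index.html">Home</a>
"""

class LinkCollector(HTMLParser):
    """Collects every href/src/action attribute value in a document."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value.strip())

def redact(url):
    """Return url with any password in its userinfo replaced by '***'."""
    parts = urlsplit(url)
    if not parts.password:
        return url
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def find_credential_links(html):
    """Return (scheme, username, redacted_url) for each link embedding a password."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        try:
            parts = urlsplit(url)
            if parts.password:
                findings.append((parts.scheme, parts.username, redact(url)))
        except ValueError:  # malformed netloc or port: not a usable link
            continue
    return findings

if __name__ == "__main__":
    print(find_credential_links(SAMPLE_PAGE))
```

The findings hold only the redacted form, so the report itself does not become another copy of the password.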
     