Password visible in cPanel FTP manager

rikcpanel

Registered
Sep 19, 2006
If I go to the cPanel FTP manager, then to "FTP accounts", I'll get a page which says at the end something like "You can download your raw access logs at the following URLs using the login xxmara_logs and your account password:". My account has 4 links. If I hover over one of these links, I see in the status bar of Internet Explorer (example): ftp://xxmara_logs:[email protected]/xxmara.nl, with XYZABC being my password in plain text. Should that really be the case? Does that also happen at other places? If so, why do you have to type in your old password when changing to a new one? The old one can be retrieved in said manner. This looks like a security bug.

Thanks,

Rik
 
mizzizzippi

Guest
Bump...

Anyone have any ideas on the security issue behind having the control panel SHOW the password of the account when they hover over one of the FTP logs to download it? Anyone with any info?
 

jayh38

Well-Known Member
Mar 3, 2006
I don't see a problem in it. That only shows the password of your current session. So whoever got into cPanel to begin with already knows that information. You only see your own current information. If you log in as root, you will see your root pass. The cPanel client will see his own pass.
 

fastdns

Member
Jul 17, 2003
India
You can easily disable this in the WHM tweak.

There is an option: Do not include password in the raw log download link in cPanel (via ftp).

Just tick that and FTP manager will not include the password.

FastDNS
 

jayh38

Well-Known Member
Mar 3, 2006
fastdns said:
You can easily disable this in the WHM tweak.

There is an option: Do not include password in the raw log download link in cPanel (via ftp).

Just tick that and FTP manager will not include the password.

FastDNS
That is true, but he is referring to hovering over the download log link, where you see the tooltip pop up with the password of the current user session.
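
Added example, not part of the thread and not cPanel's own code: a check that an admin could run over saved control-panel HTML to find links that carry a password in the URL's `user:password@host` part, as the raw-log FTP links discussed above do. The sample markup, the `example.test` hostnames and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample markup (not real cPanel output); hosts are placeholders.
SAMPLE_HTML = """
<a href="ftp://xxmara_logs:XYZABC@ftp.example.test/xxmara.nl">xxmara.nl</a>
<a href="ftp://xxmara_logs@ftp.example.test/xxmara.nl">no password</a>
<a href="https://panel.example.test/frontend/index.html">Home</a>
<a href="mailto:rik@example.test">Contact</a>
"""


class _LinkCollector(HTMLParser):
    """Collects every href/src attribute value seen in the document."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def redact(url):
    """Return the URL with the password part of the userinfo masked."""
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]
    return parts._replace(netloc=f"{parts.username}:***@{host}").geturl()


def find_credential_links(html):
    """Return redacted URLs whose authority component carries user:password."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlsplit(url)
        # .password is only set when the netloc has the form user:pass@host
        if parts.netloc and parts.password:
            findings.append(redact(url))
    return findings


if __name__ == "__main__":
    for hit in find_credential_links(SAMPLE_HTML):
        print("password embedded in link:", hit)
```

Running it against a page saved before and after ticking the WHM option mentioned by fastdns shows whether the links still carry the password.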