The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Password vulnerability?

Discussion in 'General Discussion' started by kcdworks, Aug 6, 2003.

  1. kcdworks

    kcdworks Well-Known Member

    Joined:
    Jul 28, 2002
    Messages:
    186
    Likes Received:
    0
    Trophy Points:
    16
    I just got done sifting through this thread:

    http://www.webhostingtalk.com/showthread.php?s=&threadid=171601

    One of the people in it claims to be able to find passwords for CPanel servers. I tried PMing him for details, but met no response.

    Has anyone heard of a password vulnerability? Maybe Nick should get in touch with this guy and see if he will show him what he is exploiting to get the passwords?

    cPanel.net Support Ticket Number:
     
  2. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Weird. This ToastyX seems haughty, and rather a jerk if he says this is there, yet doesn't propose a solution (if it is AN actual exploit).

    The hosters there didn't answer in the affirmative if it was truly the password or not. You know..

    Brenden

    cPanel.net Support Ticket Number:
     
  3. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Re: Re: Password vulnerability?

    Could that be because they fell off their chair, and hit their head which resulted in a coma, when they saw toastyx actually posted their password? :)

    update: one of them posted in the affirmative...
     
    #3 jamesbond, Aug 6, 2003
    Last edited: Aug 6, 2003
  4. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Re: Re: Re: Password vulnerability?

    Ok let's see..

    Now why wasn't Nick told privately about this problem till now? Hmm?

    cPanel.net Support Ticket Number:
     
  5. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Re: Re: Re: Re: Password vulnerability?

    Yeah, very strange that this ToastyX guy doesn't contact Nick about this.
    Maybe he has though, we don't know that.

    cPanel.net Support Ticket Number:
     
  6. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Re: Re: Re: Re: Re: Password vulnerability?

    True.

    This guy hasn't said that either so we will see.

    cPanel.net Support Ticket Number:
     
  7. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    I'd like to see some official word on this. This is extremely serious.

    cPanel.net Support Ticket Number:
     
  8. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    Nick reply to a ticket for this problem:
    cPanel.net Support Ticket Number:
     
  9. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    Glad to see that.

    Apparently this person is able to do this, but I'm at a loss as to how myself. :(

    cPanel.net Support Ticket Number:
     
  10. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    Since both the users that toastyX did that to have live Cpanel demos on their site, that's a great place to start looking.

    I'd assume there is something in there that will let you grab /etc/passwd. From there, a quick run through JTR will get you weak passes in a few minutes.

    cPanel.net Support Ticket Number:
     
  11. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Nick replied to me about my demo suspicions, (that I emailed him) and he had replied that he locked down the demos in the latest edge release and that he thought the suspect was the weak security model of Frontpage...

    All FYI.

    His exact words:

    "We've locked down cPanel demos in the latest edge release. He is probably exploiting the horrid security model that frontpage uses. Webroot protection+phpsuexec will prevent you from getting another user's password via frontpage."

    Looks like I gotta go add PHPSuexec now.. I don't like frontpage being exploited like this.

    Brenden

    cPanel.net Support Ticket Number:
     
  12. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    So, the only fix for this is to do the following:

    1) Run an experimental untested chrooted apache that is still being worked on.

    2) Run PHP as a CGI.

    or

    3) Get rid of Front Page??

    Isn't there something else we could do here? I've got the webroot thing running on a test box, but I'm not ready to put that on a production machine yet. I'm also not really itching to install phpsuexec on existing, full, servers.

    Also, if this is a FP vuln, does it not affect other control panels as well? Has this been reported to the vendor?

    cPanel.net Support Ticket Number:
     
  13. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    If only I could I would :D

    I don't use demoaccounts on my servers.

    And still, if customers want to use FP, they should accept the fact that they are using an insecure product.

    cPanel.net Support Ticket Number:
     
  14. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    But if they are insecure, YOU are insecure.

    If it's that easy to get a user's password, then it's that easy to have full access to their Cpanel. If you have access to Cpanel, you can get root.

    Therefore, it's not THEIR problem, it's YOUR problem.

    cPanel.net Support Ticket Number:
     
  15. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    You need to have a demoaccount enabled + fp extensions installed.

    And still have to crack the password ofcourse. If the customers use a dictionary password then it won't take long to crack, if they use a difficult password it will take a long time before it's cracked.

    It's not true that access to CPanel means you can get root, now that would be a serious issue.

    cPanel.net Support Ticket Number:
     
  16. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    Where was it said that you needed a demo account AND front page extensions?

    Can you point that out, because I didn't see it?

    Okay, let's just put root aside for a sec...

    You really trying to tell me that if people's account passwords are available to any Tom Dick or Harry, that it doesn't affect the overall security of your machine?

    It's really just your customer's problem?

    cPanel.net Support Ticket Number:
     
  17. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA

    Hey Brenden .... did Nick say that what you quoted ther or is that from another post? I still haven't heard one way or the other on this either.

    cPanel.net Support Ticket Number:
     
  18. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Sigh..I am not trying to tell you anything...
    Ofcourse it affects the overall security indirectly.

    I am just saying that microsoft won't consider this a vulnerability. They will tell you that you shouldn't offer people access to your server through those demo accounts or insecure scripts in the first place.

    Now the demoaccount problem (just disable them) is easily solved, the insecure scripts problem can only be solved to a certain extent.

    And besides that if they can get to the fp password file, then the smarter ones might be able to get to /etc/passwd as well, which has nothing to do with fp.

    cPanel.net Support Ticket Number:
     
  19. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    Wed Aug 6 18:52:56 EDT 2003
    7.x Build#13
    ---------------------------------------------------------------

    make demo mode more secure
    ---------------------------------------------------------------

    Wed Aug 6 19:01:11 EDT 2003
    7.x Build#14
    ---------------------------------------------------------------

    lock down demo mode some more
    ---------------------------------------------------------------


    --

    Yes there was a possible way to obtain a users password through a demo account, however you did have to have frontpage extensions installed on the demo account.

    The above changes have locked down the demo account extensively, as you'll see if you're running 7.4-14E or later

    cPanel.net Support Ticket Number:

    cPanel.net Support Ticket Number:
     
  20. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    LOL @ indirectly.

    Anyways...where's it say this about demo accounts AND front page??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    in fact, what I got from that quote was that it was NOT the demo account at all, but Front Page alone.

    Still waiting to hear on that one...

    cPanel.net Support Ticket Number:
     
Loading...

Share This Page