
passwords transmitted in cleartext to passwordstrength.cgi

Discussion in 'Security' started by soundstripe, Feb 21, 2013.

  1. soundstripe

    soundstripe Registered

    cPanel Access Level:
    Website Owner
    Was just forced to change my password on a cPanel-managed site.

    Just a security note: if there were a man in the middle or possible HTTP access log, it is possible that EVERY attempt at a password would be logged. This would give an attacker not only the final password, but also every possible password that you tried until you found one that worked. A goldmine of information.

    Be sure you are on a secure network if you are changing a password with cPanel. I tried to bypass this by pasting in a password, but the JavaScript in place will not let me change the password without a good password strength and I didn't feel like hacking past that.

    EDIT: I jumped the gun. See below.
     
    #1 soundstripe, Feb 21, 2013
    Last edited: Feb 21, 2013
  2. quietFinn

    quietFinn Well-Known Member

    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    If cPanel is forced to use an https connection then that should be safe.
     
  3. soundstripe

    Ahh. https. Didn't realize that and got freaked out. You are correct. Still seems like the password strength code could go into JavaScript and not require network traffic at all.
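
The client-side approach suggested in the post above, as an added example that is not part of the original thread and not cPanel's code: a strength score computed entirely in the browser, so no candidate password is sent anywhere until the form is submitted. The scoring rules, the 0-100 scale, the sample common-password list and the element ids are all assumptions made for illustration.

```javascript
// Added example: score a candidate password locally, with no network request.
// The rules and the 0-100 scale are assumptions, not cPanel's algorithm.
const COMMON = new Set(["password", "123456", "qwerty", "letmein", "welcome"]); // constructed sample list

// Size of the alphabet the password appears to draw from.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^A-Za-z0-9]/.test(pw)) size += 33; // printable ASCII symbols incl. space
  return size;
}

// Characters that repeat the previous one (aaa) or step by one (abc, 321).
function predictableChars(pw) {
  let n = 0;
  for (let i = 1; i < pw.length; i++) {
    const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    if (Math.abs(d) <= 1) n++;
  }
  return n;
}

function scorePassword(pw) {
  if (pw.length === 0 || COMMON.has(pw.toLowerCase())) return 0;
  const effectiveLen = pw.length - predictableChars(pw);
  const bits = effectiveLen * Math.log2(charsetSize(pw));
  return Math.min(100, Math.round((bits / 80) * 100)); // 80+ bits maps to 100
}

function meetsPolicy(pw, minScore) {
  return scorePassword(pw) >= minScore;
}

// Browser wiring (element ids are hypothetical); skipped outside a browser.
if (typeof document !== "undefined") {
  const input = document.getElementById("new-password");
  const meter = document.getElementById("strength-meter");
  if (input && meter) {
    input.addEventListener("input", () => {
      meter.textContent = scorePassword(input.value) + "/100";
    });
  }
}
```

A local meter only gives feedback while typing; the server still has to enforce the same minimum on the submitted password, because script running in the browser can be bypassed.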
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Not sure I understand this. You mean that you changed your cPanel password, correct? Or, you changed your password on a site that's managed with cPanel? Sounds like the former to me, just wanted to clarify.
     