Security bug in password reset tool?

mtbwacko

Well-Known Member
Nov 30, 2004
61
10
158
One of my hosting clients received the below reset password email from our server. The only problem is he did not reset his password. The IP of the one who did was in Viet Nam. This is not good! WHM Version 11.26.8. Anyone else experiencing this? Anyone know how to remedy it?

====== BEGIN EMAIL ========

From: "cPanel Password Reset" <[email protected]>
To: redacted
Sent: Thursday, September 30, 2010 10:52:11 AM
Subject: Account Password Reset

Your Confirmation Code is: z1wlBsVha9T8CIDC

Please enter it in your browser or use one of the following urls to
reset your password:

SSL Reset Link:
https://redactedURL

NON-SSL Reset Link:
http://redactedURL

Password reset was requested from : 115.75.76.131
© cPanel, Inc. 2009

====== END EMAIL ========
 

JaredR.

Well-Known Member
Feb 25, 2010
1,834
27
143
Houston, TX
cPanel Access Level
Root Administrator
Password was not reset

The message you provided does not indicate that the password was actually reset. It only says that a password reset was requested. This option is controlled by Allow cPanel users to reset their password via email in Main >> Server Configuration >> Tweak Settings.

Again, the e-mail does not say that the password was reset. It only indicates that the option I mentioned above is enabled, and someone did request a password reset. When someone uses this option, an e-mail is sent to the contact e-mail address that is defined for the account, and that is the e-mail you provided in this thread. Unless the person who requests the password reset also has access to that mail account, he/she will not be able to reset the password.
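To show why a reset request alone is harmless, here is a small Python model of the flow Jared describes. It is an added example, not cPanel's code: anyone can call the unauthenticated request step, but all it does is mail a random confirmation code to the account's contact address, and the reset only completes with that code, within a time limit, once. The per-IP request limit is an assumed mitigation for the nuisance case (unsolicited reset mails), and the policy constants, account names and addresses are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for this example (not cPanel's settings)
TOKEN_TTL_SECONDS = 15 * 60      # a confirmation code is valid for 15 minutes
MAX_REQUESTS_PER_IP = 3          # reset requests accepted per source IP per window
RATE_WINDOW_SECONDS = 60 * 60


def _hash_code(code: str) -> str:
    # Store only a digest, so a leaked pending-request table cannot be replayed
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class PendingReset:
    account: str
    code_hash: str
    requested_from: str
    expires_at: float


class PasswordResetService:
    """Unauthenticated 'request' step plus a 'complete' step that needs the mailed code."""

    def __init__(self, contact_emails, now=time.time):
        self.contact_emails = dict(contact_emails)  # account -> contact address
        self.now = now                              # injectable clock (for tests)
        self.pending = {}                           # account -> PendingReset
        self.outbox = []                            # (to, body) messages "sent"
        self.request_log = []                       # (source_ip, timestamp)
        self.passwords = {}                         # account -> current password

    def _over_limit(self, source_ip):
        cutoff = self.now() - RATE_WINDOW_SECONDS
        self.request_log = [(ip, t) for ip, t in self.request_log if t > cutoff]
        return sum(1 for ip, _ in self.request_log if ip == source_ip) >= MAX_REQUESTS_PER_IP

    def request_reset(self, account, source_ip):
        """Anyone may call this; it only mails a code to the account's contact address."""
        if self._over_limit(source_ip):
            return False
        self.request_log.append((source_ip, self.now()))
        if account not in self.contact_emails:
            return True  # same answer as for a real account, so nothing is enumerated
        code = secrets.token_urlsafe(12)  # 16-character random confirmation code
        self.pending[account] = PendingReset(
            account, _hash_code(code), source_ip, self.now() + TOKEN_TTL_SECONDS
        )
        body = (f"Your Confirmation Code is: {code}\n"
                f"Password reset was requested from : {source_ip}\n")
        self.outbox.append((self.contact_emails[account], body))
        return True

    def complete_reset(self, account, code, new_password):
        """Succeeds only with the unexpired code from the mailbox; the code is single-use."""
        req = self.pending.get(account)
        if req is None:
            return False
        if self.now() > req.expires_at:
            del self.pending[account]
            return False
        if not hmac.compare_digest(req.code_hash, _hash_code(code)):
            return False
        del self.pending[account]  # consumed: a second use of the same code fails
        self.passwords[account] = new_password
        return True


def extract_code(mail_body):
    """Pull the confirmation code out of a mailed body (what the mailbox owner would do)."""
    m = re.search(r"Confirmation Code is: (\S+)", mail_body)
    return m.group(1) if m else None
```

The password itself never leaves the server; the mailbox holding the contact address is what actually authorises the change, which is why an unsolicited "reset requested" mail from a foreign IP is a signal to watch, not a compromise.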
 

mtbwacko

Well-Known Member
Nov 30, 2004
61
10
158
Jared, thanks for the reply. I did understand that the password would not be reset unless one of the links was clicked. However, my concern is that someone can use that tool remotely without being logged in to the account to begin with. This is a problem, especially if it becomes widely used by script kiddies, causing the owners of their accounts to get these emails on a regular basis. Many of them will click the link out of curiosity, thus resetting their password.

As for me, I am going to disable this on all of my servers for now, but I hope it's remedied.

Thanks again,
Greg
 

mtbwacko

Well-Known Member
Nov 30, 2004
61
10
158
Ok, after talking with Kenneth at cPanel I realize that this is the tool that is available before logging in to an account. I thought it was coming from the reset tool that was inside the cPanel control panel. I think I'll be disabling it and that will take care of that. Sorry for my confusion on its origins!

Greg
 

JaredR.

Well-Known Member
Feb 25, 2010
1,834
27
143
Houston, TX
cPanel Access Level
Root Administrator
Ok, after talking with Kenneth at cPanel I realize that this is the tool that is available before logging in to an account. I thought it was coming from the reset tool that was inside the cPanel control panel. I think I'll be disabling it and that will take care of that. Sorry for my confusion on its origins!
It's no problem at all, and I probably could have been more clear in my explanation of the origin of the request. I can certainly see how it would cause some real concern.
 

GaryT

Well-Known Member
May 19, 2010
320
3
68
It's quite common, this. No need to worry much: your client will get the reset email even if he did not request it, but they cannot do much, as they would need access to that email. Even then, no password is sent through the emails; it's more of a click-to-confirm type of thing.

I disabled this, as most would. People update their passwords with me via WHMCS rather than use the cPanel recovery.