The Community Forums


Security bug in password reset tool?

Discussion in 'Security' started by mtbwacko, Sep 30, 2010.

  1. mtbwacko

    mtbwacko Well-Known Member

    Joined:
    Nov 30, 2004
    One of my hosting clients received the below reset password email from our server. The only problem is he did not reset his password. The IP of the one who did was in Viet Nam. This is not good! WHM Version 11.26.8. Anyone else experiencing this? Anyone know how to remedy it?

    ====== BEGIN EMAIL ========

    From: "cPanel Password Reset" <cpanel@redacted>
    To: redacted
    Sent: Thursday, September 30, 2010 10:52:11 AM
    Subject: Account Password Reset

    Your Confirmation Code is: z1wlBsVha9T8CIDC

    Please enter it in your browser or use one of the following urls to
    reset your password:

    SSL Reset Link:
    https://redactedURL

    NON-SSL Reset Link:
    http://redactedURL

    Password reset was requested from : 115.75.76.131
    © cPanel, Inc. 2009

    ====== END EMAIL ========
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Password was not reset

    The message you provided does not indicate that the password was actually reset. It only says that a password reset was requested. This option is controlled by Allow cPanel users to reset their password via email in Main >> Server Configuration >> Tweak Settings.

    Again, the e-mail does not say that the password was reset. It only indicates that the option I mentioned above is enabled, and someone did request a password reset. When someone uses this option, an e-mail is sent to the contact e-mail address that is defined for the account, and that is the e-mail you provided in this thread. Unless the person who requests the password reset also has access to that mail account, he/she will not be able to reset the password.
     
  3. mtbwacko

    mtbwacko Well-Known Member

    Joined:
    Nov 30, 2004
    Jared, thanks for the reply. I did understand that the password would not be reset unless one of the links was clicked. However, my concern is that someone can use that tool remotely without being logged in to the account to begin with. This is a problem, especially if it becomes widely used by script kiddies, causing the owners of their accounts to get these emails on a regular basis. Many of them will click the link out of curiosity, thus resetting their password.

    As for me, I am going to disable this on all of my servers for now, but I hope it's remedied.

    Thanks again,
    Greg
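    The notification format quoted in the first post (confirmation code, reset links, requesting IP) can be parsed by an administrator to monitor how often unrequested resets are being sent to each client, which addresses the burst scenario raised above. This is an added example, not code from cPanel or from anyone in this thread; the mail bodies, addresses and IPs in it are constructed, and the burst threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field patterns matching the layout of the notification quoted in the thread.
CODE_RE = re.compile(r"Your Confirmation Code is:\s*(\S+)")
IP_RE = re.compile(r"Password reset was requested from\s*:\s*([0-9.]+)")
SENT_RE = re.compile(r"^Sent:\s*(.+)$", re.MULTILINE)
TO_RE = re.compile(r"^To:\s*(.+)$", re.MULTILINE)

def parse_reset_notice(text):
    """Return {to, sent, code, ip} for one notification, or None if fields are missing."""
    code, ip, sent, to = (r.search(text) for r in (CODE_RE, IP_RE, SENT_RE, TO_RE))
    if not (code and ip and sent and to):
        return None
    return {"to": to.group(1).strip(), "code": code.group(1), "ip": ip.group(1),
            "sent": datetime.strptime(sent.group(1).strip(), "%A, %B %d, %Y %I:%M:%S %p")}

def flag_reset_bursts(notices, max_per_window=2, window=timedelta(hours=1)):
    """Flag recipients who got more than max_per_window requests inside `window`
    (threshold is an assumption); value is the sorted set of requesting IPs."""
    by_to = defaultdict(list)
    for n in notices:
        by_to[n["to"]].append(n)
    flagged = {}
    for to, items in by_to.items():
        items.sort(key=lambda n: n["sent"])
        for i, first in enumerate(items):
            span = [n for n in items[i:] if n["sent"] - first["sent"] <= window]
            if len(span) > max_per_window:
                flagged[to] = sorted({n["ip"] for n in span})
                break
    return flagged

# Constructed sample mail bodies (not real traffic), in the thread's format.
TEMPLATE = ('From: "cPanel Password Reset" <cpanel@example.invalid>\nTo: {to}\n'
            "Sent: {sent}\nSubject: Account Password Reset\n\n"
            "Your Confirmation Code is: {code}\n\nPassword reset was requested from : {ip}\n")

def constructed_notices():
    """Three requests for one client within minutes, one isolated request for another."""
    rows = [("client@example.invalid", "Thursday, September 30, 2010 10:52:11 AM", "CODE0001", "203.0.113.7"),
            ("client@example.invalid", "Thursday, September 30, 2010 10:53:40 AM", "CODE0002", "203.0.113.7"),
            ("client@example.invalid", "Thursday, September 30, 2010 10:55:02 AM", "CODE0003", "198.51.100.9"),
            ("other@example.invalid", "Thursday, September 30, 2010 11:10:00 AM", "CODE0004", "192.0.2.44")]
    return [TEMPLATE.format(to=t, sent=s, code=c, ip=i) for t, s, c, i in rows]

if __name__ == "__main__":
    print(flag_reset_bursts([parse_reset_notice(t) for t in constructed_notices()]))
```

    In practice the notices would be read from the contact mailbox or the server's mail log rather than from the embedded samples.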
     
  4. mtbwacko

    mtbwacko Well-Known Member

    Joined:
    Nov 30, 2004
    Ok, after talking with Kenneth at cPanel I realize that this is the tool that is available before logging in to an account. I thought it was coming from the reset tool that was inside the cPanel control panel. I think I'll be disabling it and that will take care of that. Sorry for my confusion on its origins!

    Greg
     
  5. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    It's no problem at all, and I probably could have been more clear in my explanation of the origin of the request. I can certainly see how it would cause some real concern.
     
  6. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    It's quite common, this. No need to worry much. Your client will get the reset email even if he did not request it, but they cannot do much, as they would need access to that email. Even then, no password is sent through the emails; it's more of a click-to-confirm type of thing.

    I disabled this as most would. People update their passwords with me via WHMCS rather than use the cPanel recovery.
     