Security Issue - Email sent from Cpanel

Discussion in 'Security' started by BraveX, Apr 29, 2005.

  1. BraveX

    BraveX Well-Known Member

    When I set up a new account, CPanel sends me an email such as the one below. This email includes the password of the account that was set up. How can I have that password encrypted or removed from the email? I think this is a security risk since it is being sent via plain text over the Internet to me.

    Is there anything else I can also do to make CPanel more secure?

    Thanks in advance.

    --

    +===================================+
    | New Account Info |
    +===================================+
    | Domain: whateverdomain.com
    | Ip: xx.xxx.xxx.xxx.(y)
    | HasCgi: y
    | UserName: myname
    | PassWord: mypassword
    | CpanelMod: x
    | HomeRoot: /home
    | Quota: unlimited Meg
    | NameServer: ns.mydomain.com
    | Contact Email: myemail@mydomain.com
    +===================================+
    Account was setup by: root (root)
     
  2. nickn

    nickn Well-Known Member
    PartnerNOC

    You could modify the wwwacct script which is what sends the email. Simply open the file in vi and remove all lines with "PassWord" in them, I think it will show up three times. For instance:

    root@aviator [~/wwwacct]# more wwwacct.patch
    --- wwwacct.o 2005-04-29 18:40:36.000000000 -0700
    +++ wwwacct 2005-04-29 18:41:03.000000000 -0700
    @@ -730,7 +730,6 @@
    | Ip: \e[1m\e[34m$ip ($useip)\e[0m
    | HasCgi: \e[1m\e[34m$hascgi\e[0m
    | UserName: \e[1m\e[34m$user\e[0m
    -| PassWord: \e[1m\e[34m$pass\e[0m
    | CpanelMod: \e[1m\e[34m$cpmo\e[0m
    | HomeRoot: \e[1m\e[34m$mnt\e[0m
    | Quota: \e[1m\e[34m$sqto Meg\e[0m
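    Review bot: The `PassWord` line dropped at -730 sits in the block wrapped in `\e[1m\e[34m` colour escapes, which looks like terminal output rather than a mail body. If the goal is only to keep the password out of email, consider leaving this hunk out so the operator creating the account still sees the credential once, or state in the patch description that removing it from the console is deliberate.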
    @@ -750,7 +749,6 @@
    | Ip: $ip ($useip)
    | HasCgi: $hascgi
    | UserName: $user
    -| PassWord: $pass
    | CpanelMod: $cpmo
    | HomeRoot: $mnt
    | Quota: $sqto Meg
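    Review bot: Nothing in the hunk at -750 says which output this plain-text block feeds, and its visible context is identical to the hunk at -1468. Note in the patch description which destination each block writes to, and confirm with a test account creation that no remaining copy of `$pass` reaches mail.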
    @@ -1468,7 +1466,6 @@
    | Ip: $ip ($useip)
    | HasCgi: $hascgi
    | UserName: $user
    -| PassWord: $pass
    | CpanelMod: $cpmo
    | HomeRoot: $mnt
    | Quota: $sqto Meg
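    Review bot: Deleting `| PassWord: $pass` at -1468 leaves no marker in the template that the field was removed on purpose, and the diff is taken against a copy of the shipped script (`wwwacct.o` to `wwwacct`). If that script is later replaced, the line returns silently. Keep `wwwacct.patch` alongside the script and re-check for `$pass` in these blocks after each update.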
     
  3. TCS

    TCS Member

    What can you do if cpanel quits sending out these emails?
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Note that under the latest license agreements you are forbidden from modifying files from cPanel. So check the license before making any changes.
     
  5. cPanelBilly

    cPanelBilly Guest

    I assume you are referring to 4) (b) which states
    In there, there is an exception that states that you can do modifications to the software provided to you by cpanel. This is allowed under that exception.
     
  6. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Thanks Billy for the clarification, just didn't want people getting in trouble. ;)
     
  7. riffer

    riffer Member

    New account emails to root send passwords in clear text

    It took me almost an hour to dig through all the search terms I used until I tried "email password account remove" and discovered this - the only answer that worked.

    In an age where paranoia is a good thing in regard to security, this seems like a pretty silly thing to NOT have in the WHM settings!

    I know for a while, passwords were there and I would just create the accounts with a password that I would then change immediately after account creation, then there was a time when the passwords weren't being sent in the emails to root (and, I coulda sworn there was once a way to turn the emails off completely - but, not that I can find now).

    Anyway, only one line needs to be removed to prevent these from showing up in emails to root. It is the last of the three sections that contain this type of line.

    On WHM 10.8.0 cPanel 10.8.1-S114 RedHat 9 i686 - WHM X v3.1.0

    It begins with the code starting at line #1207 of the /scripts/wwwacct script.

    Just remove this line:
    | PassWord: $pass

    Be aware that future upgrades of WHM/cPanel will probably overwrite this change and put it back.

    Anyway - thanks!

    And here are some more key words to help others find this lonely post.

    Clear text disable delete change
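
Added example, not part of any post in this thread and not cPanel code: a shell check that can be re-run after an upgrade to see whether the script again expands `$pass` in a plain-text block. The function names and the sample file are constructed for illustration; on a server the path named in the thread, /scripts/wwwacct, would be passed instead.

```shell
#!/bin/sh
# Assumption: the field is written as "| PassWord: ...$pass..." as in the thread.

# Print "LINENO:kind" for every line that labels a PassWord field and expands
# $pass. kind is "console" when the line carries \e[ colour escapes (the
# terminal block in the patch) and "plain" otherwise.
find_password_lines() {
    awk '
        /PassWord:/ && /\$pass/ {
            kind = (index($0, "\\e[") > 0) ? "console" : "plain"
            print NR ":" kind
        }
    ' "$1"
}

# Status 0: no plain-text block exposes the password. 1: at least one does.
# 2: the file could not be read, so nothing was verified.
check_wwwacct() {
    [ -r "$1" ] || return 2
    hits=$(find_password_lines "$1" | grep -c ':plain$' || true)
    [ "$hits" -eq 0 ]
}

# Constructed sample that mimics the template blocks quoted in the thread.
make_sample() {
    cat > "$1" <<'EOF'
| UserName: \e[1m\e[34m$user\e[0m
| PassWord: \e[1m\e[34m$pass\e[0m
| UserName: $user
| CpanelMod: $cpmo
| UserName: $user
| PassWord: $pass
EOF
}

sample=$(mktemp)
make_sample "$sample"
find_password_lines "$sample"
check_wwwacct "$sample" || echo "password still present in a plain-text block"
rm -f "$sample"
```

A non-zero status from `check_wwwacct` after an update means the edit has been overwritten and has to be reapplied.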
     
  8. Beansprout

    Beansprout Active Member

    To be honest it's not hard to edit a plain text script and anyone running a cPanel server should know how cPanel works :) (well, the basics at least - check out the /scripts directory on your server :))
     
  9. riffer

    riffer Member

    Well, sure, it's easy - but silly to not be a security setting - this is definitely a cPanel thing, not a *nix thing and should at least be documented.

    Unfortunately, these types of things are sometimes why I've had to become familiar with the scripts dir - I just haven't reached the point where I had them all memorized.

    Sending passwords in email in clear text is just plain dumb.

    As is using FTP which does the same dang thing....

    Don't get me wrong, I love cPanel and I think it's a great application - I could never do what I am doing in the amount of time it takes me without it.
     
    #9 riffer, Apr 23, 2006
    Last edited: Apr 23, 2006
  10. jackie46

    jackie46 BANNED

    So that means I can't modify exim.conf and all those 3rdparty/cpanel files? That's a bit ridiculous. I think I can modify anything I want on my servers.
     
  11. Lyttek

    Lyttek Well-Known Member

    Re-Read the post ABOVE that one... it says you *can*.
     