user password command

Discussion in 'General Discussion' started by oinkmedia, Jan 18, 2004.

  1. oinkmedia

    oinkmedia Well-Known Member


    Is there a cPanel API command that I can include within my skin that will display the user's password (even if I'm logged in as the owner and not the user!?)

    I know that print $Cpanel::USERDATA{'pass'} returns the password if I'm logged in as the user but I'd like it to show no matter who they are logged in as.

    Any ideas?

    Thanks in advance!
    #1 oinkmedia, Jan 18, 2004
    Last edited: Jan 18, 2004
  2. tizoo

    tizoo Well-Known Member

    Don't think (hope) it is possible

    Hi!

    I hope that what you're asking for is not possible... Let me explain why:

    If it was possible, it would mean that WHM is storing account passwords somewhere in plain text. This means that there would be a file somewhere containing all account names with their passwords; something like:
    This is quite insecure: once an attacker has access to this file, he has access to all accounts!

    Usually, when we want to do password authentication, we don't store the password in plaintext, we use a "one way function", a function that is not easily invertible: given $pass, it is easy to compute f($pass), but given f($pass), it is nearly impossible to find $pass.

    A well known "one-way function" is the md5 algorithm. Let's try it in a Linux console:

    $ echo "myPassword" | md5sum

    Now, I've got the md5sum of "myPassword", which is "9be2e33ba4fa6d4feb3730482ab3c888"

    The power of md5 is that, given "myPassword", it is really easy to compute md5sum("myPassword") -> it is "9be2e33ba4fa6d4feb3730482ab3c888". However, it is quite unfeasible to find "myPassword" when you just know "9be2e33ba4fa6d4feb3730482ab3c888".

    On any reasonably secure system (read: even on unsecure systems), the password will not be stored as "myPassword", but as "9be2e33ba4fa6d4feb3730482ab3c888". When someone logs in using "wrongPass", it is quite easy to see that he is not authorized: the md5sum of "wrongPass" is "44e85a59d01be271bd026f2834e0330f" and it doesn't match what is stored in the password file.

    Now, back to your question: As we have seen, it isn't possible to know the password from the md5sum, so (hopefully) it is not possible to know an account password when logged in as the reseller or even as root.

    The only information that is (should be) available to cPanel is the password that is used to authenticate the currently logged-in user, which is the information that (I suppose) is returned by your function call.

    Note : I'm not a cPanel expert, so I might be wrong when stating that WHM doesn't store passwords as plaintext. I just hope so !

    Hope this helps,
    Best regards,
    Florian Blaser
    TiZoo Sàrl
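
The verification flow described in the reply above, as an added example that is not part of the original thread and not cPanel's code: the stored record holds only a salt and a digest, login recomputes the one-way function over the attempt, and nothing in the record lets an owner or root display the password. It goes beyond the post by putting salted PBKDF2-HMAC-SHA256 (the parameters and record format are assumptions of this example) beside the post's unsalted MD5, under which two users with the same password get identical digests.

```python
import hashlib
import hmac
import os

# Assumed parameters and record format for this example (not cPanel's own).
ITERATIONS = 200_000
SALT_LEN = 16


def make_record(password: str) -> str:
    """Build what a password file would store: algorithm, cost, salt, digest."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(attempt: str, record: str) -> bool:
    """Recompute the one-way function over the attempt; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """The post's scheme, for comparison only: equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample accounts; both users picked the same password.
    users = {"alice": "myPassword", "bob": "myPassword"}
    md5_file = {u: unsalted_md5(p) for u, p in users.items()}
    kdf_file = {u: make_record(p) for u, p in users.items()}
    print("md5 digests equal:   ", md5_file["alice"] == md5_file["bob"])
    print("salted records equal:", kdf_file["alice"] == kdf_file["bob"])
    print("correct login:", verify("myPassword", kdf_file["alice"]))
    print("wrong login:  ", verify("wrongPass", kdf_file["alice"]))
```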