The Community Forums


Vulnerability reported: Is this true?

Discussion in 'General Discussion' started by akhthar, Aug 15, 2005.

  1. akhthar

    akhthar Member

    Hi all,

    I read that there is a big vulnerability with cpanel version 10.4.0-EDGE 254. Let me explain this.

    A remote authenticated user may be able to gain access to other accounts on the system if their account password matches the reseller or root password.

    More details can be found in the following link

    http://securitytracker.com/alerts/2005/Aug/1014633.html

    I ensured that this exploit does not exist in cPanel 10.2 or 10.3 current or stable version. I would like to know if anyone experienced the same problem.
     
  2. cPanelBilly

    cPanelBilly Guest

    It is correct, in a way.
    If the user has the root password then they can get root access to the server. That is correct for all password authentication.
     
  3. akhthar

    akhthar Member

    Oh yeah. I knew this, but was confused when I saw the above post. Even I used to log in to the user's control panel with the root password. Sorry for posting!

    But I hope this post may clear some people's doubts regarding this.
     
  4. cPanelNick

    cPanelNick Administrator
    Staff Member

    This "exploit" basically amounts to: If you send your customers your root/reseller password they can access the root/reseller account.

    Then again if you send them your root/reseller password, they can ssh to your account.

    You might as well submit a security report that says: If you can guess the password to the account, you can log in to it.
     
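The thread's point is that password authentication grants access to whichever account the password belongs to, so an account whose password equals the root or reseller password is effectively a root or reseller account. The defender-side control that follows from that is to refuse to let a customer account be given a password that any privileged account already uses. The example below is added here and is not cPanel code or anything the posters wrote; it assumes a PBKDF2-SHA256 password store with a random salt per account (the same shape a shadow-style store has) and hypothetical hook names `reused_privileged_accounts` and `accept_new_password`. Because every record has its own salt, two accounts sharing a password still store different hashes, so reuse cannot be found by comparing hash strings; the candidate plaintext has to be verified against each privileged record at the moment the password is being set.

```python
import hashlib
import hmac
import os

# Iteration count for the constructed store; kept modest so the example runs quickly.
ITERATIONS = 50_000


def make_record(password: str, salt: bytes = b"") -> dict:
    """Build a salted PBKDF2-SHA256 record for one account (constructed store format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Check a plaintext candidate against one record using a constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


# Constructed sample store: root and one reseller share a password, which is exactly
# the situation the thread describes. Sample values, not real credentials.
PRIVILEGED = {
    "root": make_record("Sup3r-secret"),
    "reseller1": make_record("Sup3r-secret"),
    "reseller2": make_record("another-one"),
}


def reused_privileged_accounts(candidate_password: str, privileged: dict = PRIVILEGED) -> list:
    """Return the privileged accounts whose password equals the candidate.

    Hypothetical helper: each record is verified against the plaintext, because
    the per-account salts make the stored hashes differ even for an identical password.
    """
    return [name for name, rec in privileged.items() if verify(candidate_password, rec)]


def accept_new_password(username: str, candidate_password: str, privileged: dict = PRIVILEGED) -> bool:
    """Hypothetical password-change hook for a customer account.

    Rejects any password that would let the holder of `username` authenticate as
    root or as a reseller, which is the exposure discussed in the thread.
    """
    return not reused_privileged_accounts(candidate_password, privileged)


if __name__ == "__main__":
    # The two shared-password records still hash differently, so string comparison finds nothing.
    print("root hash == reseller1 hash:", PRIVILEGED["root"]["hash"] == PRIVILEGED["reseller1"]["hash"])
    # Verifying the plaintext against each record finds the reuse.
    print("reused by:", reused_privileged_accounts("Sup3r-secret"))
    print("accept 'Sup3r-secret' for customer bob:", accept_new_password("bob", "Sup3r-secret"))
    print("accept 'unique-pw' for customer bob:", accept_new_password("bob", "unique-pw"))
```

In a real deployment this check belongs in the path that sets or changes a customer's password, running against the current privileged records each time; it does not help after the fact, since a stored hash cannot be compared with another account's hash without the plaintext.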
