Webmail Security Issue?

Discussion in 'Security' started by NT, May 26, 2005.

  1. NT

    Hi All,

    I think I may have found a security issue regarding webmail login. If you type the first 9 characters of the password correctly, you can add more characters to the end of the password and it still logs you in.

    E.G.

    Say my password is abcdefghi, I can add jklmno... to the end of it, and it still logs me in.

    I'm using cPanel version 10.2.0-RELEASE 82.

    Be interesting to see if this happens to anyone else, or if it's already been reported.

    Thanks,
    Nick.
     
  2. chirpy

    That's not uncommon if the passwords are stored using the crypt() module which only reads the first 8 characters of a password.

    If you're concerned about it, log it in Bugzilla and email security@cpanel.net
     
  3. NT

    Hi, and thanks for the reply.

    I'm not particularly bothered about it; I was just a bit surprised that cPanel don't use anything a bit more secure.

    Thanks,
    Nick.
     
  4. richy

    I'm sure if somebody can come up with a better password system which will work on all the platforms and versions of Linux cPanel runs on (and is compatible with all the appropriate software that needs to read those passwords such as cppop system and imap), they'll be willing to listen... But 8/9 characters long is still quite a complex password.
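
The truncation discussed in this thread is a property of the traditional DES-based crypt() hash format, which can be recognised from the shape of the stored hash. The Python sketch below is an added example, not part of the thread and not cPanel code: it audits shadow-style entries and flags accounts whose hash scheme ignores password characters beyond a short limit. The sample lines, function names and the `min_significant` threshold are constructed for illustration.

```python
import re

# Constructed shadow-style sample (user:hash:...); the hashes are fake placeholders.
SAMPLE = """\
alice:ab0123456789A:12930:0:99999:7:::
bob:$1$saltsalt$0123456789abcdefghijkl:12930:0:99999:7:::
carol:$6$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:12930:0:99999:7:::
dave:!!:12930:0:99999:7:::
erin:_J9..salt0123456789A:12930:0:99999:7:::
frank:!ab0123456789A:12930:0:99999:7:::
"""

# (scheme, pattern for the hash field, significant password bytes; None = no practical limit)
SCHEMES = [
    ("des-crypt",    re.compile(r"^[./0-9A-Za-z]{13}$"), 8),   # traditional crypt(3): first 8 chars only
    ("bsdi-des",     re.compile(r"^_[./0-9A-Za-z]{19}$"), None),
    ("md5-crypt",    re.compile(r"^\$1\$"), None),
    ("bcrypt",       re.compile(r"^\$2[abxy]?\$"), 72),
    ("sha256-crypt", re.compile(r"^\$5\$"), None),
    ("sha512-crypt", re.compile(r"^\$6\$"), None),
]

def classify(field):
    """Return (scheme, significant_bytes) for one shadow password field."""
    h = field.lstrip("!")              # a leading '!' marks a locked password
    if h in ("", "*"):
        return ("no-password", None)
    for name, rx, limit in SCHEMES:
        if rx.search(h):
            return (name, limit)
    return ("unknown", None)

def audit(shadow_text, min_significant=9):
    """List (user, scheme, limit) for hashes that ignore input past a short limit."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":")[:2]
        scheme, limit = classify(field)
        if limit is not None and limit < min_significant:
            findings.append((user, scheme, limit))
    return findings

if __name__ == "__main__":
    for user, scheme, limit in audit(SAMPLE):
        print(f"{user}: {scheme} uses only the first {limit} characters; rehash on next login")
```

Flagged accounts can only be moved to a stronger scheme when the user next supplies the password, since the existing hash cannot be converted in place.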
     