Why is this done?

Discussion in 'General Discussion' started by volcano, Apr 12, 2004.

  1. volcano

    volcano Member

    Joined:
    Jul 8, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Sorry if this has been posted elsewhere before. Search returned nothing.

    I was just browsing through my CPanel control panel when I went into the "FTP Account Maintenance" section.

    To my shock, my clear text password is in the URL that links to the FTP download of the logfiles!

    ftp://myaccount_logs:password@ftp.myserver/myserver.com

    Will this be changed in the future?
     
  2. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    When using standard FTP, your password is transmitted in plain text. You need to know your password to log in to your cpanel, right? So what is the big deal?

    I agree that uname:pw combinations should not be sent via URL links under any circumstances and I understand your concern that your password is "on display" for anyone that might be walking by, but FTP is a security issue any way you slice it.
     
  3. jandafields

    jandafields Well-Known Member

    Joined:
    May 6, 2004
    Messages:
    426
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    But, according to cpanel, all our passwords are stored as a 1-way hash, so how does cpanel know our password? It must be stored as plain-text on the server!!! This is VERY BAD :mad:
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    n/m
     
  5. jandafields

    jandafields Well-Known Member

    With the password being embedded into the links, that causes the password to be saved in the Internet Explorer history. This is different than sniffing the password when you type it in...
     
  6. jandafields

    jandafields Well-Known Member

    That is only if you click on File -> Login As...

    CPanel is embedding it into the url, which is added to the history.
     
  7. jandafields

    jandafields Well-Known Member

    That's exactly what I have been talking about...
     
  8. SarcNBit

    SarcNBit Well-Known Member

    I thought IE was no longer supporting that method.
     
  9. jandafields

    jandafields Well-Known Member

    Actually, I read that earlier today somewhere (IE not allowing that syntax anymore). Another good reason to get rid of the password in the links (just let IE prompt you for it)...
     
  10. bouncer

    bouncer Member

    Joined:
    Nov 1, 2002
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    :) Just another reason why you should log in to cpanel using the secure connection
     
  11. rockstar

    rockstar Member

    Joined:
    Jan 24, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Planet Earth
    Why not use a free piece of software that is more reliable than Microshaft? FileZilla is free, works like a champ and is a hell of a lot more stable than the crap that MS puts out there.
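
An added example, not part of the original thread and not cPanel's code: a scanner that finds URLs carrying `user:password@` credentials, like the FTP link quoted in the first post, in page source or exported history lines and reports them with the password stripped. The sample input, the function names and the `example.test` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Any URL whose authority part carries "user:password@" userinfo.
CRED_URL = re.compile(
    r"\b[a-z][a-z0-9+.-]*://[^\s/:@\"'<>]+:[^\s/@\"'<>]+@[^\s\"'<>]+", re.I)

def redact(url):
    """Return (url_without_password, username) for a credential-bearing URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literal needs its brackets back
        host = f"[{host}]"
    try:
        if parts.port:
            host += f":{parts.port}"
    except ValueError:                    # malformed port: drop it, keep the finding
        pass
    netloc = f"{parts.username}@{host}"
    safe = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return safe, parts.username

def scan(text):
    """List every embedded-credential URL in text; the password is never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CRED_URL.finditer(line):
            safe, user = redact(match.group(0))
            findings.append({"line": lineno, "user": user, "url": safe})
    return findings

# Constructed sample: line 1 mirrors the link from the first post; lines 2 and 3
# are lookalikes that must not be flagged (a port, and a user with no password).
SAMPLE = '''<a href="ftp://myaccount_logs:password@ftp.myserver/myserver.com">Logs</a>
<a href="http://example.test:2082/frontend/index.html">Panel</a>
<a href="ftp://anonymous@ftp.example.test/pub/">Public files</a>
visited: FTP://Backup_User:s3cr3t%40x@files.example.test:2121/site.tar.gz'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"line {finding['line']}: {finding['user']} -> {finding['url']}")
```
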
     