
There are security flaws in cPanel


  • There are security flaws in cPanel

    If you click on Show File in cPanel and the file contains either $user or $password, it will display your user name and password in place of the two variables. Apparently, the file is getting parsed for any variable names that correspond to those in the scope of the script, which are then replaced with the variables' values, prior to being sent to the user.

    This is a minor issue, as you are not getting any information you do not already know, but if there are any variables in the Show File script that contain sensitive information, such as information that could be used for privilege elevation, it would be exposed to everyone on a given server.

    In addition, this demonstrates that cPanel stores user passwords in plain text instead of MD5/SHA1 hashing them, which is a security issue in itself: if someone were to hack into a server, he would be able to steal the passwords for every cPanel account on the server, which most likely correspond to passwords for accounts on other servers.

    I discovered this today, as I happened to open one of my scripts in file manager and I noticed my username and password in the script, even though they are not in the script.
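    The behaviour described above, as an added illustration that is not cPanel's code: a "show file" viewer that template-expands the stored content in its own variable scope leaks whatever those variables hold, while a viewer that returns the content unchanged does not. The scope names, values and file text are constructed for the example; the detection helper lists which in-scope names a given file would expose.

```python
import re
from string import Template

# Constructed stand-in for the variables that live in the viewer script's scope.
SCRIPT_SCOPE = {"user": "alice", "password": "hunter2", "homedir": "/home/alice"}

# Constructed file content; the dollar tokens are only text the user typed.
USER_FILE = "password: $user\nusername: $password\nconfig: $homedir\n"

def vulnerable_show_file(content: str, scope: dict) -> str:
    """Expands $name tokens using the script's own scope before display,
    so any in-scope secret is written into the output."""
    return Template(content).safe_substitute(scope)

def safe_show_file(content: str) -> str:
    """Treats the stored content as opaque data: no interpolation step at all."""
    return content

def leaked_names(content: str, scope: dict) -> list:
    """Detection check: in-scope names that the vulnerable path would expose
    for this file (simple $name tokens, as in the report)."""
    tokens = set(re.findall(r"\$([A-Za-z_][A-Za-z0-9_]*)", content))
    return sorted(tokens & set(scope))

if __name__ == "__main__":
    print(vulnerable_show_file(USER_FILE, SCRIPT_SCOPE))
    print(safe_show_file(USER_FILE))
    print(leaked_names(USER_FILE, SCRIPT_SCOPE))
```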

  • #2
    What version are you using?

    Mine says
    cPanel Version 11.11.0-STABLE 17997
    I created a dummy file using the variable names you said and it didn't show up.


    • #3
      Mine says "11.11.0-STABLE"

      Try using a file with the following text:

      password: $user
      username: $password


      • #4
        Edit: Never mind. I see. It's in view file.
        Hmm I would think cPanel would use MD5 or SHA..


        • #5
          11.15.0-EDGE 17858
          doesn't show anything either.
          "I tried to clean this up but this thread is beyond redemption." - Steve Machol


          • #6
            They might have fixed the data exposure flaw in their newer releases, but I wonder if they have hashed the passwords in their newer releases.

