There are security flaws in cPanel


  • Shining Arcanine
    replied
    They might have fixed the data exposure flaw in their newer releases, but I wonder if they have hashed the passwords in their newer releases.



  • steven s
    replied
    11.15.0-EDGE 17858
    doesn't show anything either.



  • SNN
    replied
    Edit: Never mind. I see. It's in view file.
    Hmm I would think cPanel would use MD5 or SHA..



  • Shining Arcanine
    replied
    Mine says "11.11.0-STABLE"

    Try using a file with the following text:

    password: $user
    username: $password



  • Chousho
    replied
    What version are you using?

    Mine says
    cPanel Version 11.11.0-STABLE 17997
    I created a dummy file using the variable names you said and it didn't show up.



  • Shining Arcanine
    started a topic There are security flaws in cPanel

    If you click on Show File in cPanel and the file contains either $user or $password, it will display your user name and password in place of the two variables. Apparently, the file is getting parsed for any variable names that correspond to those in the scope of the script, which are then replaced with the variables' values, prior to being sent to the user.

    This is a minor issue, as you are not getting any information you do not already know, but if there are any variables in the Show File script that contain sensitive information, such as information that could be used for privilege elevation, it would be exposed to everyone on a given server.

    In addition, this demonstrates that cPanel stores user passwords in plain text, instead of MD5/SHA1 hashing them, which is a security issue in itself, as if someone were to hack into a server, he would be able to steal the passwords for every cPanel account on the server, which most likely correspond to passwords for accounts on other servers.

    I discovered this today, as I happened to open one of my scripts in file manager and I noticed my username and password in the script, even though they are not in the script.
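
The behaviour described in the opening post, modelled as an added example that is not part of the thread and is not cPanel's code: a file viewer that expands `$name` variables over the whole page after splicing in the file text, next to a version that expands only its own template. The template, the scope values and all function names are assumptions made for illustration; the sample file is the one suggested in the thread.

```python
import html
import re

# Constructed stand-ins for variables in the viewer script's scope.
SCOPE = {"user": "alice", "password": "s3cr3t-constructed"}

# Hypothetical page template owned by the viewer script.
PAGE_TEMPLATE = "<h1>Viewing file for $user</h1>\n<pre>$file_body</pre>"

# Test file from the thread.
SAMPLE_FILE = "password: $user\nusername: $password"

_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def _expand(text, scope):
    """Replace each $name with scope[name]; unknown names are left as-is."""
    return _VAR.sub(lambda m: str(scope.get(m.group(1), m.group(0))), text)


def render_flawed(file_body, scope=SCOPE):
    # The file text is spliced into the page first and the whole page is
    # expanded afterwards, so $user / $password inside the file are
    # treated as template variables and replaced with live values.
    page = PAGE_TEMPLATE.replace("$file_body", file_body)
    return _expand(page, scope)


def render_fixed(file_body, scope=SCOPE):
    # Expand only the trusted template pieces, against an allow-list of
    # variables the page needs, then insert the file text as inert,
    # HTML-escaped data that is never passed through the expander.
    allowed = {"user": scope["user"]}
    head, tail = PAGE_TEMPLATE.split("$file_body")
    return _expand(head, allowed) + html.escape(file_body) + _expand(tail, allowed)


if __name__ == "__main__":
    print(render_flawed(SAMPLE_FILE))
    print("---")
    print(render_fixed(SAMPLE_FILE))
```

The allow-list in `render_fixed` also keeps the password out of the expander entirely, so a later template change cannot reintroduce it by accident.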