Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: cPanel check only the first 8 characters of webmail password
From: "Evert Daman" <linux () digipix org>
Date: Thu, 21 Oct 2004 23:38:51 +0200


i had noticed the same thing with the normal login procedure
at my old isp. i don't know if it has been fixed in newer versions
of cpanel but i had set my password to <sitename>_666 so it was
easy to remember... but since my sitename was 8 chars long
my site was easily taken over by some-one :)

can some-one check if that has been fixed allready? i had noticed it
maybe a year ago.

Evert


----- Original Message ----- 
From: "Andrey Bayora" <andrey () hiddenbit org>
To: <full-disclosure () lists netsys com>
Cc: <bugtraq () securityfocus com>
Sent: Thursday, October 21, 2004 6:26 PM
Subject: [Full-disclosure] cPanel check only the first 8 characters of
webmail password


cPanel check only the first 8 characters of webmail password.

HiddenBit.org Security Advisory.

Date: October 21, 2004

Software: cPanel 9.4.1-STABLE 65

Author: Andrey Bayora


BACKGROUND

cPanel & WebHost Manager (WHM) is a next generation web hosting control
panel system. Both cPanel & WHM are extremely feature rich as well as
include an easy to use web based interface (GUI).


DESCRIPTION

When you set long and "secure" password for your webmail account, cPanel
will successfully process you login by using only the first 8
characters of your original password. For example: your password =
1234567890# () !  - if you enter only 12345678 you'll login successfully.

SOLUTION

None yet - needs vendor development.

WORKAROUND

Choose complex password within the 8 characters range.

TIMELINE

20.10.2004 Vendor notification by HiddenBit.org
20.10.2004 Vendor responded and published bug at bugzilla.

Reference:
http://bugzilla.cpanel.net/show_bug.cgi?id=1455



**********************************************************
HiddenBit.org is non-profit Israel security research team.



--------------------------------------------------------------
Disclaimer

The information within this advisory may change without notice. There
are no warranties, implied or express, with regard to this information.
 In no event shall the author be liable for any direct or indirect
damages
whatever arising out or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault