Security Alert: cPanel doesn't require username to log in...
Results 1 to 5 of 5

Thread: Security Alert: cPanel doesn't require username to log in...

  1. #1
    Senior Member
    Join Date
    Dec 2001
    Posts
    884

    Security Alert: cPanel doesn't require username to log in...

    Heya folks,

    I posted this here because I figure a lot of you use cPanel at your own websites. I do myself, so hopefully this is useful information to some of you.

    I got an email yesterday on bugtraq claiming that to log into a cPanel account you do not need a username, only the password. I tried this out on mine, and it seems to be true. I left the username field blank, and only typed my password, and it logged me in just fine.

    I'm not sure that there is an updated version of cPanel out yet to use, but you all should be aware of this, as it makes the breaking in significantly easier for an intruder, especially if (like me) you use a not-so-easily-guessed username.

  2. #2
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    Thanks for the heads up - I just tried it on mine, and it indeed works :/

  3. #3
    Senior Member The Old Man's Avatar
    Join Date
    Aug 2001
    Posts
    364
    thanks Jehnx, a good post. Makes a good case for changing to a more complicated password that might not be so easily sniffed. :-)

  4. #4
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by The Old Man
    thanks Jehnx, a good post. Makes a good case for changing to a more complicated password that might not be so easily sniffed. :-)
    A sniffed password is a sniffed password... it doesn't matter how complicated it is... if it's sniffed.. they have it.. period...

    This is a great reason why cpanel should operating over HTTPS though instead of HTTP... that will prevent it from being easily sniffed... as it would require a MITM attack.

    I've noticed fishy behaviour in the past with cpanel.. I had a reseller account (let's say it was www.reselleraccount.com) and I had client accounts www.clientaccount.com and www.client2account.com)..

    cpanel was accessible on each through domain/cpanel...

    I could go to any of the pages though and log into any of the other cpanel accounts... On occasion I'd give the proper username for one of the domains and the password for another domain (too many passwords = confusion)... and I'd log into the other domain.. So I'd go to www.reselleraccount.com and I enter reseller_username and client2_password and end up in the client2 site..

    Now remember that this is version specific... there've been responses to the Bugtraq post with versions that it doesn't work with and I just tested against 10.8.2-RELEASE 119 and it didn't work, same goes for 10.8.2-EDGE 6. Anyone wishing to see this... You can google "cpanel demo" and find tons of sites with demo accounts.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    mmmm......looks like the developers never looked upon it!!??? Anyway I am amazed!! Once I had to get a new installation of Cpanel jus coz I forgot the username....I had it a looooong and complicated one!! I wish I had this news then!!! POOR ME??
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •