Re: cPanel check only the first 8 characters of webmail password

["Evert Daman" <linux () digipix org>]

i had noticed the same thing with the normal login procedure
at my old isp. i don't know if it has been fixed in newer versions
of cpanel but i had set my password to <sitename>_666 so it was
easy to remember... but since my sitename was 8 chars long
my site was easily taken over by some-one :)

can some-one check if that has been fixed allready? i had noticed it
maybe a year ago.

Evert


----- Original Message ----- 
From: "Andrey Bayora" <andrey () hiddenbit org>
To: <full-disclosure () lists netsys com>
Cc: <bugtraq () securityfocus com>
Sent: Thursday, October 21, 2004 6:26 PM
Subject: [Full-disclosure] cPanel check only the first 8 characters of
webmail password


> cPanel check only the first 8 characters of webmail password.
>
> HiddenBit.org Security Advisory.
>
> Date: October 21, 2004
>
> Software: cPanel 9.4.1-STABLE 65
>
> Author: Andrey Bayora
>
>
> BACKGROUND
>
> cPanel & WebHost Manager (WHM) is a next generation web hosting control
> panel system. Both cPanel & WHM are extremely feature rich as well as
> include an easy to use web based interface (GUI).
>
>
> DESCRIPTION
>
> When you set long and "secure" password for your webmail account, cPanel
> will successfully process you login by using only the first 8
> characters of your original password. For example: your password =
> 1234567890#@!  - if you enter only 12345678 you'll login successfully.
>
> SOLUTION
>
> None yet - needs vendor development.
>
> WORKAROUND
>
> Choose complex password within the 8 characters range.
>
> TIMELINE
>
> 20.10.2004 Vendor notification by HiddenBit.org
> 20.10.2004 Vendor responded and published bug at bugzilla.
>
> Reference:
> http://bugzilla.cpanel.net/show_bug.cgi?id=1455
>
>
>
> **********************************************************
> HiddenBit.org is non-profit Israel security research team.
>
>
>
> --------------------------------------------------------------
> Disclaimer
>
> The information within this advisory may change without notice. There
> are no warranties, implied or express, with regard to this information.
>  In no event shall the author be liable for any direct or indirect
> damages
> whatever arising out or in connection with the use or spread of this
> information. Any use of this information is at the user's own risk.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html