Full Disclosure mailing list archives
Re: cPanel check only the first 8 characters of webmail password
From: "Evert Daman" <linux () digipix org>
Date: Thu, 21 Oct 2004 23:38:51 +0200
I had noticed the same thing with the normal login procedure at my old ISP. I don't know if it has been fixed in newer versions of cPanel, but I had set my password to <sitename>_666 so it was easy to remember... but since my sitename was 8 chars long my site was easily taken over by someone :) Can someone check if that has been fixed already? I had noticed it maybe a year ago.

Evert

----- Original Message -----
From: "Andrey Bayora" <andrey () hiddenbit org>
To: <full-disclosure () lists netsys com>
Cc: <bugtraq () securityfocus com>
Sent: Thursday, October 21, 2004 6:26 PM
Subject: [Full-disclosure] cPanel check only the first 8 characters of webmail password
cPanel check only the first 8 characters of webmail password.

HiddenBit.org Security Advisory.

Date: October 21, 2004
Software: cPanel 9.4.1-STABLE 65
Author: Andrey Bayora

BACKGROUND

cPanel & WebHost Manager (WHM) is a next generation web hosting control panel system. Both cPanel & WHM are extremely feature rich and include an easy to use web based interface (GUI).

DESCRIPTION

When you set a long and "secure" password for your webmail account, cPanel will successfully process your login using only the first 8 characters of your original password.

For example: your password = 1234567890#@! - if you enter only 12345678 you'll log in successfully.

SOLUTION

None yet - needs vendor development.

WORKAROUND

Choose a complex password within the 8-character range.

TIMELINE

20.10.2004 Vendor notification by HiddenBit.org
20.10.2004 Vendor responded and published bug at bugzilla.

Reference: http://bugzilla.cpanel.net/show_bug.cgi?id=1455

**********************************************************
HiddenBit.org is a non-profit Israeli security research team.

--------------------------------------------------------------
Disclaimer
The information within this advisory may change without notice. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
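The symptom in the advisory (any password whose first eight characters match is accepted) is exactly what traditional DES-based crypt(3) produces, because it builds its 56-bit key from only the first eight characters of the password; the advisory does not name the cause, so treating crypt(3) as the explanation is an assumption here. The Python below is an added example, not code from the thread or from cPanel. It models that key derivation, puts a verifier built on it beside a PBKDF2-based verifier that uses the whole password, and generalises the advisory's test (log in with just the prefix) into a probe that reports the shortest accepted prefix. Every function name, the two-byte salt and the sample password scheme are hypothetical; the cipher itself is replaced by SHA-256 so the example has no dependencies.

```python
"""Why a long webmail password might verify on only its first 8 characters.

ASSUMPTION (not stated in the advisory): the behaviour matches traditional
DES-based crypt(3), whose key is the first 8 characters of the password,
7 bits each, with everything after character 8 discarded.  The functions
below model that key derivation; DES itself is replaced by SHA-256 so the
example stays short and dependency-free.  All names are hypothetical.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

Verifier = Callable[[bytes, str], bool]


def des_crypt_key_material(password: str) -> bytes:
    """Return the 8 key bytes classic crypt(3) derives from a password.

    Only the first 8 characters are used, each contributing its low 7 bits
    (shifted left by one, since the DES key schedule ignores the low parity
    bit).  Short passwords are padded with NUL.  Anything after the eighth
    character, and the top bit of every character, is lost at this point.
    """
    raw = password.encode("latin-1", "replace")[:8].ljust(8, b"\x00")
    return bytes((b & 0x7F) << 1 for b in raw)


def legacy_store(password: str, salt: bytes = b"ab") -> bytes:
    """Vulnerable scheme: 2-byte salt + hash of the truncated key material."""
    return salt + hashlib.sha256(salt + des_crypt_key_material(password)).digest()


def legacy_verify(stored: bytes, password: str) -> bool:
    """Accepts every password whose first 8 characters match the stored one."""
    salt, digest = stored[:2], stored[2:]
    candidate = hashlib.sha256(salt + des_crypt_key_material(password)).digest()
    return hmac.compare_digest(candidate, digest)


PBKDF2_ITERATIONS = 50_000  # kept low so the demo runs quickly


def modern_store(password: str, salt: Optional[bytes] = None) -> bytes:
    """Hardened scheme: 16-byte salt + PBKDF2-HMAC-SHA256 over the whole password."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def modern_verify(stored: bytes, password: str) -> bool:
    """Every character of the password contributes to the comparison."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shortest_accepted_prefix(verify: Verifier, stored: bytes, password: str) -> int:
    """The advisory's check, generalised.

    Try ever-shorter prefixes of a known-good password and return the length
    of the shortest one still accepted.  A result equal to len(password)
    means the verifier really uses the whole password.  Against a live
    system each attempt is a login, so run it only on an account you own.
    """
    if not verify(stored, password):
        raise ValueError("full password must verify before probing")
    accepted = len(password)
    for n in range(len(password) - 1, 0, -1):
        if not verify(stored, password[:n]):
            break
        accepted = n
    return accepted


if __name__ == "__main__":
    pw = "1234567890#@!"  # the advisory's example password
    weak = legacy_store(pw)
    strong = modern_store(pw)
    print("legacy accepts '12345678':", legacy_verify(weak, "12345678"))
    print("legacy effective length:", shortest_accepted_prefix(legacy_verify, weak, pw))
    print("pbkdf2 accepts '12345678':", modern_verify(strong, "12345678"))
    print("pbkdf2 effective length:", shortest_accepted_prefix(modern_verify, strong, pw))
```

Two details of the model are worth checking against a real system: the 7-bit behaviour means a character and its high-bit counterpart (for example latin-1 0x61 and 0xE1) collide as well, and the probe assumes acceptance is monotonic in prefix length, which holds for truncation but not for every verifier. On a libc whose crypt(3) still supports DES, `crypt.crypt(pw, "ab")` shows the same prefix collision directly, but Python's `crypt` module was deprecated in 3.11 and removed in 3.13, so the model above is what runs everywhere.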
Current thread:
- cPanel check only the first 8 characters of webmail password Andrey Bayora (Oct 21)
- Re: cPanel check only the first 8 characters of webmail password Evert Daman (Oct 21)