Re: [Full-Disclosure] cPanel check only the first 8 characters of webmail password
From: Evert Daman (linux_at_digipix.org)
Date: 10/21/04
- Previous message: Georgi Guninski: "Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!"
- In reply to: Andrey Bayora: "[Full-Disclosure] cPanel check only the first 8 characters of webmail password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Andrey Bayora" <andrey@hiddenbit.org>, <full-disclosure@lists.netsys.com>
Date: Thu, 21 Oct 2004 23:38:51 +0200
I had noticed the same thing with the normal login procedure
at my old ISP. I don't know if it has been fixed in newer versions
of cPanel, but I had set my password to <sitename>_666 so it was
easy to remember... but since my sitename was 8 chars long,
my site was easily taken over by someone :)
Can someone check if that has been fixed already? I had noticed it
maybe a year ago.
Evert
----- Original Message -----
From: "Andrey Bayora" <andrey@hiddenbit.org>
To: <full-disclosure@lists.netsys.com>
Cc: <bugtraq@securityfocus.com>
Sent: Thursday, October 21, 2004 6:26 PM
Subject: [Full-Disclosure] cPanel check only the first 8 characters of webmail password
> cPanel checks only the first 8 characters of the webmail password.
>
> HiddenBit.org Security Advisory.
>
> Date: October 21, 2004
>
> Software: cPanel 9.4.1-STABLE 65
>
> Author: Andrey Bayora
>
>
> BACKGROUND
>
> cPanel & WebHost Manager (WHM) is a next-generation web hosting control
> panel system. Both cPanel & WHM are extremely feature-rich and include
> an easy-to-use web-based interface (GUI).
>
>
> DESCRIPTION
>
> When you set a long and "secure" password for your webmail account, cPanel
> will successfully process your login using only the first 8
> characters of your original password. For example: your password =
> 1234567890#@! - if you enter only 12345678, you'll log in successfully.
>
> SOLUTION
>
> None yet - needs vendor development.
>
> WORKAROUND
>
> Choose a complex password within the 8-character limit.
>
> TIMELINE
>
> 20.10.2004 Vendor notification by HiddenBit.org
> 20.10.2004 Vendor responded and published bug at bugzilla.
>
> Reference:
> http://bugzilla.cpanel.net/show_bug.cgi?id=1455
>
>
>
> **********************************************************
> HiddenBit.org is a non-profit Israeli security research team.
>
>
>
> --------------------------------------------------------------
> Disclaimer
>
> The information within this advisory may change without notice. There
> are no warranties, implied or express, with regard to this information.
> In no event shall the author be liable for any direct or indirect damages
> whatsoever arising out of or in connection with the use or spread of this
> information. Any use of this information is at the user's own risk.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
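As an added illustration, not code from either message above or from cPanel: the advisory's own test (log in with 1234567890#@!, then with just 12345678) generalises to a probe that finds the shortest accepted prefix of a known password, which is how you would confirm the behaviour Evert and Andrey describe against any login you control. The script below applies that probe to two constructed verifiers: one that models the reported behaviour by comparing only the first 8 characters (legacy DES-based crypt(3) hashes truncate exactly this way; whether cPanel's webmail used that is an assumption, the advisory does not say), and a hardened one that hashes the whole password with PBKDF2. The password, salt and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

Verifier = Callable[[str], bool]

# Constructed model of the reported behaviour: only the first `limit`
# characters of the password are ever compared, so any suffix is ignored.
# This mirrors traditional DES crypt(3) truncation; it is an assumption
# that this is the mechanism behind the advisory, not a fact from it.
def make_truncating_verifier(stored_password: str, limit: int = 8) -> Verifier:
    stored = stored_password[:limit].encode()

    def verify(candidate: str) -> bool:
        return hmac.compare_digest(candidate[:limit].encode(), stored)

    return verify


# Hardened verifier: salted PBKDF2 over the entire password, no length cut.
# The iteration count is kept modest for the example; use a higher one in
# production.
def make_full_length_verifier(stored_password: str,
                              salt: Optional[bytes] = None,
                              iterations: int = 20_000) -> Verifier:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", stored_password.encode(), salt, iterations)

    def verify(candidate: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        return hmac.compare_digest(cand, digest)

    return verify


def find_truncation_length(verify: Verifier, password: str) -> Optional[int]:
    """Shortest proper prefix of `password` that `verify` accepts, or None
    if only the full password is accepted (i.e. no truncation)."""
    for k in range(1, len(password)):
        if verify(password[:k]):
            return k
    return None


def accepts_garbage_suffix(verify: Verifier, password: str, limit: int) -> bool:
    """True if characters beyond `limit` are ignored entirely: the prefix
    plus arbitrary junk still logs in."""
    return verify(password[:limit] + "ZZZZ")


def probe(verify: Verifier, password: str) -> dict:
    """Run both checks and report what an auditor would want to know."""
    cut = find_truncation_length(verify, password)
    return {
        "full_password_accepted": verify(password),
        "truncation_length": cut,
        "suffix_ignored": accepts_garbage_suffix(verify, password, cut) if cut else False,
    }


if __name__ == "__main__":
    # The password from the advisory, used as constructed sample input.
    pw = "1234567890#@!"
    print("truncating:", probe(make_truncating_verifier(pw), pw))
    print("full-length:", probe(make_full_length_verifier(pw), pw))
```

Against a real login you would replace the verifier with a function that submits the candidate to the form and returns whether the session was granted; a result of 8 reproduces the advisory, and any non-None value means the effective password space is far smaller than the user believes, which is why Evert's <sitename>_666 collapsed to just <sitename>.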