Re: [Full-Disclosure] cPanel check only the first 8 characters of webmail password

From: Evert Daman (linux_at_digipix.org)
Date: 10/21/04

    To: "Andrey Bayora" <andrey@hiddenbit.org>, <full-disclosure@lists.netsys.com>
    Date: Thu, 21 Oct 2004 23:38:51 +0200
    
    

    I had noticed the same thing with the normal login procedure
    at my old ISP. I don't know if it has been fixed in newer versions
    of cPanel, but I had set my password to <sitename>_666 so it was
    easy to remember... but since my sitename was 8 chars long,
    my site was easily taken over by someone :)

    Can someone check if that has been fixed already? I had noticed it
    maybe a year ago.

    Evert

    ----- Original Message -----
    From: "Andrey Bayora" <andrey@hiddenbit.org>
    To: <full-disclosure@lists.netsys.com>
    Cc: <bugtraq@securityfocus.com>
    Sent: Thursday, October 21, 2004 6:26 PM
    Subject: [Full-Disclosure] cPanel check only the first 8 characters of
    webmail password

    > cPanel checks only the first 8 characters of the webmail password.
    >
    > HiddenBit.org Security Advisory.
    >
    > Date: October 21, 2004
    >
    > Software: cPanel 9.4.1-STABLE 65
    >
    > Author: Andrey Bayora
    >
    >
    > BACKGROUND
    >
    > cPanel & WebHost Manager (WHM) is a next-generation web hosting control
    > panel system. Both cPanel & WHM are extremely feature-rich and
    > include an easy-to-use web-based interface (GUI).
    >
    >
    > DESCRIPTION
    >
    > When you set a long and "secure" password for your webmail account, cPanel
    > will successfully process your login using only the first 8
    > characters of your original password. For example: if your password is
    > 1234567890#@! and you enter only 12345678, you'll log in successfully.
    >
    > SOLUTION
    >
    > None yet - needs vendor development.
    >
    > WORKAROUND
    >
    > Choose a complex password within the 8-character range.
    >
    > TIMELINE
    >
    > 20.10.2004 Vendor notification by HiddenBit.org
    > 20.10.2004 Vendor responded and published the bug on Bugzilla.
    >
    > Reference:
    > http://bugzilla.cpanel.net/show_bug.cgi?id=1455
    >
    >
    >
    > **********************************************************
    > HiddenBit.org is a non-profit Israeli security research team.
    >
    >
    >
    > --------------------------------------------------------------
    > Disclaimer
    >
    > The information within this advisory may change without notice. There
    > are no warranties, implied or express, with regard to this information.
    > In no event shall the author be liable for any direct or indirect
    > damages whatsoever arising out of or in connection with the use or
    > spread of this information. Any use of this information is at the
    > user's own risk.
    >
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >

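As an added example (not code from the advisory, from cPanel, or from either poster), the following Python models a password verifier that feeds only the first 8 characters into the hash, the behaviour the advisory describes, beside one that hashes the full password, together with an audit routine an administrator could run with a known account to find the shortest accepted prefix. The PBKDF2 store, the `max_len` parameter and the `audit` helper are assumptions for the demonstration; the sample password is the advisory's own example.

```python
import hashlib
import hmac
import os

# Constructed sample value, taken from the advisory's own example.
ADVISORY_PASSWORD = "1234567890#@!"
ITERATIONS = 20_000  # deliberately low so the audit loop runs quickly


class PasswordStore:
    """Salted PBKDF2 store. max_len models a backend that feeds only the
    first N characters into the hash (the advisory's behaviour, N = 8)."""

    def __init__(self, max_len=None):
        self.max_len = max_len
        self.salt = os.urandom(16)
        self.digest = None

    def _hash(self, password: str) -> bytes:
        material = password if self.max_len is None else password[:self.max_len]
        return hashlib.pbkdf2_hmac("sha256", material.encode(), self.salt, ITERATIONS)

    def set_password(self, password: str) -> None:
        self.digest = self._hash(password)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, self._hash(password))


def shortest_accepted_prefix(store: PasswordStore, password: str) -> int:
    """Audit: with a known password, find the shortest leading prefix the
    verifier accepts. len(password) means no truncation was observed."""
    for n in range(1, len(password) + 1):
        if store.verify(password[:n]):
            return n
    return len(password)


def accepts_trailing_garbage(store: PasswordStore, password: str) -> bool:
    """Second symptom: characters past the cut-off are ignored, so the
    real password with junk appended is accepted as well."""
    return store.verify(password + "ZZZ")


def audit(max_len=None) -> dict:
    """Run both checks against a store holding the advisory's password."""
    store = PasswordStore(max_len)
    store.set_password(ADVISORY_PASSWORD)
    return {"prefix": shortest_accepted_prefix(store, ADVISORY_PASSWORD),
            "garbage_accepted": accepts_trailing_garbage(store, ADVISORY_PASSWORD)}
```

`audit(8)` reports a prefix of 8 with trailing garbage accepted, which is the advisory's symptom; `audit()` reports the full 13 characters and rejects the padded password.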