| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Oct 2004 23:38:51 +0200 From: "Evert Daman" <linux@...ipix.org> To: "Andrey Bayora" <andrey@...denbit.org>, <full-disclosure@...ts.netsys.com> Cc: <bugtraq@...urityfocus.com> Subject: Re: cPanel check only the first 8 characters of webmail password i had noticed the same thing with the normal login procedure at my old isp. i don't know if it has been fixed in newer versions of cpanel but i had set my password to <sitename>_666 so it was easy to remember... but since my sitename was 8 chars long my site was easily taken over by some-one :) can some-one check if that has been fixed allready? i had noticed it maybe a year ago. Evert ----- Original Message ----- From: "Andrey Bayora" <andrey@...denbit.org> To: <full-disclosure@...ts.netsys.com> Cc: <bugtraq@...urityfocus.com> Sent: Thursday, October 21, 2004 6:26 PM Subject: [Full-Disclosure] cPanel check only the first 8 characters of webmail password > cPanel check only the first 8 characters of webmail password. > > HiddenBit.org Security Advisory. > > Date: October 21, 2004 > > Software: cPanel 9.4.1-STABLE 65 > > Author: Andrey Bayora > > > BACKGROUND > > cPanel & WebHost Manager (WHM) is a next generation web hosting control > panel system. Both cPanel & WHM are extremely feature rich as well as > include an easy to use web based interface (GUI). > > > DESCRIPTION > > When you set long and "secure" password for your webmail account, cPanel > will successfully process you login by using only the first 8 > characters of your original password. For example: your password = > 1234567890#@! - if you enter only 12345678 you'll login successfully. > > SOLUTION > > None yet - needs vendor development. > > WORKAROUND > > Choose complex password within the 8 characters range. > > TIMELINE > > 20.10.2004 Vendor notification by HiddenBit.org > 20.10.2004 Vendor responded and published bug at bugzilla. > > Reference: > http://bugzilla.cpanel.net/show_bug.cgi?id=1455 > > > > ********************************************************** > HiddenBit.org is non-profit Israel security research team. > > > > -------------------------------------------------------------- > Disclaimer > > The information within this advisory may change without notice. There > are no warranties, implied or express, with regard to this information. > In no event shall the author be liable for any direct or indirect > damages > whatever arising out or in connection with the use or spread of this > information. Any use of this information is at the user's own risk. > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists