Message-ID: <1098376012.4177e34ce3120@www.hiddenbit.org>
Date: Thu, 21 Oct 2004 11:26:52 -0500
From: Andrey Bayora <andrey@...denbit.org>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: cPanel check only the first 8 characters of webmail password


cPanel checks only the first 8 characters of the webmail password.

HiddenBit.org Security Advisory.

Date: October 21, 2004

Software: cPanel 9.4.1-STABLE 65

Author: Andrey Bayora


BACKGROUND

cPanel & WebHost Manager (WHM) is a next-generation web hosting control
panel system. Both cPanel & WHM are extremely feature-rich and include
an easy-to-use web-based interface (GUI).


DESCRIPTION

When you set a long and "secure" password for your webmail account, cPanel
will successfully process your login using only the first 8 characters
of your original password. For example: if your password is
1234567890#@! and you enter only 12345678, you will log in successfully.
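
To show the class of defect described above, here is an added example (not cPanel's code and not the advisory author's): a simulated verifier that hashes only the first 8 characters, the way the traditional DES-based crypt(3) does (that this is cPanel's cause is an assumption, not stated in the advisory), beside one that hashes the full password, and an audit helper that measures how many leading characters a login check actually uses. The helper is meant to be pointed at your own login function with a test account whose password you know.

```python
import hashlib
import hmac
import os
from typing import Callable

# Constructed sample: the password from the advisory's example.
SAMPLE_PASSWORD = "1234567890#@!"


def make_truncating_verifier(password: str, limit: int = 8) -> Callable[[str], bool]:
    """Simulate a legacy scheme that silently hashes only the first `limit`
    characters (8 is the traditional DES crypt(3) limit; assumed here, not
    confirmed by the advisory). Any candidate sharing that prefix verifies."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password[:limit].encode(), salt, 10_000)

    def verify(candidate: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", candidate[:limit].encode(), salt, 10_000)
        return hmac.compare_digest(digest, stored)

    return verify


def make_full_verifier(password: str) -> Callable[[str], bool]:
    """Hash the entire password: no silent truncation, so only the exact
    password verifies."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def verify(candidate: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 10_000)
        return hmac.compare_digest(digest, stored)

    return verify


def effective_length(verify: Callable[[str], bool], password: str) -> int:
    """Audit helper: return how many leading characters `verify` really checks.
    Tries successively shorter prefixes of a known test password; the shortest
    accepted prefix is the effective limit. Returns len(password) when no
    shorter prefix is accepted, i.e. the full password is being checked."""
    for n in range(1, len(password)):
        if verify(password[:n]):
            return n
    return len(password)


if __name__ == "__main__":
    legacy = make_truncating_verifier(SAMPLE_PASSWORD)
    modern = make_full_verifier(SAMPLE_PASSWORD)
    print("legacy verifier checks", effective_length(legacy, SAMPLE_PASSWORD), "chars")
    print("modern verifier checks", effective_length(modern, SAMPLE_PASSWORD), "chars")
```

A result shorter than the length of the test password means the login path is discarding characters, which is exactly the condition the advisory reports.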

SOLUTION

None yet – needs vendor development.

WORKAROUND

Choose a complex password within the 8-character range.

TIMELINE

20.10.2004 Vendor notification by HiddenBit.org
20.10.2004 Vendor responded and published the bug in Bugzilla.

Reference:
http://bugzilla.cpanel.net/show_bug.cgi?id=1455



**********************************************************
HiddenBit.org is a non-profit Israeli security research team.



--------------------------------------------------------------
Disclaimer

The information within this advisory may change without notice. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the
user's own risk.


