lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <002401c4b7b6$5b31fcb0$0100a8c0@beneden>
From: linux at digipix.org (Evert Daman)
Subject: cPanel check only the first 8 characters of webmail password

i had noticed the same thing with the normal login procedure
at my old isp. i don't know if it has been fixed in newer versions
of cpanel but i had set my password to <sitename>_666 so it was
easy to remember... but since my sitename was 8 chars long
my site was easily taken over by some-one :)

can some-one check if that has been fixed allready? i had noticed it
maybe a year ago.

Evert


----- Original Message ----- 
From: "Andrey Bayora" <andrey@...denbit.org>
To: <full-disclosure@...ts.netsys.com>
Cc: <bugtraq@...urityfocus.com>
Sent: Thursday, October 21, 2004 6:26 PM
Subject: [Full-Disclosure] cPanel check only the first 8 characters of
webmail password


> cPanel check only the first 8 characters of webmail password.
>
> HiddenBit.org Security Advisory.
>
> Date: October 21, 2004
>
> Software: cPanel 9.4.1-STABLE 65
>
> Author: Andrey Bayora
>
>
> BACKGROUND
>
> cPanel & WebHost Manager (WHM) is a next generation web hosting control
> panel system. Both cPanel & WHM are extremely feature rich as well as
> include an easy to use web based interface (GUI).
>
>
> DESCRIPTION
>
> When you set long and "secure" password for your webmail account, cPanel
> will successfully process you login by using only the first 8
> characters of your original password. For example: your password =
> 1234567890#@!  - if you enter only 12345678 you'll login successfully.
>
> SOLUTION
>
> None yet - needs vendor development.
>
> WORKAROUND
>
> Choose complex password within the 8 characters range.
>
> TIMELINE
>
> 20.10.2004 Vendor notification by HiddenBit.org
> 20.10.2004 Vendor responded and published bug at bugzilla.
>
> Reference:
> http://bugzilla.cpanel.net/show_bug.cgi?id=1455
>
>
>
> **********************************************************
> HiddenBit.org is non-profit Israel security research team.
>
>
>
> --------------------------------------------------------------
> Disclaimer
>
> The information within this advisory may change without notice. There
> are no warranties, implied or express, with regard to this information.
>  In no event shall the author be liable for any direct or indirect
> damages
> whatever arising out or in connection with the use or spread of this
> information. Any use of this information is at the user's own risk.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ