[CPANEL-18704] An Indirect Way to Change cPanel Passwords
Hello,
I report this security article to Sucuri
There's no doubt that the ubiquitous "forgot your password?" feature has helped many users who've misplaced their password or otherwise forgotten it; however, the tradeoff is that it can result in bugs that help bad actors.
As demonstrated in this article, an attacker can use cPanel's "forgot your password?" feature to reset a user password and obtain further access to an already compromised website.
Replicate this issue on the latest version of cPanel (v82.0.16)
Hi, any ETA on CPANEL-18704? Is it live?
Hello, the epic associated with this has several cases attached, and while a lot of them are complete, the epic itself is not yet resolved in v88. It looks like it is in v90 of cPanel & WHM, though.