CPANEL-40481 - Issue using whmapi1 CLI to reset password
When using WHM API1 via CLI, if the user's password begins with @, your system throws up the following error.
[root@server ~]# whmapi1 --output=jsonpretty passwd user='user' password="@samudra123"
Cpanel::Exception::IO::FileNotFound/(XID zjsfdw) The system cannot find a file named "samudra123".
at /usr/local/cpanel/Cpanel/LoadFile.pm line 73.
Cpanel::LoadFile::_open("samudra123") called at /usr/local/cpanel/Cpanel/LoadFile.pm line 121
Cpanel::LoadFile::_load_r(CODE(0x81f730), "samudra123") called at /usr/local/cpanel/Cpanel/LoadFile.pm line 103
Cpanel::LoadFile::load("samudra123") called at bin/apitool.pl line 221
bin::apitool::_process_one_argument("\@samudra123", 1) called at bin/apitool.pl line 236
bin::apitool::_process_arguments(ARRAY(0x838840), 1) called at bin/apitool.pl line 193
bin::apitool::_whm_parse_args(__CPANEL_HIDDEN__, HASH(0x1dd4df0), __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, ARRAY(0x838840)) called at bin/apitool.pl line 92
bin::apitool::run(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__) called at bin/apitool.pl line 40
Apart from not being able to set a password that begins with @, and though it may seem exaggerated, a well-crafted request may be able to exploit other aspects which may be beyond this functionality.
I have not tested it with other password sequences. I believe the input parameters should be character-proof for at least all ASCII characters.
Server's cPanel version is 102.0 (build 11)
Thanks
Kirti Singh
-
Hey there! That's interesting - let me do some testing on my end and confirm.
Thanks for reporting this - I've created case CPANEL-40481 for our developers to look into this, and I'll be sure to post here once I have more details.
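An added illustration, not part of the thread and not cPanel's code: the trace shows bin/apitool.pl handing an argument value that begins with @ to Cpanel::LoadFile::load, so this Python model contrasts that implicit read-from-file convention with a parser that keeps every value literal unless the caller opts in per key. The function names, the file_keys opt-in and the sample file are assumptions made for the example.

```python
import os
import tempfile


def parse_at_file(argv):
    """Model of the traced behaviour: '@name' means 'read the value from file name'."""
    params = {}
    for arg in argv:
        key, _, value = arg.partition("=")
        if value.startswith("@"):
            with open(value[1:], encoding="utf-8") as fh:
                value = fh.read()
        params[key] = value
    return params


def parse_literal(argv, file_keys=frozenset()):
    """Hardened model: values are literal; only keys named in file_keys
    (a hypothetical opt-in chosen by the caller) are read from a file."""
    params = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {arg!r}")
        if key in file_keys:
            with open(value, encoding="utf-8") as fh:
                value = fh.read()
        params[key] = value
    return params


def demo():
    """Return (missing file for the post's argv, implicit value, literal value)."""
    post_argv = ["user=user", "password=@samudra123"]  # arguments from the post
    try:
        parse_at_file(post_argv)
        missing = None
    except FileNotFoundError as exc:
        missing = exc.filename
    # Constructed sample: when the file exists, the value changes silently.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "note.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed file contents")
        argv = ["user=user", f"password=@{path}"]
        return missing, parse_at_file(argv)["password"], parse_literal(argv)["password"]
```

With the implicit convention, the value that reaches the API is whatever the named file contains, not the string the operator typed; the literal parser passes the string through unchanged.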