cPanel Reset Password Vulnerability

Last Updated: November 30, 1999


- Mar 11, 2004 -

A new 'backdoor' was found in cPanel that would allow malicious users to reboot your server, delete files, and gain unauthorized access. Basically you NEED to fix this or risk getting 'hacked/attacked'. The security issue resides in cPanel's new 'request a password' feature for accounts. You can disable this feature as detailed below, and also lock down the file that allows the malicious code to be executed. Right now the main issue seen is that anyone can reset any user's password, such as *gasp* root.


Step 1

  1. Login to WHM as root.

  2. Click "Tweak Settings".

  3. Scroll down to the bottom and UNCHECK "Allow cPanel users to reset their password via email".

  4. Click Save.

Step 2

  5. Login to your server via SSH as root (or su to root).

  6. Type: chmod 600 /usr/local/cpanel/base/resetpass.cgi

  7. Type: chattr +i /usr/local/cpanel/base/resetpass.cgi

Done!
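As an added example (not part of the original tutorial or of cPanel itself), the following POSIX shell script audits whether the Step 2 hardening is actually in place, so you can confirm the chmod/chattr took effect and re-check the file later. It assumes the standard `ls -l` mode-string layout and an e2fsprogs `lsattr` for the immutable-flag check (that check is skipped when `lsattr` is not installed); the file path is the one given in the steps above.

```shell
#!/bin/sh
# Audit script for the resetpass.cgi lockdown described in Step 2.
# Added example, not cPanel's own code. Assumes a Linux/BSD `ls -l` mode
# string and (optionally) e2fsprogs `lsattr` for the immutable attribute.

RESETPASS_CGI="/usr/local/cpanel/base/resetpass.cgi"

# check_mode PATH
# Returns 0 if PATH is a regular file whose mode string is exactly
# -rw------- (i.e. chmod 600, unreadable and unexecutable by the web
# server user), 1 otherwise. Uses the first 10 characters of `ls -ld`
# so an SELinux/ACL marker in column 11 does not affect the comparison.
check_mode() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# check_immutable PATH
# Returns 0 if the immutable attribute (chattr +i) is set, 1 if it is
# not, and 2 if lsattr is unavailable so the flag cannot be checked.
check_immutable() {
    f="$1"
    command -v lsattr >/dev/null 2>&1 || return 2
    attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_resetpass [PATH]
# Prints one line per check and suggests the remediation from Step 2.
# Returns 0 only when the mode check passes (the immutable check is
# advisory because it may be unavailable on the host).
audit_resetpass() {
    f="${1:-$RESETPASS_CGI}"
    result=0

    if check_mode "$f"; then
        echo "OK:   $f is mode 0600"
    else
        echo "WARN: $f is not mode 0600 (run: chmod 600 $f)"
        result=1
    fi

    rc=0
    check_immutable "$f" || rc=$?
    case "$rc" in
        0) echo "OK:   $f has the immutable attribute set" ;;
        1) echo "WARN: $f is not immutable (run: chattr +i $f)" ;;
        2) echo "SKIP: lsattr not available, immutable flag not checked" ;;
    esac

    return "$result"
}

# Usage (as root on the cPanel server):
#   sh audit_resetpass.sh
#   sh audit_resetpass.sh /some/other/path.cgi
```

The mode check is the one that matters for the attack described above: with `chmod 600` the file is neither readable nor executable by the web server user, so the reset script cannot be invoked through the web interface. The `chattr +i` step is defence in depth, since an immutable file cannot be modified, replaced or deleted until the attribute is cleared, even by root.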
