Full Disclosure mailing list archives

cPanel checks only the first 8 characters of webmail password


From: Andrey Bayora <andrey () hiddenbit org>
Date: Thu, 21 Oct 2004 11:26:52 -0500

cPanel checks only the first 8 characters of webmail password.

HiddenBit.org Security Advisory.

Date: October 21, 2004

Software: cPanel 9.4.1-STABLE 65

Author: Andrey Bayora


BACKGROUND

cPanel & WebHost Manager (WHM) is a next-generation web hosting control
panel system. Both cPanel and WHM are extremely feature-rich and include an
easy-to-use web-based interface (GUI).


DESCRIPTION

When you set a long and "secure" password for your webmail account, cPanel
will successfully process your login using only the first 8 characters of
your original password. For example, if your password is 1234567890#@!
and you enter only 12345678, you will log in successfully.
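The behaviour described above is easiest to reason about next to a model of it. The following Python is an added example, not cPanel's code: a hypothetical `TruncatingStore` reproduces the flaw (only the first 8 characters of the password are ever hashed or compared), a `FullLengthStore` shows the corrected behaviour, and `accepts_truncated_password()` is a self-check an administrator can run against any password store object with the same `set_password`/`verify` interface to detect silent truncation. The hash function (PBKDF2-HMAC-SHA256) and the sample credentials are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample taken from the advisory's example.
FULL_PASSWORD = "1234567890#@!"
PREFIX_8 = FULL_PASSWORD[:8]  # "12345678"

# Hypothetical stand-in for the backend's password hash; the point is that
# it is fed either the whole password or a truncated one.
def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class FullLengthStore:
    """Correct behaviour: every character of the password is part of the hash."""

    def __init__(self):
        self._records = {}

    def _normalize(self, password: str) -> str:
        return password  # nothing dropped

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _digest(self._normalize(password), salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._records[user]
        # Constant-time comparison of the recomputed digest.
        return hmac.compare_digest(stored, _digest(self._normalize(password), salt))


class TruncatingStore(FullLengthStore):
    """Models the advisory's flaw: only the first 8 characters ever matter."""

    def _normalize(self, password: str) -> str:
        return password[:8]


def accepts_truncated_password(store, user: str, password: str, keep: int = 8) -> bool:
    """Defender's self-check: set a password longer than `keep` characters,
    then see whether its `keep`-character prefix alone is accepted.
    Returns True when the store is truncating (the weakness is present)."""
    if len(password) <= keep:
        raise ValueError("use a password longer than the suspected truncation length")
    store.set_password(user, password)
    if not store.verify(user, password):
        raise RuntimeError("full password was rejected; store is broken in another way")
    return store.verify(user, password[:keep])


if __name__ == "__main__":
    for cls in (TruncatingStore, FullLengthStore):
        flag = accepts_truncated_password(cls(), "alice", FULL_PASSWORD)
        print(f"{cls.__name__}: accepts 8-char prefix -> {flag}")
```

Running the check against a real deployment means pointing the same logic at the system's login interface with a throwaway test account; the only observable that matters is whether the prefix logs in. An effective password length of 8 from a character set like the one in the advisory's example leaves far less entropy than the user believes they chose, which is why the hardened store hashes the full string.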

SOLUTION

None yet – needs vendor development.

WORKAROUND

Choose a complex password within the 8-character range.

TIMELINE

20.10.2004 Vendor notification by HiddenBit.org
20.10.2004 Vendor responded and published the bug in Bugzilla.

Reference:
http://bugzilla.cpanel.net/show_bug.cgi?id=1455



**********************************************************
HiddenBit.org is a non-profit Israeli security research team.



--------------------------------------------------------------
Disclaimer

The information within this advisory may change without notice. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.


