WHMEZLogin (version unknown) - users can obtain the root password



DESCRIPTION


The purpose of WHMEZLogin is to allow users such as staff to use WHM as root without revealing the actual root password to them. However, anyone who is logged in to WHM can trivially obtain the plaintext password of the user they are logged in as by accessing the "/scripts/quicksupport" URL and viewing the page source.



IMPACT


Users could obtain the root password.


<input type="hidden" name="whmip" value="1.2.3.4">
<input type="hidden" name="sship" value="1.2.3.4">
<input type="hidden" name="sshport" value="5">
<input type="hidden" name="wheeluser" value="root">
<input type="hidden" name="wheelpass" value="/8Sc22rO]pd<)]9L6F7(SsQ~<P;:sfi1z3BxNY73">
<input type="hidden" name="rootpass" value="/8Sc22rO]pd<)]9L6F7(SsQ~<P;:sfi1z3BxNY73">


The vendor stated they would deny access to the quicksupport URL in a future release. Another way to mitigate this is to uncheck the "Send the credentials of the logged in user when requesting support from cPanel directly" box in the Tweak Settings area in WHM (deny_quicksupport_password in cpanel.config), although anyone logged in as root could obviously reenable this option.
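
To confirm whether a saved copy of a page still embeds credentials in hidden form fields, an administrator could run a check like the following. It is an added example, not part of the original advisory or the vendor's code; the substring list, function names and sample form are assumptions constructed for illustration. It uses an HTML parser instead of a regex because a password such as the one shown above can contain '<' and '>', which would cut a pattern like `<input[^>]*>` short.

```python
from html.parser import HTMLParser

# Assumption: substrings that mark a field name as credential-bearing.
# "wheelpass" and "rootpass" from the advisory both match "pass".
SENSITIVE_SUBSTRINGS = ("pass", "pwd", "secret")


class HiddenCredentialAuditor(HTMLParser):
    """Collect hidden <input> fields whose name suggests a credential."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (field name, value length); the value is never stored

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "hidden":
            return
        name, value = a.get("name", ""), a.get("value", "")
        # Only non-empty values are a finding; an empty field leaks nothing.
        if value and any(s in name.lower() for s in SENSITIVE_SUBSTRINGS):
            self.findings.append((name, len(value)))


def audit_html(html_text):
    """Return [(field_name, value_length), ...] for credential-like hidden inputs."""
    auditor = HiddenCredentialAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample modelled on the advisory's form. The addresses and the
# password are made up; the password deliberately contains '<' and '>'.
SAMPLE = """
<form>
<input type="hidden" name="whmip" value="192.0.2.10">
<input type="hidden" name="wheeluser" value="root">
<input type="hidden" name="wheelpass" value="Ex<ample>)Pw;constructed">
<input type="hidden" name="rootpass" value="Ex<ample>)Pw;constructed">
<input type="hidden" name="emptypass" value="">
</form>
"""

if __name__ == "__main__":
    for name, length in audit_html(SAMPLE):
        print(f"hidden field {name!r} carries a {length}-character value")
```

An empty result after applying the Tweak Settings change indicates the page no longer carries the password; the script reports only field names and lengths so its own output does not become another copy of the credential.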