WHMReseller 3.20 - usernames and passwords stored in plain text for everyone to see
DESCRIPTION
For every account that is created via WHMReseller, usernames and passwords are logged in plain text to world readable files:
-rw-rw-rw- 1 root root 500 Aug 25 16:17 /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller/scripts/makesubresellerdebug -rw-rw-rw- 1 root root 4736 Aug 25 16:17 /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller/whmrdaemondebug
This is especially bad for this software since access to a reseller account allows anyone to execute commands as root.
IMPACT
Local users could obtain root privileges.