WHMReseller 3.20 - usernames and passwords stored in plain text for everyone to see


For every account created via WHMReseller, the username and password are logged in plain text to world-readable files (mode 0666 in the listing below, so also world-writable):

-rw-rw-rw-  1 root root  500 Aug 25 16:17 /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller/scripts/makesubresellerdebug
-rw-rw-rw-  1 root root 4736 Aug 25 16:17 /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller/whmrdaemondebug

This is especially bad for this software since access to a reseller account allows anyone to execute commands as root.


Local users could obtain root privileges.
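
A defender's check for the exposure described above, added here as an example and not part of the original advisory or of WHMReseller: it reports whether the two debug files are accessible to other local users and can restrict them to owner-only. The paths are taken from the listing above; the function names and the --audit / --fix switches are illustrative.

```shell
#!/bin/sh
# Added example: audit the WHMReseller debug logs named in the advisory.
# Paths are from the advisory; function names and switches are illustrative.

WHMR_DIR=/usr/local/cpanel/whostmgr/docroot/cgi/whmreseller
WHMR_LOGS="$WHMR_DIR/scripts/makesubresellerdebug $WHMR_DIR/whmrdaemondebug"

# Print the "other" permission triplet (e.g. "rw-") taken from ls -ld output.
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# Succeed if the file exists and "other" has read or write access.
is_world_accessible() {
    [ -e "$1" ] || return 1
    case "$(other_bits "$1")" in
        r??|?w?) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print one line per exposed file; return 1 if any file is exposed.
audit_logs() {
    found=0
    for f in "$@"; do
        if is_world_accessible "$f"; then
            printf 'EXPOSED %s %s\n' "$(other_bits "$f")" "$f"
            found=1
        fi
    done
    return "$found"
}

# Restrict every exposed file to owner read/write only (0600).
lock_down() {
    for f in "$@"; do
        if is_world_accessible "$f"; then chmod 600 -- "$f"; fi
    done
}

case "${1:-}" in
    --audit) audit_logs $WHMR_LOGS ;;
    --fix)   lock_down $WHMR_LOGS ;;
esac
```

Tightening the mode only covers the files as they exist now; credentials already written to them should be treated as disclosed and changed.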