WHMReseller 3.20 - usernames and passwords stored in plain text for everyone to see



DESCRIPTION


For every account created via WHMReseller, the username and password are logged in plain text to world-readable files:

-rw-rw-rw-  1 root root  500 Aug 25 16:17 /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller/scripts/makesubresellerdebug
-rw-rw-rw-  1 root root 4736 Aug 25 16:17 /usr/local/cpanel/whostmgr/docroot/cgi/whmreseller/whmrdaemondebug

This is especially bad for this software since access to a reseller account allows anyone to execute commands as root.
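
A permission audit for the files listed above, as an added example that is not part of the original advisory or of WHMReseller: it lists files under the WHMReseller directory that carry an other-read or other-write bit, and can restrict the debug logs to mode 0600. The function names and the `*debug` name pattern are assumptions based on the two file names shown.

```shell
#!/bin/sh
# Added example (not WHMReseller code): audit and restrict the debug logs
# named in the advisory. Default directory is the one shown in the listing.
WHMR_DIR="/usr/local/cpanel/whostmgr/docroot/cgi/whmreseller"

# Print every regular file under $1 with an other-read or other-write bit.
list_world_accessible() {
    [ -d "$1" ] || return 0          # nothing to report if the tree is absent
    find "$1" -type f \( -perm -004 -o -perm -002 \) -print
}

# Number of such files; 0 means the tree passes the check.
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Restrict files whose name ends in "debug" (assumed pattern, matching
# makesubresellerdebug and whmrdaemondebug) to owner read/write only.
lock_down_debug_logs() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*debug' \
        \( -perm -004 -o -perm -002 \) -exec chmod 600 {} +
}

# Usage: script audit [dir]   list offending files
#        script fix   [dir]   chmod 600 the debug logs, then re-list
case "${1:-}" in
    audit)
        list_world_accessible "${2:-$WHMR_DIR}"
        ;;
    fix)
        lock_down_debug_logs "${2:-$WHMR_DIR}"
        list_world_accessible "${2:-$WHMR_DIR}"
        ;;
esac
```

Tightening the mode does not stop the software from logging credentials or from recreating the files, so passwords already written there should be treated as exposed.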



IMPACT


Local users could obtain root privileges.