cPanel / WHM Root Password Exposure Vulnerability

The cPanel/WHM control panel has a significant security flaw where it stores root passwords in plain text when you log in to WHM. This vulnerability poses a high security risk, as any plugin or app installed within WHM can access your root password and potentially send it to remote servers.

Ideally, WHM should not store any login passwords in sessions or environment variables to prevent password leaks. Unfortunately, cPanel stores these passwords without proper encryption. By default, all cPanel installations store the root login password in plain text in a server environment variable named REMOTE_PASSWORD. As a result, any third-party plugin installed on your WHM control panel can easily access the root password.

Are There Any Solutions?

cPanel offers a setting in WHM’s tweak settings called “Hide login password from CGI scripts,” which displays the environment variable as __HIDDEN__ instead of the actual password. However, you need to enable this setting manually, as it is off by default. Consequently, your root passwords are still stored in the environment variable.

A peculiar aspect of this setting is that if you enable and disable this protection, the password will be visible again. This indicates that cPanel does not delete the login passwords from the store; instead, it retains them.

Testing the Vulnerability

To demonstrate the issue, you can install the following simple WHM plugin to identify the problem. This plugin is open-source and safe to install and check on your server.

Download the test plugin (SHA1 sum: 7cb2ef460a715a150299f04aeaaf8675403682f4)

Follow these steps to install the plugin:

# wget https://files.syslint.com/show-my-password.tar.gz
# tar -xzf show-my-password.tar.gz
# cd show-my-password/
# ./install install

After installation, log in to WHM, navigate to Plugins -> Show My Password, and toggle the “hide login password” option in the tweak settings. You will see that the option does not effectively hide the password; it merely updates the environment while still storing the password, which you can retrieve at any time.

To uninstall the plugin, run the command:

./install remove

Understanding the Security Risk

You might wonder why this is a significant security risk. The tweak settings are stored in /var/cpanel/cpanel.config, and any WHM plugin can alter this configuration file. This means that even if you enable the option that hides the root password, a malicious WHM plugin could turn it off again and fetch your root password. With hundreds of cPanel plugins available, there’s no telling how many might have access to your root password.
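Because the setting lives in a file that plugins can rewrite, it is worth checking for silent changes. The following is an added example, not code from the test plugin or from cPanel: it reads a cpanel.config-style file, records the state of the hide-password setting as a baseline, and reports when that state later changes. The key name `cgihidepass`, the function names and the baseline file are assumptions not given on the page.

```shell
#!/bin/sh
# Added example, not the plugin's or cPanel's code. Sample inputs are constructed.
# ASSUMPTION: the tweak setting's key name in cpanel.config; the page does not
# give it. Confirm by diffing the file before and after toggling the setting.
HIDE_KEY="${HIDE_KEY:-cgihidepass}"

# Print the last value assigned to key $2 in key=value file $1 (empty if absent).
config_value() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Classify the setting in file $1 as hidden, exposed or missing.
hide_state() {
    case "$(config_value "$1" "$HIDE_KEY")" in
        1)  echo hidden ;;
        "") echo missing ;;   # key absent: the page says hiding is off by default
        *)  echo exposed ;;
    esac
}

# Compare the current state of config $1 with baseline file $2.
# First run records the baseline; later runs return 1 if the state changed.
check_drift() {
    now=$(hide_state "$1")
    if [ ! -f "$2" ]; then
        echo "$now" > "$2"
        echo "baseline:$now"
        return 0
    fi
    was=$(cat "$2")
    if [ "$now" = "$was" ]; then
        echo "ok:$now"
        return 0
    fi
    echo "DRIFT:$was->$now"
    return 1
}

# Classify what a CGI process sees in REMOTE_PASSWORD without echoing the value.
env_state() {
    case "${REMOTE_PASSWORD-}" in
        "")         echo unset ;;
        __HIDDEN__) echo hidden ;;
        *)          echo exposed ;;
    esac
}

# Stand-alone use (hypothetical baseline path): sh audit.sh CONFIG BASELINE
if [ "$#" -eq 2 ]; then check_drift "$1" "$2"; fi
```

Run on a schedule, a `DRIFT:hidden->exposed` line is the signal that something switched the protection off without you doing so.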

Beware of using cracked cPanel licenses and other shared licenses. They may already own your server.

So what is the permanent solution?

The permanent solution is for cPanel not to store login passwords anywhere, in any format, from which they can be retrieved later. As this problem has existed for a long time, we don’t think cPanel is going to fix this issue.

You are still paying a massive amount of money for your license and this is what you get at the end of the day. So until WHM/cPanel completely removes these options, there is no other way to prevent this information disclosure.

So the solution is to move to another, secure hosting control panel at this time.

Another solution is to remove all third-party plugins from your WHM or cPanel server and to disable the cPanel analytic reporting feature, so that no external app can have access to your root passwords.