
Clearly display if the cPanel login was rejected due to invalid user/pass or account suspension

Santiago Gonzalez shared this idea 7 years ago
Not Planned

Hi! Some of our clients access cPanel through the server's IP or hostname. When their accounts are suspended, they enter their cPanel user/pass and are given an "invalid login" error... Most of them, after that error, send a ticket to reset their password. It would be easier if they were notified that the login worked but the account is suspended.

Replies (4)

1

We intentionally limit information returned during login events to prevent information leakage. It's a tradeoff between usability and security. "Invalid login" provides little information. "Account suspended" informs an attacker that he has a legitimate username and password.
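The point made in this reply, in working code: a login handler that returns one generic message for every failure while keeping the real reason server-side. This is an added example, not cPanel's code; the user store, password hashing scheme and audit log are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

GENERIC_ERROR = "Invalid login"
AUDIT_LOG = []  # constructed server-side log; the client never sees it


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hash a real system uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, suspended: bool = False) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "suspended": suspended}


# Constructed sample accounts: one active, one suspended.
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2", suspended=True),
}

# Dummy record so an unknown username still costs one hash computation,
# so "no such user" and "wrong password" take similar time to answer.
_DUMMY = make_user(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> str:
    """The behaviour the feature request asks for: a distinct message per failure.
    An outsider can tell unknown users, wrong passwords and suspended accounts apart."""
    user = USERS.get(username)
    if user is None:
        return "Unknown user"
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return "Wrong password"
    if user["suspended"]:
        return "Account suspended"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One message for every failure; the precise reason goes only to the audit log,
    where support staff can read it when the user opens a ticket."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    password_ok = hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))
    if user is None:
        reason = "unknown_user"
    elif not password_ok:
        reason = "bad_password"
    elif user["suspended"]:
        reason = "suspended"
    else:
        AUDIT_LOG.append((username, "success"))
        return "OK"
    AUDIT_LOG.append((username, reason))
    return GENERIC_ERROR
```

With `login_uniform`, the three failure cases are indistinguishable to the caller, which is what prevents username enumeration; the audit entry tagged `suspended` still lets support answer the reset ticket quickly, and an out-of-band notice to the account's registered contact address (not shown here) could cover the usability need without telling the current session anything.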

1

If the attacker has the login info, it's indifferent which message he receives. If he/she is trying to guess the password, cPanel has cPHulk to prevent password guessing (brute force)...

1

The goal here is to not provide an attacker with any information that could assist him in his penetration of the system. For more information on this topic I suggest reading:

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29

1

Yes, we don't want to provide any information to the attacker, so we shouldn't allow logging in to cPanel when a valid username/password pair is used, regardless of whether the account is suspended or not....
