
Clearly display if the cPanel login was rejected due to invalid user/pass or account suspension

Santiago Gonzalez shared this idea 10 years ago
Needs Review

Hi! Some of our clients access cPanel through the server's IP or hostname. When their accounts are suspended, they enter their cPanel user/pass and are given an "invalid login" error... Most of them, after that error, send a ticket to reset their password. It would be easier if they were notified that the login worked but the account is suspended.

Replies (4)


We intentionally limit information returned during login events to prevent information leakage. It's a tradeoff between usability and security. "Invalid login" provides little information. "Account suspended" informs an attacker that he has a legitimate username and password.
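The distinction this reply draws, as an added example that is not cPanel's code: the server records the real reason (bad password, unknown user, suspended account) in its own audit log, while the response shown to the client is the same generic "Invalid login" for every failure. The user store, salt and passwords below are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; parameters chosen only for this constructed example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store (hypothetical, not cPanel's real data).
_SALT = b"constructed-salt"
USERS = {
    "alice": {"status": "active", "hash": _hash("correct horse", _SALT)},
    "bob": {"status": "suspended", "hash": _hash("battery staple", _SALT)},
}
# Hashed even when the username is unknown, so request cost does not
# reveal whether the account exists.
_DUMMY_HASH = _hash("dummy", _SALT)

GENERIC_MESSAGE = "Invalid login"


@dataclass(frozen=True)
class LoginResult:
    allowed: bool
    public_message: str  # shown to the client, identical for every failure
    audit_reason: str    # written to the server-side log only


def authenticate(username: str, password: str) -> LoginResult:
    user = USERS.get(username)
    expected = user["hash"] if user else _DUMMY_HASH
    # Constant-time comparison; always performed, even for unknown users.
    password_ok = hmac.compare_digest(_hash(password, _SALT), expected)
    if user is None:
        return LoginResult(False, GENERIC_MESSAGE, "unknown_user")
    if not password_ok:
        return LoginResult(False, GENERIC_MESSAGE, "bad_password")
    if user["status"] == "suspended":
        # Credentials were valid, but the public response must not say so.
        return LoginResult(False, GENERIC_MESSAGE, "account_suspended")
    return LoginResult(True, "Login successful", "ok")


def audit_line(username: str, result: LoginResult) -> str:
    # The support desk reads this line, not the client-facing message, to
    # tell a suspended account from a forgotten password.
    return f"login user={username} allowed={result.allowed} reason={result.audit_reason}"
```

The original post's usability problem is then solved on the server side: support staff see `reason=account_suspended` in the log and can answer the ticket without the login page ever confirming the credentials to whoever typed them.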


If the attacker has the login info, it's indifferent which message he receives. If he/she is trying to guess the password, cPanel has cPHulk to prevent password guessing (brute force)...


The goal here is to not provide an attacker with any information that could assist him in his penetration of the system. For more information on this topic I suggest reading:

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29


Yes, we don't want to provide any information to the attacker, so we shouldn't allow logging in to cPanel when it's using a valid username/password pair, regardless of whether it's suspended or not....
