[CaLViN]

Cpanel recently announced a new vulnerability for their servers for the password reset option.
We'll show you how to turn off the password reset option for failed logins to Cpanel through Web Host Manager.

Description

The feature "Allow cPanel users to reset their password via email",
found in WebHostManager in the "Tweak Settings" section allows for a
cpanel user to run some commands as the root user.

It's strongly suggested that all Cpanel users disable this feature.

Affected Systems

All builds of Cpanel on all platforms are vulnerable up to and including (9.1.0
build 34), all builds after that have been fixed.

Step 1) Fixing The Problem - Disable It

1. Login into you WHM control panel as root.

2. Click on Tweak Settings in the upper left hand corner.


3. Scroll down until you see "Allow cPanel users to reset their password via email"

4. Uncheck the check box and click Save.






Step 2) Fixing The Problem - Update Cpanel

You can also update your Cpanel server to the latest release, which now fixes this issue.

1. Login into you WHM control panel as root.

2. Click on Upgrade to Latest Version on the bottom right hand corner.

Your server is now protected from this exploit!


Thanks to S. Leggett