
not show server password in admin cp


ppc


I noticed that if you go to configuration > manage servers > edit > then if you scroll down to Server Details, the password for the server is filled in (and then you can view it by looking at the source code of that page).

 

Is there any way to make WHMCS not do that? In most PHP scripts etc., if there is such a password field it is kept blank, and then there is some notice such as "if you want to change the password, input a new one in this field."

 

I think it would be safer that way.


I see both sides to this. I like the fact that when a Dedicated Server Client submits a ticket I can instantly get the PW to resolve the issue. However, at the same time I can see using a custom field within the tickets being submitted to have them input the PW if needed.

 

Either way is fine with me... security is my main thing, so, if I had to select... keep it as secure as possible.


> I see both sides to this. I like the fact that when a Dedicated Server Client submits a ticket I can instantly get the PW to resolve the issue. However, at the same time I can see using a custom field within the tickets being submitted to have them input the PW if needed.
>
> Either way is fine with me... security is my main thing, so, if I had to select... keep it as secure as possible.

 

We're talking about our servers, not clients' servers. =P


> I agree, definitely needs fixing ASAP.

It's not really urgent: the password is encrypted in the database, so if a hacker manages to gain access to your database you're OK. They would have to have access to the WHMCS admin area to view the password, and you have much bigger problems if they do that. Even if WHMCS didn't do this, the hacker could just click the "WHM" button to log in to WHM as root, and from WHM they could change the root password to whatever they want.

 

Your WHMCS admin area should be SSL encrypted as well, so sending it with the page shouldn't be a problem either. :)


> > I agree, definitely needs fixing ASAP.
>
> It's not really urgent: the password is encrypted in the database, so if a hacker manages to gain access to your database you're OK. They would have to have access to the WHMCS admin area to view the password, and you have much bigger problems if they do that. Even if WHMCS didn't do this, the hacker could just click the "WHM" button to log in to WHM as root, and from WHM they could change the root password to whatever they want.
>
> Your WHMCS admin area should be SSL encrypted as well, so sending it with the page shouldn't be a problem either. :)

 

That's if you're using WHM. If you're using Plesk, clicking "Plesk" does not log the user in as root (and that's better for me).

 

Yes, of course it should be SSL encrypted, but in the event that someone gained access to WHMCS I would prefer at least that the server password would not be viewable.


> Your WHMCS admin area should be SSL encrypted as well, so sending it with the page shouldn't be a problem either.

It was removed back in the first release of V2.5, but everyone complained asking for it to be put back.

 

I agree... Keep your installation secure, your connection to it secure, and the back-end data encrypted; then allow authorized users to see and manipulate the data when needed. The more information you take away from the support personnel, the harder it is for them to do their job effectively and efficiently.

 

I've had software before (not related to web hosting) that allowed me to see and manipulate every aspect of my customers' confidential data as needed. I stopped using it not because of this, but because the delivery method was insecure. I prefer having as much flexibility and control over my data as possible, but not if it compromises the security of my data (and ultimately my customers').

 

The one thing I miss about my previous billing software that WHMCS does not allow (for various reasons, which I can/will live with) was the ability to view/change my clients' credit card billing details, allowing me to manually process a charge for any customer if needed without requesting their card number again, or to find and correct a typo without having to tell them they'll have to re-enter the card info and try again. It also allowed a separate billing address and CVV to be stored, so I could effectively utilize AVS and CVV protection (which I later found out was not supposed to be allowed; a weird catch-22 from the CC companies: use CVV to prevent fraud, but you can't store it, so you can't use it).

 

Geez.. I must be in a rambling mood this morning.

 

Read the first paragraph, I think that's the only one relevant to this conversation - read the rest if you're bored :)

 

note to self... lay off the coffee


> I agree... Keep your installation secure, your connection to it secure, and the back-end data encrypted; then allow authorized users to see and manipulate the data when needed. The more information you take away from the support personnel, the harder it is for them to do their job effectively and efficiently.

 

 

That makes sense, but there is no need for the admin CP password to be filled in already.


1 month later...

WHMCS CEO

If they've managed to login to your WHMCS administration area, you've got big problems already. I think the benefits of allowing an admin to quickly and easily access a server outweigh the risk caused by someone being able to find your admin username + password. The WHMCS admin area automatically bans any admin users who enter an incorrect password three times so a hacker can't just keep trying different password combinations until they find the correct one to gain access. In the database, the password is obviously encrypted so the security risk is minimal in my opinion.

 

Matt


WHMCS CEO

OK, well, it will need two file edits: one to the server module file to remove the WHM login button from the overview screen, and one to the configservers.php file to remove the password showing when you edit its details. They aren't things you can edit, so just email me for a custom mod of those.

 

Matt

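The blank-field convention the opening post asks for, and the configservers.php change Matt describes (stop echoing the stored password into the edit form), as an added illustration that is not WHMCS code: the ServerRecord class, the form dict and the HTML strings are constructed stand-ins for a generic admin "edit server" page.

```python
import html
from dataclasses import dataclass


# Constructed stand-in for the stored server row. WHMCS keeps this value
# encrypted in its database; treat `password` as what the storage layer
# returns after decryption, i.e. the secret we must keep off the page.
@dataclass
class ServerRecord:
    hostname: str
    username: str
    password: str


def render_password_field_leaky(server: ServerRecord) -> str:
    """The pattern the thread complains about: the stored secret is written
    into the form's value attribute, so anyone who can view the page source
    (or proxy the response) reads it in clear, TLS or not."""
    return ('<input type="password" name="password" '
            f'value="{html.escape(server.password, quote=True)}">')


def render_password_field_safe() -> str:
    """Hardened form: the field is always empty, so the stored value never
    leaves the server. The note tells the admin how to keep the old value."""
    return ('<input type="password" name="password" value="" '
            'autocomplete="new-password">'
            '<small>Leave blank to keep the current password.</small>')


def apply_server_update(server: ServerRecord, form: dict) -> tuple:
    """Update handler matching the blank-field convention: a missing or empty
    password field means "unchanged"; anything else replaces the secret.
    Returns (updated record, rotated flag) so the caller can audit-log
    password rotations separately from ordinary edits."""
    new_password = form.get("password", "")
    rotated = new_password != ""
    updated = ServerRecord(
        hostname=form.get("hostname", server.hostname),
        username=form.get("username", server.username),
        password=new_password if rotated else server.password,
    )
    return updated, rotated


def secret_in_markup(markup: str, secret: str) -> bool:
    """Defender's check for rendered admin pages: does the stored secret
    appear in the response, either raw or HTML-escaped?"""
    return secret in markup or html.escape(secret, quote=True) in markup
```

The same check can be run against a saved copy of the real edit page to confirm a mod like the one Matt offers actually removed the value.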
