Closed jordantrizz closed 6 months ago
You're wasting your time Jordan. I already solved this issue via this PR https://github.com/usmannasir/cyberpanel/pull/877 and it was rejected for being "too confusing" for users...
Here's a good example of a user getting hacked due to using the default password method during install.
Here is a lengthy discussion of it all - the Cyberpanel team is WELL aware of this issue and that VPS servers routinely get hacked within a day when using the default password. I showed how to do it in like 10 seconds.
https://community.cyberpanel.net/t/infected-with-xmrig-virus/34166/12
This has been resolved.
Where's the commit?
@usmannasir I just tried to install Cyberpanel on a new server and the default password is still 1234567. How is this possible? I gave you ALL of the necessary code in #877...
Ugh, I see that you've simply defaulted to selecting random, rather than giving us a choice between random (default) and user specified.
Again, I gave you the code to implement this. Very frustrating.
Describe the bug: During the installation of Cyberpanel, if you choose the default login details and they're not changed, attackers who locate your server can utilize this login to gain root access and take over the server.
This is a huge issue for all vendors that institute this method: https://www.bleepingcomputer.com/news/security/cisa-urges-tech-manufacturers-to-stop-using-default-passwords/
To Reproduce: Install Cyberpanel on an internet-facing server and use the default password.
Expected behaviour: Set randomly generated passwords by default; never allow a default password to be used for any service.
Operating system: All
CyberPanel version: All
Additional context: https://www.cisa.gov/news-events/alerts/2013/06/24/risks-default-passwords-internet
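A sketch of the install-time behaviour this thread asks for: random by default, user-specified as an option, and no code path that can produce the fixed default. It is an added example, not code from PR #877 or from the CyberPanel installer; the function names, the deny-list and the 12-character minimum are assumptions.

```python
import secrets
import string

# Constructed deny-list: the default named in this thread plus obvious variants (assumption).
KNOWN_DEFAULTS = {"1234567", "12345678", "password", "admin", "cyberpanel"}
# Alphanumeric only, so the value survives shell quoting and config files unescaped.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12  # assumed policy value, not taken from the project


def generate_password(length=20):
    """Return a random password drawn from the OS CSPRNG (secrets, not random)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until all three character classes are present.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def validate_user_password(password):
    """Return the reasons a user-supplied password is rejected (empty list = accepted)."""
    problems = []
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


def choose_admin_password(choice="", supplied=None):
    """Installer step: empty input or 'r' -> random (default); 's' -> user specified.

    Returns (password, source). Bad input raises instead of falling back to a default.
    """
    choice = choice.strip().lower()
    if choice in ("", "r"):
        return generate_password(), "random"
    if choice == "s":
        problems = validate_user_password(supplied or "")
        if problems:
            raise ValueError("; ".join(problems))
        return supplied, "user"
    raise ValueError("choice must be 'r' (random) or 's' (set your own)")
```

An installer calling `choose_admin_password` would display the generated value once at the end of the run and re-prompt on `ValueError` rather than continuing.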