usmannasir / cyberpanel

Cyber Panel - The hosting control panel for OpenLiteSpeed
GNU General Public License v3.0

[SECURITY] Default Password During Installation #1175

Closed jordantrizz closed 6 months ago

jordantrizz commented 6 months ago

Describe the bug
During the installation of Cyberpanel, if you choose the default login details and they're not changed, attackers who locate your server can utilize this login to gain root access and take over the server.

This is a huge issue for all vendors that institute this method https://www.bleepingcomputer.com/news/security/cisa-urges-tech-manufacturers-to-stop-using-default-passwords/

To Reproduce
Install Cyberpanel on an internet-facing server and use the default password.

Expected behaviour
Set randomly generated passwords by default; never allow a default password to be used for any service.

Operating system: All

CyberPanel version: All

Additional context
https://www.cisa.gov/news-events/alerts/2013/06/24/risks-default-passwords-internet

nickchomey commented 6 months ago

You're wasting your time Jordan. I already solved this issue via this PR https://github.com/usmannasir/cyberpanel/pull/877 and it was rejected for being "too confusing" for users...

jordantrizz commented 6 months ago

Here's a good example of a user getting hacked due to using the default password method during install.


nickchomey commented 6 months ago

Here is a lengthy discussion of it all - the Cyberpanel team is WELL aware of this issue and that VPS servers routinely get hacked within a day when using the default password. I showed how to do it in like 10 seconds.

https://community.cyberpanel.net/t/infected-with-xmrig-virus/34166/12

usmannasir commented 6 months ago

This has been resolved.

jordantrizz commented 6 months ago

Where's the commit?

nickchomey commented 5 months ago

@usmannasir I just tried to install Cyberpanel on a new server and the default password is still 1234567. How is this possible? I gave you ALL of the necessary code in #877...


nickchomey commented 5 months ago

Ugh, I see that you've simply defaulted to selecting random, rather than giving us a choice between random (default) and user specified.

Again, I gave you the code to implement this. Very frustrating.
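As an added example, not code from the CyberPanel project or from either participant in this thread: the installer policy the reporter asks for under "Expected behaviour" (random by default, never a vendor default), combined with the random-or-user-specified choice described in the last comment. The only value taken from the page is the 1234567 default quoted above; the other deny-list entries, the module name, the minimum length and the --password flag are assumptions made for this example.

```python
import secrets
import string
import sys
from typing import Optional, Tuple

# Constructed deny-list for this example. "1234567" is the installer default
# quoted in the issue; the other entries are placeholders a real installer
# would maintain as its own list of known vendor defaults.
KNOWN_DEFAULTS = frozenset({"1234567", "admin", "password", "changeme"})

MIN_LENGTH = 12  # assumed minimum for an operator-supplied password
ALPHABET = string.ascii_letters + string.digits + "!@#%^*-_=+"


def generate_password(length: int = 16) -> str:
    """Return a random password drawn from the OS CSPRNG via the secrets module."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be >= {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_forbidden_default(password: str) -> bool:
    """True when the candidate (whitespace trimmed) is a known vendor default."""
    return password.strip() in KNOWN_DEFAULTS


def validate_user_password(password: str) -> None:
    """Reject an operator-supplied password that is a known default or too short."""
    if is_forbidden_default(password):
        raise ValueError("refusing a known default password")
    if len(password) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")


def choose_admin_password(user_supplied: Optional[str] = None) -> Tuple[str, str]:
    """Installer policy: random unless the operator supplies one, never a default.

    Returns (password, source) where source is "random" or "user", so the
    installer can tell the operator which path was taken and log it.
    """
    if not user_supplied:
        return generate_password(), "random"
    validate_user_password(user_supplied)
    return user_supplied, "user"


if __name__ == "__main__":
    # Hypothetical CLI for this example: installer_password.py [--password VALUE]
    supplied = None
    if len(sys.argv) == 3 and sys.argv[1] == "--password":
        supplied = sys.argv[2]
    pw, source = choose_admin_password(supplied)
    print(f"admin password ({source}): {pw}")
```

Running the script with no arguments takes the random path; passing --password 1234567 makes the installer refuse to proceed instead of silently accepting the default, which is the behaviour the issue asks for.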