Closed tcaldon closed 3 years ago
root@ip-172-31-34-208:~# ls -la /etc/cyberpanel/mysqlPassword
-rw-r----- 1 root cyberpanel 14 Apr 6 07:25 /etc/cyberpanel/mysqlPassword
root@ip-172-31-34-208:~#
This file is owned by root and only readable by the cyberpanel group. Now the thing is, if someone has already taken over the server, what's the point of hiding passwords, as they are already in control of your server?
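The ownership and mode shown in the listing above (root owner, cyberpanel group, 0640) can be checked mechanically across the whole directory. This is an added example, not part of the thread and not CyberPanel code; it assumes every file under /etc/cyberpanel should follow the same policy as mysqlPassword, and the function names are hypothetical.

```python
import os
import stat
import sys

def audit_secret_file(path, owner_uid=0, group_gid=None):
    """Return a list of findings for one credentials file (empty means OK)."""
    st = os.lstat(path)  # lstat: do not follow a symlink placed in the directory
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if mode & 0o007:
        findings.append(f"mode {mode:04o} grants access to other users")
    if mode & 0o020:
        findings.append(f"mode {mode:04o} is group-writable")
    if mode & 0o040 and group_gid is not None and st.st_gid != group_gid:
        findings.append(f"group-readable by gid {st.st_gid}, expected {group_gid}")
    return findings

def audit_tree(root, owner_uid=0, group_gid=None):
    """Map each non-compliant file under root to its list of findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = audit_secret_file(path, owner_uid, group_gid)
            if findings:
                report[path] = findings
    return report

if __name__ == "__main__":
    import grp
    # Assumption: the policy from the listing (root:cyberpanel) applies to the whole tree.
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc/cyberpanel"
    try:
        gid = grp.getgrnam("cyberpanel").gr_gid
    except KeyError:
        gid = None  # group not present on this host; skip the group check
    report = audit_tree(root, owner_uid=0, group_gid=gid)
    for path, findings in sorted(report.items()):
        for finding in findings:
            print(f"{path}: {finding}")
    sys.exit(1 if report else 0)
```

Run as root so every file can be inspected; a non-zero exit status means at least one file deviates from the policy.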
@usmannasir Just guessing, but other users might reuse passwords. If someone gains access to that plain-text file of passwords, the breach spreads from being contained to cyberpanel to all of your users' other platforms where they use the same password. Is there any reason you wouldn't hash/encrypt it? This seems like a pretty big security flaw.
@jordanlambrecht can you use a hashed password in the wp-config.php file?
Or the password is also present in plain text in the Django settings.py file.
There is no security flaw here, just protect your systems and secure your applications.
Hi, I've just installed CyberPanel on a new host to test it out for switching from ISPConfig, and for testing purposes I tried to check the /etc folder on Ubuntu 20.04 LTS. Under the /cyberpanel folder I see that all of the passwords are written in plain text.
So if someone breaks into the server, they can check all the passwords without any problems.
Is there a way to implement some kind of encryption for the text passwords?
Edit: version 2.0.4 of CyberPanel, which was downloaded automatically with the sh command found on the CyberPanel website.