cPanel’s biggest bug, login with root password

I don’t know whether it is a bug or a feature. However, as this is unexpected, undoubtedly it is bug.

The problem is that, when you try to login to cpanel’s domain owner interface (2082, 2083), if you provide a password that matches root password, it will give you root access even though you did not used root as username.

For example, you have a domain hosted using cpanel, also suppose the username and password is mydomain and xXx123XX respectively. If for some, the root password of this server is same as your password, you will get the root access unwillingly though you were trying to simply login to your control panel.

Yes, anyone can get root access using the combination of root and xXx123XX when desires so. But won’t you surprise when you get such privileges even without knowing? You don’t know that server’s root password and but mere matching of password will give you unlimited access to server.

I hope they will fix it soon.

  • hey man,
    I am very much afraid.
    Looking for the way to avoid this.

  • I have used cPanel. But I have never entered this position. But one time I must have to face this.

    So that thanks for this information. It will help me later. 🙂

  • This feature was introduced since resellers and server administrators wanted an easy way to manage their cPanel users’ accounts without knowing their users’ passwords.

    Logging in with the cPanel user’s username and your reseller (or root) password only gives you access to cPanel accounts, it does not give you any access to SSH or WHM.

    In version 11.25, we introduced the ability to disable this for the root user specifically. To disable this, go to Tweak Settings in WHM and check the checkbox for “Only allow reseller to log in to users’ cPanel interface with reseller password” and click “Save” at the bottom of the page to apply this setting.

    If you do not want this functionality at all, simply go to Tweak Settings and WHM and check the checkbox for the following setting: “Disable login with root or reseller password into the users’ cPanel interface. Also disable switch account dropdown in themes with switch account feature.” Be sure to click “Save” at the bottom of that page to apply this setting.

    However you choose to configure your cPanel/WHM server, it is always recommended to use a root password that is difficult for anyone to guess.

  • C Adams

    I couldn’t understand for the life of me why I couldn’t log into my reseller account – would have never thought having identical passwords was the problem. Then again, I probably shouldn’t have identical passwords for a reseller and root anyway. 😉

    @Grega: Thanks for the tip, that’s good to know it’s something that can be disabled.

  • Penny

    I can’t login “phpMyAdmin” function. it says ” this feature is not available while logged in with root override”
    I didn’t log in my root account…

    please help

  • Hiya!

    Are you the Server Administrator, Reseller, or are you just a cPanel user?