
Thread: Bluehost cPanel Login Insecure!

  1. #1
    Join Date
    Dec 2008
    Posts
    3

    Default Bluehost cPanel Login Insecure!

    So I was mucking about in the cPanel the other day and entered the "Edit Contact Details" area. After messing around with my settings, I hit the Bluehost logo up in the top-left, which brought me back to the home page.

    When I re-entered my username and password, I saw something that caught my attention...



    http://img168.imageshack.us/img168/1835/wtful2.png

    What the hell is this garbage, Bluehost? I'm not sure if any of you guys actually coded the login aspect of the website, but this is garbage. You should be ashamed that you're passing login information in the clear like that.

    Everyone, be advised.

    (I've edited the screenshot to obviously not show my password and domain, but I can reproduce this crap over and over again if need be)

  2. #2
    Early Out is offline Former Moderator, Still Respected
    Join Date
    Mar 2006
    Location
    Sector R
    Posts
    4,650

    Default

    Who is "you guys?" This is a user-to-user forum, not a BH support site. BH employees occasionally wander in, but rarely.

    You'll also find that if you access cPanel by any of the following methods, it's secure:

    Go to http://www.bluehost.com instead of http://bluehost.com
    Go to http://yourdomain.com/securecontrolpanel (use your own domain)
    Go to https://box61.bluehost.com:2083/fron...ost/index.html (use your own box#)
    Last edited by Early Out; 12-30-2008 at 08:22 AM.

  3. #3
    Join Date
    Dec 2008
    Posts
    3

    Default

    Ok, then consider this a message to alert the masses, my mistake.

    Regardless, it's an issue that should be addressed.

  4. #4
    Early Out is offline Former Moderator, Still Respected
    Join Date
    Mar 2006
    Location
    Sector R
    Posts
    4,650

    Default

    See my edited reply - it has been addressed. There's still one insecure path, but that's the result of some redirection to allow for both "www" and no "www" addresses, and you're not required to use it.

  5. #5
    Join Date
    Dec 2008
    Posts
    3

    Default

    Understand that I'm not attacking anyone on this forum personally, it's just sloppy coding, though.

    Thank you though for showing me the alternative links, though.

  6. #6
    Join Date
    Dec 2008
    Posts
    4

    Default

    I was surprised to see that BH doesn't use SSL/TLS to secure the login to cPanel. Not that I plan on doing anything about it, and I know no one here is in a position to fix it. I just thought it odd that they leave full account access of a paid customer open like that.

  7. #7
    Early Out is offline Former Moderator, Still Respected
    Join Date
    Mar 2006
    Location
    Sector R
    Posts
    4,650

    Default

    As pointed out, there is a fully secure way to access the Control Panel (the http://yourdomain.com/securecontrolpanel path). This is something that people spend a lot of time fretting about, but which has not proven to be a genuine problem. Accounts that get hacked don't get hacked because of the lack of SSL on the cPanel login. They get hacked because of the massive security holes in the scripts that people run on their sites.

  8. #8

    Default securecontrolpanel

    As pointed out, there is a fully secure way to access the Control Panel (the http://yourdomain.com/securecontrolpanel path).
    Cool! I didn't know that. That's what I'm looking for (just joined the forum today) - so thanks.

    BTW Did you read the stuff on slashdot

    http://it.slashdot.org/article.pl?sid=08/12/23/0046258

    regarding Comodo (I believe this is the BlueHost SSL certificate authority)?

  9. #9
    Early Out is offline Former Moderator, Still Respected
    Join Date
    Mar 2006
    Location
    Sector R
    Posts
    4,650

    Default

    This one is actually in the BH knowledgebase: http://helpdesk.bluehost.com/kb/inde...od_id=2&id=185

    That's not always true - there are a lot of things that aren't well-advertised, and can be tough to hunt down!

  10. #10

    Default Self-certified

    Just tried that in

    Chrome
    IE7
    Firefox 3.0.4

    All responded with an 'Invalid Security Exception'

    Seems BlueHost is itself not Comodo-certified but is running self-certified so it is its own trusted root. Still makes me happier -- as based on my previous post I was concerned about Comodo!

    Neil
