WHMCS "Login To Control Panel" function is bypassing Virtualmin 2 Factor Authentication!

2 posts / 0 new
Last post
#1 Sat, 05/25/2019 - 17:28
adamjedgar

WHMCS "Login To Control Panel" function is bypassing Virtualmin 2 Factor Authentication!

If i go into WHMCS>Setup>Servers>Virtualmin Server and click on "Login to Control Panel", whmcs is completely bypassing Virtualmins 2 factor Authentication!

This should not be happening...I have not setup the API key, so WHMCS is only using the root user name and password to login. It should hit the 2 factor authentication wall and stop until that key is entered!

I appreciate that whmcs is using the Virtualmin REMOTE CGI, however, surely 2 factor authentication procedures should still be in effect? What if someone hacks whmcs? They now have the ability to gain full access to my webserver as well by simply clicking on that link inside whmcs?

Anyone else experiencing this issue?

Tue, 05/28/2019 - 18:37
adamjedgar

I have an update to this...it seems that it happens when one changes to a custom port for webmin instead of port 10000.

I have a server that i have set to listen on both ports as a test.

If i attempt to log in using port 10000, i am forced to enter 2 factor authentication code If i login to same system using the custom port...i can just add username and password and leave the two factor authentication field empty and it logs straight in (i tried this on different web browsers so that one cannot affect the other btw) Anyone else experiencing this issue?

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au