| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: appelast at drumnbass.art.pl (Karol Więsek) Subject: cPanel hardlink chown issue -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Name: cPanel Vendor URL: http://www.cpanel.net Author: Karol Wi?sek <appelast@...mnbass.art.pl> Date: July 31, 2004 Issue: cPanel allows logged in users to change ownership of any file to their uid:gid. Description: cPanel is a next generation web hosting control panel system. cPanel is extremely feature rich as well as include an easy to use web based interface (GUI). cPanel is designed for the end users of your system and allows them to control everything from adding / removing email accounts to administering MySQL databases. Details: cPanel allows users to turn on/off front fage extensions. It is done with effective uid of system administrator ( root ). During this process is created special .htaccess file, and then it is chown() to target user. Attacker could link .htaccess to any file in the same partition, thus it will be chown()ed. Exploit: To exploit this vulnerability just link file you want to grab to .htaccess in users public_html, and execute installation of frontpage extensions. Tested on cPanel 9.4.1-RELEASE-64, and confirmed vulnerable. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBc5IGFTSet8AbQUQRAnZFAJsHuMk3cizlBSURzg0kJsKY2lhKkwCfXkfx E6JxPLbrhmGt1DH9FqtS+0U= =EbBw -----END PGP SIGNATURE-----
Powered by blists - more mailing lists