| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 23 Mar 2004 17:39:07 -0000 From: Fable <fable@...h.com> To: bugtraq@...urityfocus.com Subject: More Cpanel Vuls (cross site scripting) ################################################## ##Advisory Name: More Cpanel Vuls (cross site scripting) #Discovered by: Fable #Greets: 0x29A Crew, !AM Crew, Atomix, d3thstar, mgrd, rootthief.com. #Version Tested On: cPanel Build 9.1.0-STABLE 93 ##Most likely effects more ################################################## ############ #Description ############ cPanel & WebHost Manager (WHM) is a next generation web hosting control panel system. Both cPanel & WHM are extremely feature rich as well as include an easy to use web based interface. ############## #Vulnerability ############## After some looking into, I found out that cPanel uses little or no html filters in their product. It's very simple to inject html in multiple areas in cpanel. I'll list the ones I've found so far. http://site.com:2082/frontend/x/mail/dodelautores.html?email=<script>alert(document.cookie)</script> http://site.com:2082/frontend/x/mime/addhandle.html?ext=phpz&handle=<script>alert(document.cookie</script> Note: Those should appear as < script > and < /script > with out the spaces of course.
Powered by blists - more mailing lists