From: ORY.SEGAL at SANCTUMINC.COM (Ory Segal)
Subject: cPanel Malicious HTML Tags Injection Vulnerability

///////////////////////////////////////////////////////////////////////////////
//==========================>> Security Advisory <<==========================//
///////////////////////////////////////////////////////////////////////////////

-------------------------------------------------------------------------------
-----[ cPanel Malicious HTML Tags Injection Vulnerability
-------------------------------------------------------------------------------

--[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
--[ Discovery Date: 06/17/2003 (Vendor was notified)
--[ Release Date: 07/06/2003 
--[ Product: Tested on cPanel 6.4.2-STABLE
--[ Severity: Medium
--[ CVE: Not assigned yet

--[ Summary

From the vendor's web site:
"...The Cpanel interface is a client side interface, which allows your
customers to easily control a web hosting account. With the touch of a
button, they can add e-mail accounts, access their files, backup their
files, setup a shopping cart, and more..."

Web users can embed malicious HTML tags in HTTP requests, which will later
be parsed by the web site administrator's browser in several cPanel screens.
This may lead to theft of cookies associated with the domain, or execution
of client-side scripts in the administrator's browser.
 
--[ Description

The 'Error Log' and 'Latest Visitors' screens in cPanel provide the web site
administrator with HTTP request logs. These scripts do not sanitize the URL
part of HTTP requests and present them to the administrator as is, thus
allowing an attacker to embed malicious HTML tags that will later be parsed
and executed by the administrator's browser.

For example, let's take a look at the 'Error Log' screen:

[From errlog.html]
...
<b>Last 300 Error Log Messages in reverse order:</b><hr>
<pre>
[Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist: 
/home/dir/public_html/foobar.html
</pre>
...

The following request will present a pop-up screen with the cookies 
that are currently associated with the domain:

  GET /<script>alert(document.cookie);</script> HTTP/1.0
  Host: www.site.com


--[ Note

The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented
the latest requests as HTML links, thus the malicious payload must terminate
the <a> tag before opening a new one. For example:

  GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
  Host: www.site.com

--[ Solution

According to the vendor, the problem was fixed in version 7.0, which can be 
downloaded at: http://www.cpanel.net/downloads.htm




          Ory Segal
  Senior Security Engineer
        Sanctum, Inc.
 http://www.SanctumInc.Com/

Ampa Bldg.,  1 Sapir Street.
Mail:     P.O.Box      12047
Herzliya    46733,    ISRAEL

Tel: +972-9-9586077 Ext. 236
Fax: +972-9-9576337
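
An added example, not part of the original advisory and not cPanel's code: a minimal log-viewer renderer showing the unsanitized output described above beside a context-aware encoded version, for both the `<pre>` text context ('Error Log') and the `<a href>` attribute context ('Latest Visitors'). All function names are hypothetical, and the inputs are the two request paths shown in the advisory.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed inputs: the two request paths shown in the advisory.
ERRLOG_PATH = "/<script>alert(document.cookie);</script>"
VISITORS_PATH = '/"></a><script>alert(document.cookie);</script>'


def error_line_unsafe(docroot, path):
    # Behaviour the advisory describes: the request path is echoed as is.
    return "<pre>\nFile does not exist: %s%s\n</pre>" % (docroot, path)


def error_line_safe(docroot, path):
    # Text context inside <pre>: escape &, <, > and quotes before output.
    return "<pre>\nFile does not exist: %s\n</pre>" % html.escape(docroot + path)


def visitor_link_unsafe(host, path):
    return '<a href="http://%s%s">%s</a>' % (host, path, path)


def visitor_link_safe(host, path):
    # Attribute context: percent-encode the path, then HTML-escape the URL.
    href = html.escape("http://" + host + quote(path, safe="/"), quote=True)
    # Text context: HTML-escape only, so the raw request stays readable.
    return '<a href="%s">%s</a>' % (href, html.escape(path))


def start_tags(fragment):
    """Return the start tags an HTML parser finds in the fragment."""
    found = []

    class Collector(HTMLParser):
        def handle_starttag(self, tag, attrs):
            found.append(tag)

    parser = Collector()
    parser.feed(fragment)
    parser.close()
    return found


if __name__ == "__main__":
    for out in (error_line_safe("/home/dir/public_html", ERRLOG_PATH),
                visitor_link_safe("www.site.com", VISITORS_PATH)):
        print(out, start_tags(out))
```

`start_tags` doubles as a regression check: the encoded output must parse to exactly the tags the template itself emits.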
