Message-ID: <417391F7.3040505@drumnbass.art.pl>
From: appelast at drumnbass.art.pl (Karol Więsek)
Subject: cPanel hardlink backup issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Name: 			cPanel
Vendor URL: 		http://www.cpanel.net
Author: 		Karol Więsek <appelast@...mnbass.art.pl>
Date: 			July 19, 2004

Issue:
The cPanel backup feature allows logged-in users to read any file,
including files they do not have permission to read.

Description:
cPanel is a next-generation web hosting control panel system. cPanel is
extremely feature-rich and includes an easy-to-use web-based
interface (GUI). cPanel is designed for the end users of your system and
allows them to control everything from adding / removing email accounts
to administering MySQL databases.

Details:
The cPanel backup system allows an attacker to insert files that he does
not have permission to access into an archive and then download them.
The system backup follows hard links (thus it is only possible on the
same partition) and copies them into a tar.gz archive. An attacker could
use PHP, CGI, crontab or shell access to link a file in his public_html
to, for example, /etc/shadow, and then execute a backup (Backup ->
Generate/Download a Full Backup).

Exploit:
To exploit this vulnerability, just link the file you want to grab to
some file in $HOME and execute a backup.

Tested on cPanel 9.4.1-RELEASE-64, and confirmed vulnerable.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBc5H3FTSet8AbQUQRAmjVAJ98lmc1n3EyPNJcgIWWA/vOxw5iTACgn49P
hu1+YqXtBgq6GUgakenO/RE=
=0j8K
-----END PGP SIGNATURE-----
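
A pre-backup check for the condition described above, as an added example that is not part of the original advisory and not cPanel code: before a privileged process archives a user's home directory, it walks the tree and flags regular files whose inode belongs to another user (the leak case) or has more than one link. The function names and the constructed sample tree are assumptions made for illustration; a POSIX system is assumed.

```python
import os
import stat
import tempfile


def audit_backup_tree(home, owner_uid):
    """Return sorted (relative_path, reason) pairs a privileged backup should skip."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(home, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file disappeared while scanning
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, FIFOs, devices are out of scope here
            rel = os.path.relpath(path, home)
            if st.st_uid != owner_uid:
                # A hard link keeps the target inode's owner, so a link to a
                # root-owned file shows up as a foreign-owned file in $HOME.
                findings.append((rel, "foreign-owner"))
            elif st.st_nlink > 1:
                # Owned by the user but reachable under several names: review.
                findings.append((rel, "multiple-links"))
    return sorted(findings)


def demo(owner_uid=None):
    """Build a constructed sample home directory and audit it."""
    if owner_uid is None:
        owner_uid = os.geteuid()
    with tempfile.TemporaryDirectory() as home:
        web = os.path.join(home, "public_html")
        os.mkdir(web)
        for rel in ("notes.txt", os.path.join("public_html", "data.txt")):
            with open(os.path.join(home, rel), "w") as fh:
                fh.write("constructed sample data\n")
        # Second name for the same inode, standing in for an injected link.
        os.link(os.path.join(web, "data.txt"), os.path.join(web, "copy.txt"))
        return audit_backup_tree(home, owner_uid)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:15} {rel}")
```

On Linux, the `fs.protected_hardlinks` sysctl additionally stops unprivileged users from creating hard links to files they do not own and cannot read and write, which removes the precondition at the kernel level.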

