| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGKiU3kb3fKZL5OhoEOqCsnecm_A1oYnRtbZujvs=QVAuxhrjg@mail.gmail.com> Date: Wed, 19 Oct 2016 07:02:17 +1100 From: Finbar Crago <finbar.crago@...il.com> To: fulldisclosure@...lists.org Subject: [FD] cgiemail (included with cPanel) local file inclusion vulnerability cgiecho a script included with cgiemail will return any file under a websites document root if the file contains square brackets and the text within the brackets is guessable. e.g: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass'] will display http://hostname/login.php if it contains $_POST['pass'] This behaviour is listed as a 'small risk' in the original documentation (and back in 1998 it probably was). The issue is that cgiemail is still shipped with cPanel (enabled by default) and while they acknowledge the risks in the hosting administration panel i am unable to find any reference to this on the hosting client side. Considering how wide spread cPanel usage is and how easy this is to exploit i feel it should have a little more exposure... http://web.mit.edu/wwwdev/cgiemail/webmaster.html#security http://documentation.cpanel.net/display/1144Docs/Tweak+Settings+-+Security#TweakSettings-Security-CGIEmailandCGIEcho _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists