Bugtraq mailing list archives
Cpanel Request Lets Authenticated Users Conduct Cross-Site Scripting Attacks
From: Fable <fable () hush com>
Date: 12 Mar 2004 04:47:30 -0000
####################################################
#Advisory Name: Cpanel Request Lets Authenticated Users Conduct Cross-Site Scripting Attacks
#Discovered by: Fable
#Greets: 0x29A Crew, !AM Crew, Atomix, d3thstar, mgrd, rootthief.com.
#Versions: ??
####################################################

###Description###
cPanel & WebHost Manager (WHM) is a next generation web hosting control panel system. Both cPanel & WHM are extremely feature rich as well as include an easy to use web based interface.

###Vulnerability Description###
Authenticated users are able to run cross-site scripting attacks. I noticed this vulnerability when trying to password protect a directory. Here is an example of how you could run script on the cpanel server

http://targetserver.com:2082/frontend/x/htaccess/dohtaccess.html?dir=><script>alert(0x29A Crew)</script>

You are able to run all sorts of HTML on the target server, iframes, etc.

-Fable [fable () hush com]
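
A defender-side check for the request pattern described in the advisory, added here as an example that is not part of the original post or of cPanel's code: it scans access-log lines for a dir parameter on dohtaccess.html that carries markup characters once percent-encoding is undone. The log format, sample lines and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter come from the advisory; all other names are assumptions.
PATH_SUFFIX = "/htaccess/dohtaccess.html"
PARAM = "dir"
# Characters that let a value break out of an HTML attribute or tag.
MARKUP = re.compile(r"[<>\"'`]")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (combined-log style, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - alice [12/Mar/2004:04:39:12 +0000] "GET /frontend/x/htaccess/dohtaccess.html?dir=%2Fhome%2Falice%2Fpublic_html%2Fprivate HTTP/1.1" 200 2104',
    '203.0.113.7 - alice [12/Mar/2004:04:40:01 +0000] "GET /frontend/x/htaccess/dohtaccess.html?dir=%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210',
    '203.0.113.7 - alice [12/Mar/2004:04:41:30 +0000] "GET /frontend/x/htaccess/dohtaccess.html?dir=%253E%253Ciframe%2520src%253Dx%253E HTTP/1.1" 200 2198',
    '192.0.2.10 - alice [12/Mar/2004:04:42:00 +0000] "GET /frontend/x/files/index.html?dir=%3Cb%3E HTTP/1.1" 200 900',
]

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %253C is treated like '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_dir(url):
    """Return the decoded dir value if it carries markup, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith(PATH_SUFFIX):
        return None  # only the page named in the advisory is in scope
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if MARKUP.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for each flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        value = suspicious_dir(m.group(1)) if m else None
        if value is not None:
            hits.append((n, value))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit only shows that markup was sent in dir; the underlying fix is for the page to HTML-encode the value wherever it is reflected.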