Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via script injection.

["Zackarin Smitz" <zackerius12 () linuxmail org>]

Subject:
Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via 
script injection.


Severity:
High; Full access to all client functions can be obtained with little effort, putting entire installations of the 
software and its users at risk.


Preamble:
(Taken from http://www.lpanel.net/)
Lpanel is a Complete Web Hosting Billing & Automation Suite that installs over cPanel, WHM.

Created from the ground up from cPanel by web hosting administrators, Lpanel has everything a cPanel hosting business 
needs and will ever need. Constantly expanding to meet the quickly developing web hosting market, Lpanel is the only 
complete management solution available today for cPanel web hosts. From multi-staff tiers, automated signups, reseller 
management, network utilities, automated SSL, as well as a full array of “Added Services” and detailed efficiency 
reports - Lpanel is always steps ahead of the rest.


Problem:
Lpanel.NET's Lpanel is vulnerable to plain-text credential leakage due to a bug in the use of a GET variable within the 
system. Using this bug maliciously, an attacker could gain unauthorized access to the plain-text session credentials of 
other users in the system. The attacker needs absolutely no access to the system to exploit this vulnerability. The 
targeted variable is the “pid” GET variable, often sent to view_ticket.php (i.e. 
http://yourdomain.com/lpanel/help/view_ticket.php?pid=50). An attacker can insert malicious URL encoded javascript into 
the GET variable, and cause view clients to forfeit their session information to javascript. An example malicious URL 
would be:

http://yourdomain.com/lpanel/help/view_ticket.php?pid=%22%3E%3C%2Ftd%3E%3Cscript+language%3Djavascript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

However the above URL does not actually instruct the client's browser to send out the session information, it merely 
proves the validity of the vulnerability. Thus an attacker could persuade an innocent system user to click the link, 
and with the appropriate javascript inserted into the URL, have session information forwarded to themselves, thus 
giving them access to that client's session. Once session information was acquired, the attacker would need simply to 
insert the user's session information as cookies into their own browser, and hit the installation of Lpanel, thus 
gaining full unauthorized access to the user's account, credentials, and functions.


Workaround:
This bug can be fixed by securing the “pid” variable before use. An alternative workaround would be to use another 
vendor, that secures user input. Perhaps this vulnerability would've been caught in the initial stages of development 
had the product been released open source, making case for one to seek out an open source solution, or at least a 
solution with a better proven track record. “Lpanel is always steps ahead of the rest.” -- Negative.


Vendor Contact:
Lpanel.NET's Lpanel
URL: http://www.lpanel.net/
Email: sales () lpanel net (I was unable to find a more relevant email contact)
Mailing Address:
  Lpanel.NET
  PO Box 940876
  Miami, Florida 33194-0056
  United States
Phone: 614-441-4838


Disclosure Timeline:
Vendor Notified: June 6, 2005
Public Release: June 6, 2005


About the Author:
The author is in between life paths at the moment, but is currently a software engineer at a company to remain unnamed. 
When not at his computer, the author enjoys doing a great many things, most of which he has lost all time for, or lacks 
people to do those things with in his current lifestyle. As such he finds more time for work, or just visits 
Blockbuster, and when all else fails, fabricates reports such as this.

The author is posting this message anonymously in order to avoid potential legal consequences, although he is having 
trouble seeing any potential consequences as feasible, considering the vendor does not release a plain-text version of 
their license (the license is actually encoded, and when viewed, renders a PHP parse error).


Greets:
I'd like to say hi to the team with which I work; you're all great. I'd also like to say hello to swoolley and 
tautology.

-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/