Full Disclosure mailing list archives
Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to reset the DNS information of any domain name managed by the system.
From: "Zackarin Smitz" <zackerius12 () linuxmail org>
Date: Mon, 06 Jun 2005 14:01:16 +0800
Subject: Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to reset the DNS information of any domain name managed by the system. Severity: High; An attacker could render any domain managed by the system useless by resetting it's DNS information. Preamble: (Taken from http://www.lpanel.net/) Lpanel is a Complete Web Hosting Billing & Automation Suite that installs over cPanel, WHM. Created from the ground up from cPanel by web hosting administrators, Lpanel has everything a cPanel hosting business needs and will ever need. Constantly expanding to meet the quickly developing web hosting market, Lpanel is the only complete management solution available today for cPanel web hosts. From multi-staff tiers, automated signups, reseller management, network utilities, automated SSL, as well as a full array of Added Services and detailed efficiency reports - Lpanel is always steps ahead of the rest. Problem: The file diagnose.php allows for an attacker to reset the DNS servers of any domain name managed by the system. The file displays a form to the user with a drop down list box named domain. One can place a target domain into the drop down list box, and a full URI in the action attribute of the form, and have the DNS settings of the target domain reset by submitting the form. Workaround: This bug can be fixed by checking that the domain POST variable is actually a domain owned by the user of the current session. Vendor Contact: Lpanel.NET's Lpanel URL: http://www.lpanel.net/ Email: sales () lpanel net (I was unable to find a more relevant email contact) Mailing Address: Lpanel.NET PO Box 940876 Miami, Florida 33194-0056 United States Phone: 614-441-4838 Disclosure Timeline: Vendor Notified: June 6, 2005 Public Release: June 6, 2005 About the Author: The author is in between life paths at the moment, but is currently a software engineer at a company to remain unnamed. When not at his computer, the author enjoys doing a great many things, most of which he has lost all time for, or lacks people to do those things with in his current lifestyle. As such he finds more time for work, or just visits Blockbuster, and when all else fails, fabricates reports such as this. The author is posting this message anonymously in order to avoid potential legal consequences, although he is having trouble seeing any potential consequences as feasible, considering the vendor does not release a plain-text version of their license (the license is actually encoded, and when viewed, renders a PHP parse error). Greets: I'd like to say hi to the team with which I work; you're all great. I'd also like to say hello to swoolley and tautology. -- _______________________________________________ Check out the latest SMS services @ http://www.linuxmail.org This allows you to send and receive SMS through your mailbox. Powered by Outblaze _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to reset the DNS information of any domain name managed by the system. Zackarin Smitz (Jun 05)