Major Cpanel Expliot HTML Injection
Major Bug found 6/7/04
Discovered by Verb0s
Reseller accounts with cpanel, in the password modification page, can insert a
basic injection
ex:http://(domain):2086/scripts/passwd?password=<>&domain=<>&user=<>
The code will modify all the mysql database passwords, in which the reseller
shouldnb't have permissions. From there, someone could take over someones site
that may be sql based, on the same server as them.
How to fix the problem:
After my immediate contact with cpanel. they updated and fixed all permission
problems : 6/8/04
Update your Cpanel ASAP