[FD] Multiple vulnerabilities in cPanel <= 60.0.34
===[ Introduction ]===
cPanel offers web hosting software that automates the intricate workings
of web hosting servers.
cPanel equips server administrators with the necessary tools to provide
top-notch hosting to customers on tens of thousands of servers worldwide.
===[ Description ]===
I) Cross Domain Scripting :
cookies and compromise the victim website.
POC : User "hacker" makes ".htmltemplates" directory in hacker's homepage
(/home/hacker/.htmltemplates/) and makes "exploit" file containing
But, the script is also accessible from other hosted domains (for example
Here, the hacker's code is running in another domain's area and
victim.com's cookies can be read.
A demonstrative video for this vulnerability can be found here :
II) Find existing system users :
Any unauthorized visitor can find valid system users.
POC : If the hacker calls "entropysearch.cgi" script with an invalid
username, the error message will be :
"Could not chdir into /.htmltemplates: No such file or directory"
But if the hacker calls "entropysearch.cgi" script with a valid username,
the error message will be :
"Could not chdir into /home/victim/.htmltemplates: No such file or directory"
The hacker can run a dictionary attack to find several valid usernames.
III) Find user's homepage :
If a hacker knows the username, then the user's homepage address can be found.
"Could not chdir into /home2/victim/.htmltemplates: No such file or
This can be useful for further attacks.
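The information leak in II) and III) comes from echoing the resolved path back to the visitor. The sketch below is an added example, not cPanel code and not part of the original advisory: it models the error behaviour quoted above next to a hardened handler that returns one uniform message and keeps the detail in the server log. The account table and the names HOMES, respond_leaky, respond_uniform and distinguishes_accounts are assumptions made for illustration.

```python
import logging
import os

log = logging.getLogger("search_cgi")

# Constructed account table standing in for the system account database.
HOMES = {"victim": "/home2/victim", "hacker": "/home/hacker"}


def template_dir(user):
    """Resolve <home>/.htmltemplates; an unknown user resolves to an empty home."""
    return HOMES.get(user, "") + "/.htmltemplates"


def respond_leaky(user, exists=os.path.isdir):
    """Behaviour described in the advisory: the resolved path is echoed back."""
    path = template_dir(user)
    if not exists(path):
        return f"Could not chdir into {path}: No such file or directory"
    return "OK"


def respond_uniform(user, exists=os.path.isdir):
    """Hardened form: one body for every failure, detail stays server-side."""
    path = template_dir(user)
    if user not in HOMES or not exists(path):
        log.warning("template lookup failed: user=%r path=%r", user, path)
        return "Search template not available"
    return "OK"


def distinguishes_accounts(respond, known_user, bogus_user):
    """Regression check: True if the error body differs between a real
    account and a nonexistent one when neither has a template directory."""
    def missing(_path):
        return False
    return respond(known_user, exists=missing) != respond(bogus_user, exists=missing)
```

Running distinguishes_accounts against each handler gives a regression test for the fix: it is True for the leaky handler and False for the uniform one.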
===[ Patching ]===
cPanel believes that these are not security vulnerabilities, so the issue
already exist in.
===[ Timeline ]===
[06/12/2016] - Vendor notified
[06/12/2016] - Vendor verified reception of the report
[09/12/2016] - Vendor responded that these are not security vulnerabilities
[10/12/2016] - POC video sent to vendor explaining the severity of cross
domain scripting vulnerability
[06/01/2017] - No response from vendor, so vendor was contacted again
[11/01/2017] - No response from vendor, public disclosure
===[ Credits ]===
Vulnerabilities have been discovered by Omid @ Open Security.
===[ References ]===
Open Security :
Original Advisory :
POC Video :
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/