Full Disclosure mailing list archives

cPanel hardlink chown issue
From: Karol Więsek <appelast () drumnbass art pl>
Date: Mon, 18 Oct 2004 11:51:02 +0200

Name:                   cPanel
Vendor URL:             http://www.cpanel.net
Author:                 Karol Więsek <appelast () drumnbass art pl>
Date:                   July 31, 2004

Issue:
cPanel allows logged in users to change ownership of any file to their
uid:gid.

Description:
cPanel is a next generation web hosting control panel system. cPanel is
extremely feature rich and includes an easy to use web based interface
(GUI). cPanel is designed for the end users of your system and allows
them to control everything from adding / removing email accounts to
administering MySQL databases.

Details:
cPanel allows users to turn FrontPage extensions on and off. This is done
with the effective uid of the system administrator (root). During this
process a special .htaccess file is created and then chown()ed to the
target user. An attacker could hard-link .htaccess to any file on the
same partition, which will then be chown()ed as well.

Exploit:
To exploit this vulnerability, just link the file you want to grab to
.htaccess in the user's public_html and run the installation of the
FrontPage extensions.

Tested on cPanel 9.4.1-RELEASE-64, and confirmed vulnerable.
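The fix for this class of bug is to stop chown()ing by path name. Below is an added example (not cPanel's code) of how a root-privileged process should hand a file to a user: open the name without following symlinks, fstat() the descriptor, refuse anything that is not a plain file with exactly one link, and only then fchown() through the descriptor. The `demo()` helper, the temporary directory under /tmp and the file names are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of hardened_chown(); anything negative means "refused". */
enum { HC_OK = 0, HC_OPEN_FAILED = -1, HC_NOT_REGULAR = -2,
       HC_HARDLINKED = -3, HC_CHOWN_FAILED = -4 };

/* Give `path` to uid:gid the way a root-privileged panel should: open the
 * name without following symlinks, inspect the inode actually obtained,
 * refuse it if it is not a plain file or carries more than one link (a
 * hard link to some other file, the trick in the advisory above), and
 * only then change ownership through the descriptor, so the name cannot
 * be swapped between the check and the chown. */
int hardened_chown(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return HC_OPEN_FAILED;      /* ELOOP here means a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd); return HC_NOT_REGULAR;
    }
    if (st.st_nlink != 1) {                 /* this inode has another name */
        close(fd); return HC_HARDLINKED;
    }
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc == 0 ? HC_OK : HC_CHOWN_FAILED;
}

/* Constructed scenario: a "victim" file in a temporary directory and, when
 * plant_link is set, a second name ".htaccess" hard-linked to it (the
 * attacker's setup). Returns hardened_chown()'s verdict on ".htaccess". */
int demo(int plant_link)
{
    char dir[] = "/tmp/hlchownXXXXXX", victim[64], target[64];
    if (mkdtemp(dir) == NULL) return HC_OPEN_FAILED;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(target, sizeof target, "%s/.htaccess", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return HC_OPEN_FAILED;
    close(fd);
    if (plant_link ? link(victim, target) : rename(victim, target))
        return HC_OPEN_FAILED;
    int verdict = hardened_chown(target, getuid(), getgid());
    unlink(target); unlink(victim); rmdir(dir);
    return verdict;                         /* plant_link ? HC_HARDLINKED : HC_OK */
}
```

On Linux 3.6 and later the fs.protected_hardlinks sysctl additionally stops unprivileged users from hard-linking files they do not own, which blocks this attack at the kernel level; the descriptor-based check still matters on older kernels and on other Unix systems.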


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

