[Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability

From: Ory Segal (ORY.SEGALat_private)
Date: Sun Jul 06 2003 - 01:39:33 PDT


    ///////////////////////////////////////////////////////////////////////////////
    //==========================>> Security Advisory <<==========================//
    ///////////////////////////////////////////////////////////////////////////////
    
    -------------------------------------------------------------------------------
    -----[ cPanel Malicious HTML Tags Injection Vulnerability
    -------------------------------------------------------------------------------
    
    --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
    --[ Discovery Date: 06/17/2003 (Vendor was notified)
    --[ Release Date: 07/06/2003 
    --[ Product: Tested on cPanel 6.4.2-STABLE
    --[ Severity: Medium
    --[ CVE: Not assigned yet
    
    --[ Summary
    
    From the vendor's web site:
    "...The Cpanel interface is a client side interface, which allows your
    customers to easily control a web hosting account. With the touch of a button,
    they can add e-mail accounts, access their files, backup their files, setup a
    shopping cart, and more..."
    
    Any web user can embed malicious HTML tags in an HTTP request to the hosted
    site; the request is logged and later rendered, unescaped, by the web site
    administrator's browser in several cPanel screens. This may lead to theft of
    the cookies associated with the domain, or to execution of arbitrary
    client-side script in the administrator's browser.
     
    --[ Description
    
    The 'Error Log' and 'Latest Visitors' screens in cPanel provide the web site
    administrator with HTTP request logs. These scripts do not HTML-encode the URL
    part of the logged requests and present it to the administrator as is, thus
    allowing an attacker to embed malicious HTML tags that will later be parsed
    and executed by the administrator's browser.
    
    For example, let's take a look at the 'Error Log' screen:
    
    [From errlog.html]
    ...
    <b>Last 300 Error Log Messages in reverse order:</b><hr>
    <pre>
    [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist: 
    /home/dir/public_html/foobar.html
    </pre>
    ...
    
    The following request will present a pop-up screen with the cookies 
    that are currently associated with the domain:
    
      GET /<script>alert(document.cookie);</script> HTTP/1.0
      Host: www.site.com
    
    
    --[ Note
    
    The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented
    the latest requests as HTML links, thus the malicious payload must terminate
    the <a> tag before opening a new one. For example:
    
      GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
      Host: www.site.com
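
The defect in both screens is the same: untrusted request paths are written into HTML without encoding for the context they land in (text inside <pre> for 'Error Log', an href attribute plus link text for 'Latest Visitors'). The following added example, which is not cPanel's code, contrasts the unsafe rendering pattern with output encoding that matches each context, using constructed log lines that carry the two request paths shown above:

```python
import html

# Constructed sample data in the formats the advisory shows. The request
# paths are the two payloads from the advisory; everything else is made up.
SAMPLE_ERRLOG = [
    "[Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist: "
    "/home/dir/public_html/<script>alert(document.cookie);</script>",
]
SAMPLE_VISITORS = [
    '/"></a><script>alert(document.cookie);</script>',
    "/foobar.html",
]


def render_errlog_vulnerable(lines):
    """The pattern the advisory describes: raw log text inside <pre>."""
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def render_errlog_fixed(lines):
    """Encode each line for an HTML text context before placing it in <pre>.
    The payload survives as visible text, but no tag is created."""
    return "<pre>\n" + "\n".join(html.escape(line) for line in lines) + "\n</pre>"


def render_visitors_fixed(paths):
    """'Latest Visitors' shows each path as a link. The href is an attribute
    context, so quotes must be encoded too (html.escape does this by default);
    the link text is a text context. Paths are forced to be site-relative so
    the link cannot carry a scheme."""
    items = []
    for path in paths:
        if not path.startswith("/"):
            path = "/" + path
        attr = html.escape(path, quote=True)  # '"' -> &quot;, '<' -> &lt; ...
        items.append(f'<a href="{attr}">{html.escape(path)}</a>')
    return "<br>\n".join(items)


if __name__ == "__main__":
    print(render_errlog_vulnerable(SAMPLE_ERRLOG))
    print(render_errlog_fixed(SAMPLE_ERRLOG))
    print(render_visitors_fixed(SAMPLE_VISITORS))
```

Opening the two rendered error-log variants in a browser shows the difference directly: the first runs the script, the second prints the log line verbatim.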
    
    --[ Solution
    
    According to the vendor, the problem was fixed in version 7.0, which can be 
    downloaded at: http://www.cpanel.net/downloads.htm
    
    
    
    
              Ory Segal
      Senior Security Engineer
            Sanctum, Inc.
     http://www.SanctumInc.Com/
    
    Ampa Bldg.,  1 Sapir Street.
    Mail:     P.O.Box      12047
    Herzliya    46733,    ISRAEL
    
    Tel: +972-9-9586077 Ext. 236
    Fax: +972-9-9576337
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    



    This archive was generated by hypermail 2b30 : Sun Jul 06 2003 - 02:05:20 PDT