cPanel Malicious HTML Tags Injection Vulnerability

From: Ory Segal (ory.segalat_private)
Date: Sun Jul 06 2003 - 01:46:44 PDT

Next message: Rick: "rundll32.exe buffer overflow"

Previous message: Hugo : "XSS in OWA allows stealing windows domain user credentials"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-------------------------------------------------------------------------------
-----[ cPanel Malicious HTML Tags Injection Vulnerability
-------------------------------------------------------------------------------

--[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
--[ Discovery Date: 06/17/2003 (Vendor was notified)
--[ Release Date: 07/06/2003
--[ Product: Tested on cPanel 6.4.2-STABLE
--[ Severity: Medium
--[ CVE: Not assigned yet

--[ Summary

 From the vendor's web site:
"...The Cpanel interface is a client side interface, which allows your 
customers
to easily control a web hosting account. With the touch of a button, 
they can
add e-mail accounts, access their files, backup their files, setup a 
shopping
cart, and more..."

Web users can embed Malicious HTML tags in HTTP requests, which will later
be parsed by the web site administrator's browser, in several cPanel 
screens.
This may lead to theft of cookies associated with the domain, or 
execution of
client-side scripts in the administrator's browser.
 
--[ Description

The 'Error Log' and 'Latest Visitors' screens in cPanel, provide the web 
site
administrator with HTTP request logs. These scripts do not sanitize the 
URL part
of HTTP requests and present them to the administrator as is, thus, 
allowing an
attacker to embed malicious HTML tags that will later be parsed and 
executed by
the administrators browser.

For example, lets take a look at the 'Error Log' screen:

[From errlog.html]
...
<b>Last 300 Error Log Messages in reverse order:</b><hr>
<pre>
[Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
/home/dir/public_html/foobar.html
</pre>
...

The following request will present a pop-up screen with the cookies
that are currently associated with the domain:

  GET /<script>alert(document.cookie);</script> HTTP/1.0
  Host: www.site.com


--[ Note

The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) 
presented the
latest requests as HTML links, thus the malicious payload must terminate 
the <a>
tag before opening a new one. For example:

  GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
  Host: www.site.com

--[ Solution

According to the vendor, the problem was fixed in version 7.0, which can be
downloaded at: http://www.cpanel.net/downloads.htm

Next message: Rick: "rundll32.exe buffer overflow"
Previous message: Hugo : "XSS in OWA allows stealing windows domain user credentials"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 13:13:19 PDT