zPanel themes remote command execution as root

2013-05-15 / 2013-05-16
Credit: Kurt Seifried
Risk: High
Local: No
Remote: Yes
CWE: N/A

So I saw this earlier today: http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_forum_user_fucken/ and flipped through the forum thread on the zpanel site, but didn't have time until now to deal with it. So first off: I saw all this stuff and read it before it was removed from the site (actually the entire site appears to be down now). So long and short: you upload a template with the following code: <& bogus ']; exec("/etc/zpanel/panel/bin/zsudo touch /root/derp"); echo $value['bogus &> and the command gets executed as root. From googling it appears that zPanel won't work with SELinux enabled, which makes sense (most web applications fail to ship an SELinux policy, so if they need to do strange things outside the default policy they generally tell you to simply disable SELinux). So if you run zPanel it would be normal to disable SELinux (to make zPanel work), so this root level access won't be restricted. This issue has been assigned CVE-2013-2097. There is also a mention of a CSRF but I couldn't find any additional information on it, if anyone knows about this please email me/oss-security with details.

References:

http://seclists.org/oss-sec/2013/q2/336
http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_forum_user_fucken/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top