EHCP Easy Hosting Control Panel
Multiple Vulnerabilities -
Clear Text MySQL Root Password
Insufficiently Protected Sensitive Data
Authentication Bypass
Unauthenticated Arbitrary File Upload
Software Links:
https://launchpad.net/ehcp
http://www.ehcp.net
https://sourceforge.net/p/ehcp/wiki/
--------------------------------------------------------------------------------------------
Description:
“ehcp is a hosting control panel, for multiple domains on single
machine. easily installable,easy usage, non-complex,functional.
homepage:http://www.ehcp.net * automatically installs and works: dns,
apache, mysql, ftp, email, domains and auto updates”
--------------------------------------------------------------------------------------------
CWE-256: Plaintext Storage of a Password
CWE-522: Insufficiently Protected Credentials
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues
Access : Remote (All Vulnerabilities)
Complexity : Low (All Vulnerabilities)
Currently, many resellers are using this software to manage multiple
customer domains, which in many cases also exposes ssh and mysql ports
to the outside world.
All known versions between 0.29 and 0.37.9 are affected. Earlier
versions may be impacted as well.
ver 0.37.9
ver 0.30.6
ver.0.29.15
ver 0.29.13
--------------------------------------------------------------------------------------------
#1 Plaintext Storage of a Password
By browsing directly to http://<IP>/ehcp/ehcpbackup.php sensitive
information regarding the web server, local OS and SQL DB are exposed
without authentication. This almost always includes the MySQL root
password in clear text via the exposure of a mysqldump action. These
credentials can be used to log directly into PHPMYADMIN. The
ehcpbackup.php file also exposes the dir listing of the ehcp directory
itself, local file paths, all databases and domains associated with
that EHCP build as well as domain useranmes.
As with almost every file in the EHCP software suite, the permissions
are set to -rw-r--r--
http://<IP>/ehcp/ehcpbackup.php
Access : Remote
Complexity : Low
Impact : Complete
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues
--------------------------------------------------------------------------------------------
#2 Unauthenticated File upload
Unauthenticated file upload By browsing to any of the following four
URLs, a remote attacker can upload any file which then is stored in a
phptmpdir directory. It does not appear to validate either the user
uploading nor the file type.
http://<IP>/ehcp/test/up2.php
http://<IP>/ehcp/test/upload2.php
http://<IP>/ehcp/test/upload.php
http://<IP>/ehcp/test/up.php
Access : Remote
Complexity : Low
CWE-592: Authentication Bypass Issues
CWE-434: Unrestricted Upload of File
--------------------------------------------------------------------------------------------
#3 Information Disclosure
The following URL pathways can be remotely browsed to without
authentication. They all give various amounts of information
disclosure which exposes almost all of the underworking directory and
functions of the Hosting software, SQL tables and database queries.
http://<IP>/ehcp/ehcp_postfix.sh
http://<IP>/phpsysinfo
http://<IP>/ehcp/apache_default.conf
http://<IP>/ehcp/apachehcp_auth.conf
http://<IP>/ehcp/apachehcp.conf
http://<IP>/ehcp/apachehcp_passivedomains.conf
http://<IP>/ehcp/apachehcp_subdomains.conf
http://<IP>/ehcp/apache_subdomain_template
http://<IP>/ehcp/apache_subdomain_template_ipbased
http://<IP>/ehcp/apachetemplate
http://<IP>/ehcp/apachetemplate_ipbased
http://<IP>/ehcp/apachetemplate_passivedomains
http://<IP>/ehcp/ehcp-apt-get-install.log
http://<IP>/ehcp/ehcpbackup.php
http://<IP>/ehcp/ehcpdaemon2.sh
http://<IP>/ehcp/install_log.txt
http://<IP>/ehcp/install.sh
http://<IP>/ehcp/LocalServer.cnf
http://<IP>/ehcp/ehcp_daemon.py
http://<IP>/ehcp/ehcpdaemon.sh
http://<IP>/ehcp/ehcp_fix_apache.php
http://<IP>/ehcp/ehcpinfo.html
http://<IP>/ehcp/ehcp_postfix2.sh
http://<IP>/ehcp/ehcp_postfix.sh
http://<IP>/ehcp/ehcp.sql
http://<IP>/ehcp/ehcp_upgrade.sh
http://<IP>/ehcp/ehcpupgrade.sql
http://<IP>/ehcp/checkapacheconfig.sh
http://<IP>/ehcp/checkapache.sh
http://<IP>/ehcp/etc/apache2/apache_subdomain_template
http://<IP>/ehcp/etc/apache2/apache_subdomain_template_ipbased
http://<IP>/ehcp/etc/apache2/apachetemplate
http://<IP>/ehcp/etc/apache2/apachetemplate_ipbased
http://<IP>/ehcp/etc/apache2/apachetemplate_passivedomains
http://<IP>/ehcp/etc/apache2/default
http://<IP>/ehcp/etc/apache2/ports.conf
http://<IP>/ehcp/etc/apache2_ssl/apache_subdomain_template
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate_ipbased
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate_passivedomains
http://<IP>/ehcp/etc/apache2_ssl/default
http://<IP>/ehcp/etc/apache2_ssl/default-ssl
http://<IP>/ehcp/etc/apache2_ssl/ports.conf
http://<IP>/ehcp/etc/logrotate.d/ehcp
http://<IP>/ehcp/named_ehcp.conf
http://<IP>/ehcp/phpadmin.php
http://<IP>/ehcp/phpmyadmin.conf
http://<IP>/ehcp/pop-before-smtp.conf
http://<IP>/ehcp/resetmysqlrootpass.sh
http://<IP>/ehcp/scriptsupdate.sql
http://<IP>/ehcp/scriptsupdate.sql.html
http://<IP>/ehcp/setup.sh
http://<IP>/ehcp/smtpd.cert
http://<IP>/ehcp/smtpd.key
http://<IP>/ehcp/ssh2.sh
http://<IP>/ehcp/stats.php
http://<IP>/ehcp/misc/importexport.php
http://<IP>/ehcp/misc/mysqltroubleshooter.php
http://<IP>/ehcp/misc/redirect_index.html
http://<IP>/ehcp/misc/serverstatus.sh
Access : Remote
Complexity : Low
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues
--------------------------------------------------------------------------------------------
Timeline: In late February the Vendor was contacted via email, which
was followed up with a full bug report at https://launchpad.net/ehcp.
While the vendor did reply to acknowledge the bugs, no timeframe nor
any other information was given for when a fix would be complete.
Vendor did not respond to any further followup correspondence.
There is no known work around at this time other than
disabling EHCP suite completely, and switching to a more secure
solution until these issues can be patched.
While the gui interface mechanisms does an OK job locking down the
masked url front end web calls it makes, the entire backend files
which are being called, can be directly accessed, bypassing the need
to use the GUI interface.
Research Contact: Kyle Lovett
March 29, 2016