#1 (permalink)  
Old 03-15-2004, 07:53 AM
Registered User
 
Join Date: Aug 2001
Posts: 361
Domenico
cPanel Login Command Injection Vulnerability

TITLE:
cPanel Login Command Injection Vulnerability

SECUNIA ADVISORY ID:
SA11124

VERIFY ADVISORY:
http://secunia.com/advisories/11124/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
cPanel 9.x

DESCRIPTION:
Arab VieruZ has reported a vulnerability in cPanel, allowing
malicious people to execute certain system commands on a vulnerable
system.

The problem is that user input passed to the "user" parameter in the
"login" section isn't properly verified before being used. This can
be exploited to inject various commands by supplying shell meta
characters.

Example:
http://[victim]:2082/login/?user=|"`id`"|

The vulnerability has been reported in version 9.1.0. Other versions
may also be affected.

SOLUTION:
Filter malicious characters and character sequences in a proxy or
firewall with URL filtering capabilities.

PROVIDED AND/OR DISCOVERED BY:
Arab VieruZ
__________________
Webhostingtalk.nl :: For all your Dutch (AMS-IX - Amsterdam) and European hosting quotes
The best and only hosting forum you need in Europe
You can ask your quotes and questions in English!
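The URL-filtering workaround from the advisory above, sketched as an added example (not part of the original post, the Secunia advisory or cPanel's code): it percent-decodes the login "user" parameter, checks it against an allowlist, and scans constructed access-log lines. The allowlist pattern, the log format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate account names only use these characters.
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,32}")
# Shell metacharacters of the kind the advisory refers to.
SHELL_META = set('|`$;&<>(){}\\"\'\n\r')
# Request field of a common-log-format line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_login_url(url):
    """Return (allowed, reason) for one request URL."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/login"):
        return True, "not a login request"
    # parse_qs percent-decodes once, so encoded metacharacters are seen too.
    for value in parse_qs(parts.query, keep_blank_values=True).get("user", []):
        found = sorted(SHELL_META.intersection(value))
        if found:
            return False, "shell metacharacters in user: " + " ".join(found)
        if not SAFE_USER.fullmatch(value):
            # Catches everything else, e.g. a leftover '%' from double encoding.
            return False, "user outside allowlist"
    return True, "ok"

def scan_access_log(lines):
    """Return [(line_number, reason)] for login requests a filter should reject."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            allowed, reason = check_login_url(match.group(1))
            if not allowed:
                hits.append((number, reason))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2004:07:01:02 -0500] "GET /login/?user=alice HTTP/1.0" 200 512',
    '192.0.2.44 - - [15/Mar/2004:07:03:10 -0500] "GET /login/?user=|"`id`"| HTTP/1.0" 200 512',
    '192.0.2.44 - - [15/Mar/2004:07:03:12 -0500] "GET /login/?user=%7C%22%60id%60%22%7C HTTP/1.0" 200 512',
    '192.0.2.45 - - [15/Mar/2004:07:04:00 -0500] "GET /login/?user=bob%2560 HTTP/1.0" 200 512',
    '192.0.2.10 - - [15/Mar/2004:07:05:00 -0500] "GET /frontend/index.html?q=a|b HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for number, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

An allowlist on the decoded value is the stronger check; the metacharacter scan only makes the rejection reason readable in reports.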
  #2 (permalink)  
Old 03-15-2004, 10:31 AM
Registered User
 
Join Date: Jun 2002
Posts: 116
Steve-PWH
This has been patched in latest forced update
  #3 (permalink)  
Old 03-15-2004, 10:46 AM
Registered User
 
Join Date: Oct 2003
Posts: 92
DN-Paul
Quote:
Originally posted by Steve-PWH
This has been patched in latest forced update
Are you sure about that?
I'm running on cPanel 9.1.0-R72, is this one safe?
  #4 (permalink)  
Old 03-15-2004, 10:49 AM
Advanced cPanel/WHM User
 
Join Date: Jun 2003
Posts: 646
nickn is on a distinguished road
Quote:
Originally posted by DN-Paul
Are you sure about that?
I'm running on cPanel 9.1.0-R72, is this one safe?
+-------------------------------------------------------------+
Fri Mar 12 00:19:20 EST 2004
9.1.0-EDGE_41 (i686)
---------------------------------------------------------------
it would appear that the original fix doesn't totally close
the hole.. thanks to ameen for letting us check out
his logs
---------------------------------------------------------------

I believe that was the fix
  #5 (permalink)  
Old 03-15-2004, 11:14 AM
Advanced cPanel/WHM User
 
Join Date: Jun 2003
Posts: 646
nickn is on a distinguished road
Quote:
Originally posted by thaphantom
1) Yes this is fixed
2) Are you so damn stupid that you are going to post HOW TO DO A HACK INTO A PUBLIC FORUM!?!?!?!? /me shakes head... another dumbass
You know..they are worried about their server being exploitable, so they post on a forum full of thousands of users, and they feel obligated to also tell everyone how to exploit the server.

People, some things belong in tickets and not on the public forums.
  #6 (permalink)  
Old 03-15-2004, 11:15 AM
Registered User
 
Join Date: Oct 2003
Posts: 92
DN-Paul
Quote:
Originally posted by thaphantom
1) Yes this is fixed
Thanks updated to r83 anyway.
Quote:
Originally posted by thaphantom
2) Are you so damn stupid that you are going to post HOW TO DO A HACK INTO A PUBLIC FORUM!?!?!?!? /me shakes head... another dumbass
Secunia is also a public website, more "wanna-be 'hackers'" are going to hang out there looking for new exploits, rather than these forums.
  #7 (permalink)  
Old 03-15-2004, 11:16 AM
Advanced cPanel/WHM User
 
Join Date: Jun 2003
Posts: 646
nickn is on a distinguished road
Quote:
Originally posted by DN-Paul
Thanks updated to r83 anyway.
Secunia is also a public website, more "wanna-be 'hackers'" are going to hang out there looking for new exploits, rather than these forums.
So because it's already been posted in public you feel the need to spread it out more? Two wrongs don't make a right...
  #8 (permalink)  
Old 03-15-2004, 11:18 AM
Registered User
 
Join Date: Oct 2003
Posts: 92
DN-Paul
Quote:
Originally posted by snickn
So because it's already been posted in public you feel the need to spread it out more? Two wrongs don't make a right...
I wasn't aware that me posting the version of cpanel I'm using was spreading an exploit. Although with all the recent holes, maybe mentioning you use cPanel is putting your servers at risk.
  #9 (permalink)  
Old 03-15-2004, 11:20 AM
Registered User
 
Join Date: Oct 2003
Posts: 92
DN-Paul
Quote:
Originally posted by thaphantom
While that may be true, you will get someone who sees it here and 'tries' it on their host and other dumbass shit like this. I have no problem with showing everything else as it is needed to let ppl know, but to post the actual exploit, come on now
Since the exploit is on the secunia website, how do you suggest that someone links to the advisory, without showing the how to use the exploit part?

Surely your 'beef' should be with secunia for posting the exploit on their website, not with other members here for letting you know that your servers may be at risk?

It's kind of a lose-lose situation, if the original poster just posted saying there was a security hole that allowed people to do "bad stuff" you'd moan at them and not believe them and ask for proof, so then they post a link to an advisory as proof, and then you'll have a go at them for posting that link because it shows how to use the exploit (as most security advisories do, which I personally think is a bit stupid since these websites are supposed to be helping us stay secure).

Last edited by DN-Paul; 03-15-2004 at 11:27 AM.
  #10 (permalink)  
Old 03-15-2004, 01:41 PM
Registered User
 
Join Date: Mar 2002
Location: Alberta, Canada
Posts: 1,508
Website Rob
It's a Pandora's box situation.

Fortunately, the poster used old information about a problem we no longer have to worry about.
__________________
Helping people Host, Create, and Maintain their Web Site
Also providing Server Admin Services - setup / troubleshooting

http://potentproducts.com/
  #11 (permalink)  
Old 03-15-2004, 04:00 PM
Registered User
 
Join Date: Mar 2004
Posts: 1
Dark_Wizard
Quote:
Originally posted by snickn
You know..they are worried about their server being exploitable, so they post on a forum full of thousands of users, and they feel obligated to also tell everyone how to exploit the server.

People, some things belong in tickets and not on the public forums.
Agreed....this idiot just cost me a lot of hours restoring my clients' sites...what a f**king dumbass.
  #12 (permalink)  
Old 03-15-2004, 04:29 PM
Registered User
 
Join Date: Oct 2003
Posts: 92
DN-Paul
Quote:
Originally posted by thaphantom
No, it's 100x better to submit a trouble ticket. In this issue he could have posted everything BUT the exploit itself. Ppl would have had proof yet not the exploit.
So if I made a thread saying that there is an exploit in phpmyadmin that will allow me to delete all your databases and reboot your server, you'd believe me?

Dark_Wizard, why are you blaming the thread starter for your misfortune? I don't see how it's his/her fault that there was a hole in cpanel, or that it was posted on the internet (unless (s)he was the person who discovered it and posted it to secunia), you should also keep your boxen up to date, you live and learn.
  #13 (permalink)  
Old 03-15-2004, 05:52 PM
Registered User
 
Join Date: Aug 2001
Posts: 361
Domenico
A laugh at the people who think I'm a dumbass!
The dumbasses are the ones that don't know about all the security sites that post these things way before I or someone else posts them here.

I just posted it here for the lazy admins among us. The real dumbasses are the ones who use these kinds of exploits.

Think before you talk shit!


EDIT: this is not about the 'lost password' hack! Read carefully...
__________________
Webhostingtalk.nl :: For all your Dutch (AMS-IX - Amsterdam) and European hosting quotes
The best and only hosting forum you need in Europe
You can ask your quotes and questions in English!

Last edited by Domenico; 03-15-2004 at 06:04 PM.
  #14 (permalink)  
Old 03-15-2004, 06:22 PM
Registered User
 
Join Date: Mar 2004
Posts: 1
looker2
Domenico: Don't take their comments seriously. They are the "security by obscurity" people. Last week they had a long argument with this guy who said that the way cpanel deals with logins is insecure. They didn't like that either.
If you want to post in this forum and be safe from flaming you have to follow just two rules: 1) say nice things about cPanel 2) do not, by any chance, mention it's insecure. Do that and you are safe.

looker2
  #15 (permalink)  
Old 03-15-2004, 06:48 PM
Registered User
 
Join Date: Jan 2003
Location: If there is trouble, it will find me
Posts: 2,336
casey is an unknown quantity at this point
Quote:
Originally posted by Domenico
EDIT: this is not about the 'lost password' hack! Read carefully...
No, but it was fixed along with the resetpass.cgi hole. You're covered. I got it straight from cPanel support.
All times are GMT -5.