Blind SQL Injection in PostgreSQL

Mulyawan Sentosa

Registered: May 27, 2017
Indonesia
cPanel Access Level: Root Administrator
Hello,

I'm checking my web security with detectify.com, and I found a severe issue in cPanel. It's found at http://mydomain:2082/unprotected/loader.html. It said that there is a vulnerable GET variable goto_uri on that file, and that an attacker can execute SQL code, which includes reading/writing to the database and possibly writing directly to the file system.

Please help; how do I solve this?

Thank you.

rpvw

Well-Known Member
Registered: Jul 18, 2013
UK
cPanel Access Level: Root Administrator
I think you will need to switch Home » Server Configuration » Tweak Settings » Security » "Require SSL for cPanel Services" to ON,

and you may also want to switch

Redirection » "Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs" (formerly known as "Always redirect to SSL/TLS") to ON as well.

cPanelMichael

Administrator
Staff member
Registered: Apr 11, 2011
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look at that report and verify whether it's a false positive? You can post the ticket number here and we will update this thread with the outcome.

Thank you.

cPanelKenneth

cPanel Development
Staff member
Registered: Apr 7, 2006
cPanel Access Level: Root Administrator
Detectify is likely mistaking the loader.html file for something in a completely different application.