Cpanel Build 10.4.0-EDGE 254

Discussion in 'General Discussion' started by hostserver, Aug 11, 2005.

Thread Status:
Not open for further replies.
  1. hostserver

    hostserver Active Member

    May 27, 2005
    cPanel Access Level:
    Root Administrator
    Please explain this problem?

    Thank you.
    General info :
    vuln application : Cpanel Build 10.4.0-EDGE 254
    vendor :
    risk : Medium
    access : to all the domains hosted
    original advisory :
    Details :
    scenario :
    you are admin of a big hosting company, one of your customers wanted 10 mb hosting,
    ok ah you are at home but how the hell he got the phone number anyway!
    you login to your cpanel as reseller you create his account, create the plan
    you USE your reseller passwd for him after the job is finished you change the
    password to urgonnohackme! tomorrow you go to work, happy morning it is.
    but when you hear that your 10000 customer sites had been defaced it completely changes
    to a terrific morning.
    also if a normal cpanel user changes the pass to root by chance he won't know but
    when he changes his passwd again he sees all the domains listed for him!!!
    a sample movie created about how the vuln could be used :
    timeline :
    vendor not contacted because of the great care vendors give us!
    08 august 2005 : public disclosure
  2. chirpy

    chirpy Well-Known Member

    Jun 15, 2002
    Go on, have a guess