
cPanel Login Command Injection Vulnerability

Discussion in 'General Discussion' started by Domenico, Mar 15, 2004.

  1. Domenico

    TITLE:
    cPanel Login Command Injection Vulnerability

    SECUNIA ADVISORY ID:
    SA11124

    VERIFY ADVISORY:
    http://secunia.com/advisories/11124/

    CRITICAL:
    Highly critical

    IMPACT:
    System access

    WHERE:
    From remote

    SOFTWARE:
    cPanel 9.x

    DESCRIPTION:
    Arab VieruZ has reported a vulnerability in cPanel, allowing
    malicious people to execute certain system commands on a vulnerable
    system.

    The problem is that user input passed to the "user" parameter in the
    "login" section isn't properly verified before being used. This can
    be exploited to inject various commands by supplying shell meta
    characters.

    Example:
    http://[victim]:2082/login/?user=|"`id`"|

    The vulnerability has been reported in version 9.1.0. Other versions
    may also be affected.

    SOLUTION:
    Filter malicious characters and character sequences in a proxy or
    firewall with URL filtering capabilities.

    PROVIDED AND/OR DISCOVERED BY:
    Arab VieruZ
     
  2. Steve-PWH

    This has been patched in the latest forced update.
     
  3. DN-Paul

    Are you sure about that?
    I'm running on cPanel 9.1.0-R72, is this one safe?
     
  4. nickn

    +-------------------------------------------------------------+
    Fri Mar 12 00:19:20 EST 2004
    9.1.0-EDGE_41 (i686)
    ---------------------------------------------------------------
    it would appear that the original fix doesn't totally close
    the hole.. thanks to ameen for letting us check out
    his logs
    ---------------------------------------------------------------

    I believe that was the fix :)
     
  5. nickn

    You know..they are worried about their server being exploitable, so they post on a forum full of thousands of users, and they feel obligated to also tell everyone how to exploit the server.

    People, some things belong in tickets and not on the public forums.
     
  6. DN-Paul

    Thanks :) updated to r83 anyway.
    Secunia is also a public website, more "wanna-be 'hackers'" are going to hang out there looking for new exploits, rather than these forums.
     
  7. nickn

    So because it's already been posted in public you feel the need to spread it out more? Two wrongs don't make a right...
     
  8. DN-Paul

    :confused: I wasn't aware that me posting the version of cpanel I'm using was spreading an exploit ;) Although with all the recent holes, maybe mentioning you use cPanel is putting your servers at risk :rolleyes:
     
  9. DN-Paul

    Since the exploit is on the secunia website, how do you suggest that someone links to the advisory, without showing the how to use the exploit part?

    Surely your 'beef' should be with secunia for posting the exploit on their website, not with other members here for letting you know that your servers may be at risk?

    It's kind of a lose-lose situation, if the original poster just posted saying there was a security hole that allowed people to do "bad stuff" you'd moan at them and not believe them and ask for proof, so then they post a link to an advisory as proof, and then you'll have a go at them for posting that link because it shows how to use the exploit (as most security advisories do, which I personally think is a bit stupid since these websites are supposed to be helping us stay secure).
     
    #9 DN-Paul, Mar 15, 2004
    Last edited: Mar 15, 2004
  10. Website Rob

    It's a Pandora's box situation.

    Fortunately, the poster used old information about a problem we no longer have to worry about.
     
  11. Dark_Wizard

    Agreed....this idiot just cost me a lot of hours restoring my clients' sites...what a f**king dumbass.
     
  12. DN-Paul

    So if I made a thread saying that there is an exploit in phpmyadmin that will allow me to delete all your databases and reboot your server, you'd believe me?

    Dark_Wizard, why are you blaming the thread starter for your misfortune? I don't see how it's his/her fault that there was a hole in cpanel, or that it was posted on the internet (unless (s)he was the person who discovered it and posted it to secunia), you should also keep your boxen up to date, you live and learn.
     
  13. Domenico

    A laugh at the people who think I'm a dumbass! :)
    The dumbasses are the ones that don't know about all the security sites that post these things way before I or someone else posts them here.

    I just posted it here for the lazy admins among us. The real dumbasses are the ones who use these kinds of exploits.

    Think before you talk shit!


    EDIT: this is not about the 'lost password' hack! Read carefully...
     
    #13 Domenico, Mar 15, 2004
    Last edited: Mar 15, 2004
  14. looker2

    Domenico: Don't take their comments seriously. They are the "security by obscurity" people. Last week they had a long argument with this guy who said that the way cPanel deals with logins is insecure. They didn't like that either.
    If you want to post in this forum and be safe from flaming you have to follow just two rules: 1) say nice things about cPanel 2) do not, by any chance, mention it's insecure. Do that and you are safe.

    looker2
     
  15. casey

    No, but it was fixed along with the resetpass.cgi hole. You're covered. I got it straight from cPanel support.
     
  16. WCW Fan

    Is this fixed in the latest stable version?
     
  17. casey

    No cpanel servers should be vulnerable to this anymore. Cpanel themselves hacked those that were in order to patch them.
     
  18. Curious Too

    But it is old news. This exploit was posted and patched along with the "lost password" hack.
     
  19. oldengine

    Does it take too much effort to refer to the "latest update" by its number? There are THREE versions EDGE, RELEASE and STABLE, each with numbers that appear in the upper right hand corner. It would be a lot simpler to use them rather than having to poke around to find out what the LATEST is as of when.
     
  20. zex

    I think that people on this forum deserve that cPanel officially say to us which versions are secure and which are not.

    I had a rootkit days before and I spent a hell-weekend just because I didn't know that there is an autorootkit for cPanel.
    I think that in any case customers have a right to know about all problems. If we continue to keep things just for ourselves and not share information, we may just forget about security and give the keys of our servers to people who know better than us which versions are vulnerable or which software has bugs.
     