The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

CPanel Multiple Cross-Site Scripting Vulnerabilities BugTraq ID: 20683

Discussion in 'General Discussion' started by dlennon, Oct 26, 2006.

  1. dlennon

    dlennon Member
    PartnerNOC

    Joined:
    May 17, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    1. CPanel Multiple Cross-Site Scripting Vulnerabilities
    BugTraq ID: 20683
    Remote: Yes
    Last Updated: 2006-10-24
    Relevant URL: http://www.securityfocus.com/bid/20683
    Summary:
    cPanel is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

    An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

    cPanel version 10.9.0 is vulnerable; other versions may also be affected.



    Any info on what update has been released, how about a security forum dedicated to these types of issues? Just a suggestion.....

    -Damian
     
  2. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    16
  3. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Sounds like a blanket statement of the whole Cpanel environment. Hope they are wrong.

    :(
     
  4. dlennon

    dlennon Member
    PartnerNOC

    Joined:
    May 17, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I see what you are referancing, it mentioned CentOS spicificly, can we get any confermation from cPanel that this has been resolved for other host OS?

    -Damian
     
  5. pjman

    pjman Well-Known Member

    Joined:
    Mar 22, 2003
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    It was fixed in release 56

    It was fixed in 56. So, if you're running Build 56 and up, you're cool!

    The former exploit required authentication, too! So, it was only local.
     
Loading...

Share This Page