The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cPanel User Parameter Cross-Site Scripting Vulnerability [old]

Discussion in 'General Discussion' started by maaking, Jul 16, 2005.

  1. maaking

    maaking Member

    Joined:
    May 28, 2004
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    No exploit is required.

    The following proof of concept has been provided:
    http://www.example.com:2082/login?user=**<script>JavaScript:alert(document.cookie);</script>


    It is reported that cPanel is prone to a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. The issue presents itself due to insufficient sanitization of user-supplied data via the 'user' parameter of the 'login' page.

    Due to the possibility of attacker-specified HTML and script code being rendered in a victim's browser, it is possible to steal cookie-based authentication credentials from that user. Other attacks are possible as well.


    Solution:
    Currently we are not aware of any patches for this issue.

    read this for more:
    http://www.securityfocus.com/bid/13996/exploit
     
  2. challii

    challii Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    6
    Did you actually read any of this article? Check bugzilla before posting here? check the changelog?

    Well if you had then you would realise that this only effects old versions of cPanel, and since this security release was published nearly a month ago... please dont post rubbish!
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Indeed, it was fixed a long time ago.
     
Loading...

Share This Page