Sitelock reporting vulnerability on cpanel webmail login

whm-expert

Nov 10, 2012
Hello everyone,
I am using SiteLock to protect one of our websites. The website uses a PHP CMS, and it has a PHP file that lets visitors log in directly to their cPanel webmail.


When I log in to the "SiteLock dashboard" I see this error message: "Vulnerable(1)"
URL:/http://xxxx.com/ar/webmail.php?login=&pass=1&port=2096&user=1
Cross site scripting vulnerability found in args:login,pass,port,user

Please, is there any other way to log in to webmail without this problem?


Please check the script below.
==========================
Code:
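<html>
<?php
$domain = "XXXX.COM";

// Nothing to do unless the login form was submitted.
if (empty($_POST['login'])) {
    exit;
}

// Request values are taken as-is and echoed into the page below without escaping.
$user = $_POST['user'];
$pass = $_POST['pass'];
$port = $_POST['port'];

// SSL ports use https, everything else http.
$pre = ($port == "2096" || $port == "2087" || $port == "2083") ? "https://" : "http://";

// Webmail ports: append the domain when the user name has no "@".
// eregi() was removed in PHP 7, so strpos() does the check; the parentheses
// keep && from binding before ||.
if (($port == "2095" || $port == "2096") && strpos($user, "@") === false) {
    $user = $user . "@" . $domain;
}
?>
<body onLoad="setTimeout('document.forms[0].submit();',10)">
<form action="<?php echo $pre . $domain . ":" . $port . "/login/"; ?>" method="post">
<input type="hidden" name="user" value="<?php echo $user; ?>">
<input type="hidden" name="pass" value="<?php echo $pass; ?>">
</form>
</body>
</html>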
==========================

Regards
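
A hardened variant of the script above, as an added example that is not part of the original post: the port is checked against an allow-list of the ports the script names, and every value written into an HTML attribute goes through `htmlspecialchars()`. `attr()`, `post_string()` and `$schemes` are names made up for this example; `XXXX.COM` is the post's own placeholder.

```php
<?php
// Added example, not the poster's script. $domain is the same placeholder the post uses.
$domain = 'XXXX.COM';

// Allow-list of the ports named in the post, mapped to their scheme.
// A value outside this list is rejected, so $port never reaches the HTML.
$schemes = ['2095' => 'http://', '2096' => 'https://',
            '2083' => 'https://', '2087' => 'https://'];

// Escape for a double-quoted HTML attribute: ", ', <, > and & become entities.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read a POST field as a string; array input such as user[]=x becomes ''.
function post_string(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

$port = post_string('port');
if (post_string('login') === '' || !isset($schemes[$port])) {
    http_response_code(400);
    exit;
}

$user = post_string('user');
$pass = post_string('pass');

// Webmail ports take a full address: append the domain when none was given.
if (($port === '2095' || $port === '2096') && strpos($user, '@') === false) {
    $user .= '@' . $domain;
}
$action = $schemes[$port] . $domain . ':' . $port . '/login/';
?>
<!DOCTYPE html>
<html>
<body onload="document.forms[0].submit();">
<form action="<?php echo attr($action); ?>" method="post">
<input type="hidden" name="user" value="<?php echo attr($user); ?>">
<input type="hidden" name="pass" value="<?php echo attr($pass); ?>">
</form>
</body>
</html>
```

With the escaping in place, a quote or angle bracket submitted in `user` or `pass` arrives in the page as an entity inside the attribute value instead of closing it.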