XSS in scripts/passwdmysql?

Anybody have any other information about this reported vulnerability?

http://secunia.com/advisories/24106/

Looks like there's another XSS notice from a few days earlier, and that original vuln is also a CSRF too (IE, if you visit some evil webpage, it can have a hidden iframe pointing at:

Code:

https://yourserver.com:2087/scripts/passwdmysql?password=changedpw&user=root&submit=Change+Password

And poof, as soon as I see you've visited the webpage, I login to your mysql server as root with the pw it was reset to.

The changelog says something about a generic XSS cleanser -- anybody know more about that?

 

No, all the badguy has to do is get you to view a webpage of his anywhere else, he doesn't have to know your root password.

You obviously don't understand XSS or CSRF attacks.

I've already explained why XSS is serious once before.

Re-read what I wrote in the first post on this thread. If you are logged into your server and I can get you to visit any website I control, I can fool your client into changing your root mysql password to anything I want.

Does that make more sense? I don't have your root password, I never need to know it, I just need you to view any webpage that I control with the same browser you login to your cpanel with and I can make it take actions behind your back invisibly, like change your mysql root password to whatever I want.

Granted -- this doesn't mean I can suddenly write a tool that lets me break into every cpanel site in the world automatically, I have to target folks somewhat and do some a little bit of homework, but it's still a very serious vulnerability.