XSS in scripts/passwdmysql?

Discussion in 'General Discussion' started by jwiens, Feb 14, 2007.

  1. jwiens

    jwiens Member

    Anybody have any other information about this reported vulnerability?

    http://secunia.com/advisories/24106/

    Looks like there's another XSS notice from a few days earlier, and that original vuln is also a CSRF too (i.e., if you visit some evil webpage, it can have a hidden iframe pointing at the following URL):

    Code:
    https://yourserver.com:2087/scripts/passwdmysql?password=changedpw&user=root&submit=Change+Password
    And poof, as soon as I see you've visited the webpage, I login to your mysql server as root with the pw it was reset to.

    The changelog says something about a generic XSS cleanser -- anybody know more about that?
     
  2. katmai

    katmai Well-Known Member

    In order for this to work, the attacker must have your root password. And... face it, if he has the root password he can easily change the MySQL root pass from WHM. Why use XSS and stuff? More convenient.

    use common sense for this :)
     
  3. jwiens

    jwiens Member

    No, all the badguy has to do is get you to view a webpage of his anywhere else, he doesn't have to know your root password.

    You obviously don't understand XSS or CSRF attacks. :)

    I've already explained why XSS is serious once before.

    Re-read what I wrote in the first post on this thread. If you are logged into your server and I can get you to visit any website I control, I can fool your client into changing your root mysql password to anything I want.

    Does that make more sense? I don't have your root password, I never need to know it, I just need you to view any webpage that I control with the same browser you login to your cpanel with and I can make it take actions behind your back invisibly, like change your mysql root password to whatever I want.

    Granted -- this doesn't mean I can suddenly write a tool that lets me break into every cPanel site in the world automatically, I have to target folks somewhat and do a little bit of homework, but it's still a very serious vulnerability.
     
    #3 jwiens, Feb 15, 2007
    Last edited: Feb 15, 2007
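The attack jwiens describes in posts #1 and #3 depends on one property of the script: it changes state on a plain GET and authorises that change by the session cookie alone, which the victim's browser attaches to the hidden iframe's request automatically. The example below is added here to make that concrete; it is not cPanel's own code (the real script is Perl, and its internals are not shown on this page). It models the vulnerable handler in a few lines of Python beside a hardened version that refuses non-POST requests, rejects a foreign Origin/Referer when the browser supplies one, and requires a per-session anti-CSRF token that a third-party page cannot read. The handler names, the `whmsession` cookie name, the session store and the forged/legitimate requests are all assumptions constructed for the example, and the Origin check is a later addition to the synchronizer-token fix that was the standard remedy when this thread was written.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

WHM_ORIGIN = "https://yourserver.com:2087"  # assumed origin of the WHM instance

# Constructed in-memory session store (assumption): cookie value -> session data.
# The anti-CSRF token is generated once per session and never leaves the WHM origin.
SESSIONS = {"s3ss10n": {"user": "root", "csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token_for(cookie):
    return SESSIONS[cookie]["csrf_token"]


def _session(req):
    return SESSIONS.get(req.cookies.get("whmsession", ""))


def _change_root_password(params, state):
    if params.get("user") != ["root"] or not params.get("password"):
        return 400, "missing user or password"
    state["mysql_root_password"] = params["password"][0]
    return 200, "password changed"


def passwdmysql_vulnerable(req, state):
    """The pattern the thread describes: a state-changing GET, authorised only by
    the session cookie. The browser sends that cookie with the iframe's request,
    so any page the logged-in admin visits can trigger the change."""
    if _session(req) is None:
        return 401, "not logged in"
    if req.path != "/scripts/passwdmysql":
        return 404, "no such script"
    return _change_root_password(parse_qs(req.query), state)


def passwdmysql_hardened(req, state):
    """Same script with three checks: POST only, same-origin when the browser
    supplies Origin/Referer, and a token bound to the victim's session."""
    sess = _session(req)
    if sess is None:
        return 401, "not logged in"
    if req.path != "/scripts/passwdmysql":
        return 404, "no such script"
    if req.method != "POST":
        return 405, "password changes must be POSTed"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and not origin.startswith(WHM_ORIGIN):
        return 403, "cross-origin request refused"
    params = parse_qs(req.body)
    supplied = params.get("csrf_token", [""])[0]
    # Constant-time comparison; the attacker's page cannot read sess["csrf_token"].
    if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    return _change_root_password(params, state)


def forged_request():
    """What the hidden iframe on the attacker's page produces (constructed):
    the victim's cookie rides along, but no token and a foreign Referer."""
    return Request("GET", "/scripts/passwdmysql",
                   query="password=changedpw&user=root&submit=Change+Password",
                   cookies={"whmsession": "s3ss10n"},
                   headers={"Referer": "https://evil.example/"})


def legitimate_request(new_password):
    """The admin's own form submission from inside WHM (constructed)."""
    token = csrf_token_for("s3ss10n")
    return Request("POST", "/scripts/passwdmysql",
                   body=f"password={new_password}&user=root&csrf_token={token}",
                   cookies={"whmsession": "s3ss10n"},
                   headers={"Origin": WHM_ORIGIN})


if __name__ == "__main__":
    state = {"mysql_root_password": "original"}
    print(passwdmysql_vulnerable(forged_request(), state), state)
    state = {"mysql_root_password": "original"}
    print(passwdmysql_hardened(forged_request(), state), state)
    print(passwdmysql_hardened(legitimate_request("newpw"), state), state)
```

Run it and the forged GET rewrites the root password through the vulnerable handler while every forged variant (GET, POST with a foreign Referer, POST with no headers at all) is refused by the hardened one; only the admin's own POST carrying the session-bound token succeeds. The token is the check that holds even if the attacker auto-submits a form instead of using an iframe, which is why requiring POST alone is not enough.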