ignore security and it'll go away

Easy Hosting Control Panel 0.37.9 Bypass / File Upload / Disclosure

Easy Hosting Control Panel 0.37.9 Bypass / File Upload / Disclosure
Posted Mar 30, 2016
Authored by Kyle Lovett

Easy Hosting Control Panel versions 0.29 through 0.37.9 suffer from information disclosure, authentication bypass, clear text password storage, and remote file upload vulnerabilities.

tags | exploit, remote, vulnerability, bypass, info disclosure, file upload
MD5 | 9d781120ac3ccba338e1aeb6ce565e1c

Easy Hosting Control Panel 0.37.9 Bypass / File Upload / Disclosure

Change Mirror Download
EHCP Easy Hosting Control Panel
Multiple Vulnerabilities -
Clear Text MySQL Root Password
Insufficiently Protected Sensitive Data
Authentication Bypass
Unauthenticated Arbitrary File Upload

Software Links:
https://launchpad.net/ehcp
http://www.ehcp.net
https://sourceforge.net/p/ehcp/wiki/
--------------------------------------------------------------------------------------------
Description:
“ehcp is a hosting control panel, for multiple domains on single
machine. easily installable,easy usage, non-complex,functional.
homepage:http://www.ehcp.net * automatically installs and works: dns,
apache, mysql, ftp, email, domains and auto updates”
--------------------------------------------------------------------------------------------

CWE-256: Plaintext Storage of a Password
CWE-522: Insufficiently Protected Credentials
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues
Access : Remote (All Vulnerabilities)
Complexity : Low (All Vulnerabilities)

Currently, many resellers are using this software to manage multiple
customer domains, which in many cases also exposes ssh and mysql ports
to the outside world.

All known versions between 0.29 and 0.37.9 are affected. Earlier
versions may be impacted as well.
ver 0.37.9
ver 0.30.6
ver.0.29.15
ver 0.29.13

--------------------------------------------------------------------------------------------
#1 Plaintext Storage of a Password
By browsing directly to http://<IP>/ehcp/ehcpbackup.php sensitive
information regarding the web server, local OS and SQL DB are exposed
without authentication. This almost always includes the MySQL root
password in clear text via the exposure of a mysqldump action. These
credentials can be used to log directly into PHPMYADMIN. The
ehcpbackup.php file also exposes the dir listing of the ehcp directory
itself, local file paths, all databases and domains associated with
that EHCP build as well as domain useranmes.

As with almost every file in the EHCP software suite, the permissions
are set to -rw-r--r--

http://<IP>/ehcp/ehcpbackup.php

Access : Remote
Complexity : Low
Impact : Complete
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues

--------------------------------------------------------------------------------------------
#2 Unauthenticated File upload
Unauthenticated file upload By browsing to any of the following four
URLs, a remote attacker can upload any file which then is stored in a
phptmpdir directory. It does not appear to validate either the user
uploading nor the file type.

http://<IP>/ehcp/test/up2.php
http://<IP>/ehcp/test/upload2.php
http://<IP>/ehcp/test/upload.php
http://<IP>/ehcp/test/up.php

Access : Remote
Complexity : Low
CWE-592: Authentication Bypass Issues
CWE-434: Unrestricted Upload of File

--------------------------------------------------------------------------------------------
#3 Information Disclosure
The following URL pathways can be remotely browsed to without
authentication. They all give various amounts of information
disclosure which exposes almost all of the underworking directory and
functions of the Hosting software, SQL tables and database queries.

http://<IP>/ehcp/ehcp_postfix.sh
http://<IP>/phpsysinfo
http://<IP>/ehcp/apache_default.conf
http://<IP>/ehcp/apachehcp_auth.conf
http://<IP>/ehcp/apachehcp.conf
http://<IP>/ehcp/apachehcp_passivedomains.conf
http://<IP>/ehcp/apachehcp_subdomains.conf
http://<IP>/ehcp/apache_subdomain_template
http://<IP>/ehcp/apache_subdomain_template_ipbased
http://<IP>/ehcp/apachetemplate
http://<IP>/ehcp/apachetemplate_ipbased
http://<IP>/ehcp/apachetemplate_passivedomains
http://<IP>/ehcp/ehcp-apt-get-install.log
http://<IP>/ehcp/ehcpbackup.php
http://<IP>/ehcp/ehcpdaemon2.sh
http://<IP>/ehcp/install_log.txt
http://<IP>/ehcp/install.sh
http://<IP>/ehcp/LocalServer.cnf
http://<IP>/ehcp/ehcp_daemon.py
http://<IP>/ehcp/ehcpdaemon.sh
http://<IP>/ehcp/ehcp_fix_apache.php
http://<IP>/ehcp/ehcpinfo.html
http://<IP>/ehcp/ehcp_postfix2.sh
http://<IP>/ehcp/ehcp_postfix.sh
http://<IP>/ehcp/ehcp.sql
http://<IP>/ehcp/ehcp_upgrade.sh
http://<IP>/ehcp/ehcpupgrade.sql
http://<IP>/ehcp/checkapacheconfig.sh
http://<IP>/ehcp/checkapache.sh
http://<IP>/ehcp/etc/apache2/apache_subdomain_template
http://<IP>/ehcp/etc/apache2/apache_subdomain_template_ipbased
http://<IP>/ehcp/etc/apache2/apachetemplate
http://<IP>/ehcp/etc/apache2/apachetemplate_ipbased
http://<IP>/ehcp/etc/apache2/apachetemplate_passivedomains
http://<IP>/ehcp/etc/apache2/default
http://<IP>/ehcp/etc/apache2/ports.conf
http://<IP>/ehcp/etc/apache2_ssl/apache_subdomain_template
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate_ipbased
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate_passivedomains
http://<IP>/ehcp/etc/apache2_ssl/default
http://<IP>/ehcp/etc/apache2_ssl/default-ssl
http://<IP>/ehcp/etc/apache2_ssl/ports.conf
http://<IP>/ehcp/etc/logrotate.d/ehcp
http://<IP>/ehcp/named_ehcp.conf
http://<IP>/ehcp/phpadmin.php
http://<IP>/ehcp/phpmyadmin.conf
http://<IP>/ehcp/pop-before-smtp.conf
http://<IP>/ehcp/resetmysqlrootpass.sh
http://<IP>/ehcp/scriptsupdate.sql
http://<IP>/ehcp/scriptsupdate.sql.html
http://<IP>/ehcp/setup.sh
http://<IP>/ehcp/smtpd.cert
http://<IP>/ehcp/smtpd.key
http://<IP>/ehcp/ssh2.sh
http://<IP>/ehcp/stats.php
http://<IP>/ehcp/misc/importexport.php
http://<IP>/ehcp/misc/mysqltroubleshooter.php
http://<IP>/ehcp/misc/redirect_index.html
http://<IP>/ehcp/misc/serverstatus.sh


Access : Remote
Complexity : Low
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues

--------------------------------------------------------------------------------------------

Timeline: In late February the Vendor was contacted via email, which
was followed up with a full bug report at https://launchpad.net/ehcp.
While the vendor did reply to acknowledge the bugs, no timeframe nor
any other information was given for when a fix would be complete.
Vendor did not respond to any further followup correspondence.

There is no known work around at this time other than
disabling EHCP suite completely, and switching to a more secure
solution until these issues can be patched.

While the gui interface mechanisms does an OK job locking down the
masked url front end web calls it makes, the entire backend files
which are being called, can be directly accessed, bypassing the need
to use the GUI interface.

Research Contact: Kyle Lovett
March 29, 2016

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    2 Files
  • 23
    Oct 23rd
    16 Files
  • 24
    Oct 24th
    4 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close