Subject:
Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via script injection.


Severity:
High; Full access to all client functions can be obtained with little effort, putting entire installations of the software and its users at risk.


Preamble:
(Taken from http://www.lpanel.net/)
Lpanel is a Complete Web Hosting Billing & Automation Suite that installs over cPanel, WHM.

Created from the ground up from cPanel by web hosting administrators, Lpanel has everything a cPanel hosting business needs and will ever need. Constantly expanding to meet the quickly developing web hosting market, Lpanel is the only complete management solution available today for cPanel web hosts. From multi-staff tiers, automated signups, reseller management, network utilities, automated SSL, as well as a full array of “Added Services” and detailed efficiency reports - Lpanel is always steps ahead of the rest.


Problem:
Lpanel.NET's Lpanel is vulnerable to plain-text credential leakage due to a bug in the use of a GET variable within the system. Using this bug maliciously, an attacker could gain unauthorized access to the plain-text session credentials of other users in the system. The attacker needs absolutely no access to the system to exploit this vulnerability. The targeted variable is the “pid” GET variable, often sent to view_ticket.php (i.e. http://yourdomain.com/lpanel/help/view_ticket.php?pid=50). An attacker can insert malicious URL encoded javascript into the GET variable, and cause view clients to forfeit their session information to javascript. An example malicious URL would be:

http://yourdomain.com/lpanel/help/view_ticket.php?pid=%22%3E%3C%2Ftd%3E%3Cscript+language%3Djavascript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

However the above URL does not actually instruct the client's browser to send out the session information, it merely proves the validity of the vulnerability. Thus an attacker could persuade an innocent system user to click the link, and with the appropriate javascript inserted into the URL, have session information forwarded to themselves, thus giving them access to that client's session. Once session information was acquired, the attacker would need simply to insert the user's session information as cookies into their own browser, and hit the installation of Lpanel, thus gaining full unauthorized access to the user's account, credentials, and functions.


Workaround:
This bug can be fixed by securing the “pid” variable before use. An alternative workaround would be to use another vendor, that secures user input. Perhaps this vulnerability would've been caught in the initial stages of development had the product been released open source, making case for one to seek out an open source solution, or at least a solution with a better proven track record. “Lpanel is always steps ahead of the rest.” -- Negative.


Vendor Contact:
Lpanel.NET's Lpanel
URL: http://www.lpanel.net/
Email: sales@lpanel.net (I was unable to find a more relevant email contact)
Mailing Address:
  Lpanel.NET
  PO Box 940876
  Miami, Florida 33194-0056
  United States
Phone: 614-441-4838


Disclosure Timeline:
Vendor Notified: June 6, 2005
Public Release: June 6, 2005


About the Author:
The author is in between life paths at the moment, but is currently a software engineer at a company to remain unnamed. When not at his computer, the author enjoys doing a great many things, most of which he has lost all time for, or lacks people to do those things with in his current lifestyle. As such he finds more time for work, or just visits Blockbuster, and when all else fails, fabricates reports such as this.

The author is posting this message anonymously in order to avoid potential legal consequences, although he is having trouble seeing any potential consequences as feasible, considering the vendor does not release a plain-text version of their license (the license is actually encoded, and when viewed, renders a PHP parse error).


Greets:
I'd like to say hi to the team with which I work; you're all great. I'd also like to say hello to swoolley and tautology.

--