EHCP Easy Hosting Control Panel Multiple Vulnerabilities - Clear Text MySQL Root Password Insufficiently Protected Sensitive Data Authentication Bypass Unauthenticated Arbitrary File Upload Software Links: https://launchpad.net/ehcp http://www.ehcp.net https://sourceforge.net/p/ehcp/wiki/ -------------------------------------------------------------------------------------------- Description: “ehcp is a hosting control panel, for multiple domains on single machine. easily installable,easy usage, non-complex,functional. homepage:http://www.ehcp.net * automatically installs and works: dns, apache, mysql, ftp, email, domains and auto updates” -------------------------------------------------------------------------------------------- CWE-256: Plaintext Storage of a Password CWE-522: Insufficiently Protected Credentials CWE-200: Information Exposure CWE-592: Authentication Bypass Issues Access : Remote (All Vulnerabilities) Complexity : Low (All Vulnerabilities) Currently, many resellers are using this software to manage multiple customer domains, which in many cases also exposes ssh and mysql ports to the outside world. All known versions between 0.29 and 0.37.9 are affected. Earlier versions may be impacted as well. ver 0.37.9 ver 0.30.6 ver.0.29.15 ver 0.29.13 -------------------------------------------------------------------------------------------- #1 Plaintext Storage of a Password By browsing directly to http:///ehcp/ehcpbackup.php sensitive information regarding the web server, local OS and SQL DB are exposed without authentication. This almost always includes the MySQL root password in clear text via the exposure of a mysqldump action. These credentials can be used to log directly into PHPMYADMIN. The ehcpbackup.php file also exposes the dir listing of the ehcp directory itself, local file paths, all databases and domains associated with that EHCP build as well as domain useranmes. As with almost every file in the EHCP software suite, the permissions are set to -rw-r--r-- http:///ehcp/ehcpbackup.php Access : Remote Complexity : Low Impact : Complete CWE-256: Plaintext Storage of a Password CWE-200: Information Exposure CWE-592: Authentication Bypass Issues -------------------------------------------------------------------------------------------- #2 Unauthenticated File upload Unauthenticated file upload By browsing to any of the following four URLs, a remote attacker can upload any file which then is stored in a phptmpdir directory. It does not appear to validate either the user uploading nor the file type. http:///ehcp/test/up2.php http:///ehcp/test/upload2.php http:///ehcp/test/upload.php http:///ehcp/test/up.php Access : Remote Complexity : Low CWE-592: Authentication Bypass Issues CWE-434: Unrestricted Upload of File -------------------------------------------------------------------------------------------- #3 Information Disclosure The following URL pathways can be remotely browsed to without authentication. They all give various amounts of information disclosure which exposes almost all of the underworking directory and functions of the Hosting software, SQL tables and database queries. http:///ehcp/ehcp_postfix.sh http:///phpsysinfo http:///ehcp/apache_default.conf http:///ehcp/apachehcp_auth.conf http:///ehcp/apachehcp.conf http:///ehcp/apachehcp_passivedomains.conf http:///ehcp/apachehcp_subdomains.conf http:///ehcp/apache_subdomain_template http:///ehcp/apache_subdomain_template_ipbased http:///ehcp/apachetemplate http:///ehcp/apachetemplate_ipbased http:///ehcp/apachetemplate_passivedomains http:///ehcp/ehcp-apt-get-install.log http:///ehcp/ehcpbackup.php http:///ehcp/ehcpdaemon2.sh http:///ehcp/install_log.txt http:///ehcp/install.sh http:///ehcp/LocalServer.cnf http:///ehcp/ehcp_daemon.py http:///ehcp/ehcpdaemon.sh http:///ehcp/ehcp_fix_apache.php http:///ehcp/ehcpinfo.html http:///ehcp/ehcp_postfix2.sh http:///ehcp/ehcp_postfix.sh http:///ehcp/ehcp.sql http:///ehcp/ehcp_upgrade.sh http:///ehcp/ehcpupgrade.sql http:///ehcp/checkapacheconfig.sh http:///ehcp/checkapache.sh http:///ehcp/etc/apache2/apache_subdomain_template http:///ehcp/etc/apache2/apache_subdomain_template_ipbased http:///ehcp/etc/apache2/apachetemplate http:///ehcp/etc/apache2/apachetemplate_ipbased http:///ehcp/etc/apache2/apachetemplate_passivedomains http:///ehcp/etc/apache2/default http:///ehcp/etc/apache2/ports.conf http:///ehcp/etc/apache2_ssl/apache_subdomain_template http:///ehcp/etc/apache2_ssl/apachetemplate http:///ehcp/etc/apache2_ssl/apachetemplate_ipbased http:///ehcp/etc/apache2_ssl/apachetemplate_passivedomains http:///ehcp/etc/apache2_ssl/default http:///ehcp/etc/apache2_ssl/default-ssl http:///ehcp/etc/apache2_ssl/ports.conf http:///ehcp/etc/logrotate.d/ehcp http:///ehcp/named_ehcp.conf http:///ehcp/phpadmin.php http:///ehcp/phpmyadmin.conf http:///ehcp/pop-before-smtp.conf http:///ehcp/resetmysqlrootpass.sh http:///ehcp/scriptsupdate.sql http:///ehcp/scriptsupdate.sql.html http:///ehcp/setup.sh http:///ehcp/smtpd.cert http:///ehcp/smtpd.key http:///ehcp/ssh2.sh http:///ehcp/stats.php http:///ehcp/misc/importexport.php http:///ehcp/misc/mysqltroubleshooter.php http:///ehcp/misc/redirect_index.html http:///ehcp/misc/serverstatus.sh Access : Remote Complexity : Low CWE-256: Plaintext Storage of a Password CWE-200: Information Exposure CWE-592: Authentication Bypass Issues -------------------------------------------------------------------------------------------- Timeline: In late February the Vendor was contacted via email, which was followed up with a full bug report at https://launchpad.net/ehcp. While the vendor did reply to acknowledge the bugs, no timeframe nor any other information was given for when a fix would be complete. Vendor did not respond to any further followup correspondence. There is no known work around at this time other than disabling EHCP suite completely, and switching to a more secure solution until these issues can be patched. While the gui interface mechanisms does an OK job locking down the masked url front end web calls it makes, the entire backend files which are being called, can be directly accessed, bypassing the need to use the GUI interface. Research Contact: Kyle Lovett March 29, 2016