You don’t have to be a super hacker to hack millions of websites, this CPanel flaw makes it easy for anyone

by time news

2023-04-28 02:39:01

The software known as cPanel is widely used online as a control panel for web hosting. At the time this article was written, there were exactly 1.4 million cPanel installations exposed on the public Internet.

The researchers found a reflected cross-site scripting (XSS) vulnerability that could be exploited without authentication. Furthermore, it could be exploited even if cPanel’s management ports (2080, 2082, 2083, and 2086) were not open to the outside world. This means that if your website is hosted on cPanel and served on ports 80 and 443, it was also susceptible to the cross-site scripting vulnerability.

The core of CVE-2023-29489 is an invalid webcall ID that can contain XSS content. When this ID is displayed in the cpsrvd error page, it is not properly escaped, which allows the XSS attack.

The repercussions of being susceptible to this vulnerability are quite concerning. With cPanel in its default configuration, a malicious actor can execute arbitrary JavaScript, pre-authentication, on almost any port of a web server. This is due to proxy rules that allow access to the /cpanelwebcall/ directory even on ports 80 and 443, which do not otherwise expose the management interface.

In practice, this means an attacker can execute arbitrary JavaScript, before any authentication, on virtually every port of a web server running cPanel with its default settings.

The proxy rules are to blame for this situation. Even though Apache proxies the cPanel management ports onto ports 80 and 443, the researchers were still able to reach the /cpanelwebcall/ directory through them.

Because of this, an adversary can launch attacks not only against cPanel’s administrative ports, but also against applications running on ports 80 and 443.

An adversary can use this cross-site scripting attack to hijack a legitimate user’s cPanel session, provided the cPanel management ports were exposed in the first place.

Once authenticated as a cPanel user, it is often quite simple to upload a web shell and gain command-execution privileges.

Proof of concept

In order to demonstrate the vulnerability, the researchers provided the following proof-of-concept URLs:

  • http://example.com/cpanelwebcall/aaaaaaaaaaaaa
  • http://example.com:2082/cpanelwebcall/aaaaaaaaaaaaa
  • http://example.com:2086/cpanelwebcall/aaaaaaaaaaaaa
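Since the bug is reached through requests to /cpanelwebcall/ on any proxied port, a defender can hunt for exploitation attempts in ordinary web server logs. The following Python script is an added detection example, not code from the article or from cPanel: it parses Apache-style combined access-log lines (the log format, the markup-character heuristic and the sample lines are all assumptions/constructed) and flags /cpanelwebcall/ requests whose path carries HTML markup characters that a legitimate webcall ID would not contain.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log layout (an assumption about the log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A webcall ID has no legitimate use for these characters; they are what is
# needed to break out of the HTML context of the cpsrvd error page.
MARKUP_CHARS = set('<>"\'`()')


def is_webcall_probe(line):
    """Return details of a suspicious /cpanelwebcall/ request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    if not path.startswith("/cpanelwebcall/"):
        return None
    # Decode twice: double URL-encoding is a common way to slip past naive filters.
    decoded = unquote(unquote(path))
    hits = sorted(MARKUP_CHARS & set(decoded))
    if not hits:
        return None  # e.g. the plain PoC URL, which only triggers the error page
    return {"ip": m.group("ip"), "status": m.group("status"),
            "path": path, "decoded": decoded, "chars": hits}


def scan(lines):
    """Run is_webcall_probe over every log line and keep the hits."""
    return [hit for hit in map(is_webcall_probe, lines) if hit]


# Constructed sample log lines (not real traffic); note that the hits arrive on
# the ordinary web port, not on a cPanel management port.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Apr/2023:02:39:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [28/Apr/2023:02:40:12 +0000] "GET /cpanelwebcall/aaaaaaaaaaaaa HTTP/1.1" 400 233 "-" "curl/7.88.1"',
    '198.51.100.9 - - [28/Apr/2023:02:41:30 +0000] "GET /cpanelwebcall/%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 400 251 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Apr/2023:02:41:31 +0000] "GET /cpanelwebcall/%253Cb%253Ex HTTP/1.1" 400 248 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} -> {hit["decoded"]} (chars {"".join(hit["chars"])})')
```

Feed it the access logs of the port 80/443 virtual hosts as well as those of the management ports, since the article's point is that the bug is reachable on both.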

If you suspect this vulnerability affects your website, there is little cause for alarm. Most cPanel installations on the Internet have automatic updates enabled, so you may no longer be at risk of exploitation even if you have not applied a patch yourself. Updating to any of the following cPanel versions or higher removes the risk associated with this vulnerability:

  • 11.109.9999.116
  • 11.108.0.13
  • 11.106.0.18
  • 11.102.0.31