cPanel 5/6/7/8/9 dir Parameter Cross-Site Scripting Vulnerability
2004-03-12T00:00:00
ID EDB-ID:23806 Type exploitdb Reporter Fable Modified 2004-03-12T00:00:00
Description
cPanel 5/6/7/8/9 dir Parameter Cross-Site Scripting Vulnerability. CVE-2004-2308. Webapps exploit for cgi platform
source: http://www.securityfocus.com/bid/9853/info
It has been reported that cPanel may be prone to a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. The issue presents itself due to insufficient sanitization of user-supplied data via the 'dir' parameter of 'dohtaccess.html' page. The victim may require to be authenticated with valid credentials to be exposed to exploitation.
Due to the possibility of attacker-specified HTML and script code being rendered in a victim's browser, it is possible to steal cookie-based authentication credentials from that user. Other attacks are possible as well.
http://www.example.com:2082/frontend/x/htaccess/dohtaccess.html?dir=><script>alert(0x29A Crew)</script>
{"id": "EDB-ID:23806", "type": "exploitdb", "bulletinFamily": "exploit", "title": "cPanel 5/6/7/8/9 dir Parameter Cross-Site Scripting Vulnerability", "description": "cPanel 5/6/7/8/9 dir Parameter Cross-Site Scripting Vulnerability. CVE-2004-2308. Webapps exploit for cgi platform", "published": "2004-03-12T00:00:00", "modified": "2004-03-12T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/23806/", "reporter": "Fable", "references": [], "cvelist": ["CVE-2004-2308"], "lastseen": "2016-02-02T21:51:22", "viewCount": 9, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2016-02-02T21:51:22", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-2308"]}, {"type": "osvdb", "idList": ["OSVDB:4219"]}, {"type": "nessus", "idList": ["CPANEL_LOGIN_CMD_EXEC.NASL"]}], "modified": "2016-02-02T21:51:22", "rev": 2}, "vulnersScore": 4.5}, "sourceHref": "https://www.exploit-db.com/download/23806/", "sourceData": "source: http://www.securityfocus.com/bid/9853/info\r\n\r\nIt has been reported that cPanel may be prone to a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. The issue presents itself due to insufficient sanitization of user-supplied data via the 'dir' parameter of 'dohtaccess.html' page. The victim may require to be authenticated with valid credentials to be exposed to exploitation.\r\n\r\nDue to the possibility of attacker-specified HTML and script code being rendered in a victim's browser, it is possible to steal cookie-based authentication credentials from that user. Other attacks are possible as well.\r\n\r\nhttp://www.example.com:2082/frontend/x/htaccess/dohtaccess.html?dir=><script>alert(0x29A Crew)</script>", "osvdbidlist": ["4219"]}
{"cve": [{"lastseen": "2020-10-03T11:33:41", "description": "Cross-site scripting (XSS) vulnerability in cPanel 9.1.0 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the dir parameter in dohtaccess.html.", "edition": 3, "cvss3": {}, "published": "2004-12-31T05:00:00", "title": "CVE-2004-2308", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2308"], "modified": "2017-07-11T01:31:00", "cpe": ["cpe:/a:cpanel:cpanel:7.0", "cpe:/a:cpanel:cpanel:6.0", "cpe:/a:cpanel:cpanel:9.0", "cpe:/a:cpanel:cpanel:9.1", "cpe:/a:cpanel:cpanel:6.4.2_stable_48", "cpe:/a:cpanel:cpanel:6.2", "cpe:/a:cpanel:cpanel:6.4.1", "cpe:/a:cpanel:cpanel:6.4.2", "cpe:/a:cpanel:cpanel:6.4", "cpe:/a:cpanel:cpanel:5.0", "cpe:/a:cpanel:cpanel:8.0", "cpe:/a:cpanel:cpanel:5.3"], "id": "CVE-2004-2308", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2308", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:cpanel:cpanel:6.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:6.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:5.3:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:6.4:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:6.4.2_stable_48:*:*:*:*:*:*:*", "cpe:2.3:a:cpanel:cpanel:9.1:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:58", "bulletinFamily": "software", "cvelist": ["CVE-2004-2308"], "edition": 1, "description": "## Vulnerability Description\ncPanel contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"dir\" variable upon submission to the \"dohtaccess.html\" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\ncPanel contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"dir\" variable upon submission to the \"dohtaccess.html\" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]:2082/frontend/x/htaccess/dohtaccess.html?dir=><script>alert(vulnerable)</script>\n## References:\nVendor URL: http://www.cpanel.net/\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-03/0119.html\nISS X-Force ID: 15485\n[CVE-2004-2308](https://vulners.com/cve/CVE-2004-2308)\nBugtraq ID: 9853\n", "modified": "2004-03-11T00:00:00", "published": "2004-03-11T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:4219", "id": "OSVDB:4219", "type": "osvdb", "title": "cPanel dohtaccess.html dir Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-20T09:38:17", "description": "The version of cPanel installed on the remote host is version\n9.1.0 (or earlier) and thus reportedly affected by multiple\nissues:\n\n - The dohtaccess.html script fails to sanitize input supplied\n by a user and is affected by a cross-site scripting \n vulnerability. (CVE-2004-2308)\n\n - Both the Login Page and resetpass functionality fail to \n sanitize user input and can be manipulated to execute\n arbitrary commands (CVE-2004-1769 & CVE-2004-1770). For \n example, the following URL demonstrates the id command \n being executed:\n\n http://www.example.com:2082/login/?user=|\"`id`\"|", "edition": 24, "published": "2004-03-14T00:00:00", "title": "cPanel <= 9.1.0 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-2308", "CVE-2004-1769", "CVE-2004-1770"], "modified": "2004-03-14T00:00:00", "cpe": [], "id": "CPANEL_LOGIN_CMD_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/12097", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n# \n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(12097);\n script_version(\"1.23\");\n script_cve_id(\"CVE-2004-1769\", \"CVE-2004-1770\", \"CVE-2004-2308\");\n script_bugtraq_id(9848, 9853, 9855);\n\n script_name(english:\"cPanel <= 9.1.0 Multiple Vulnerabilities\");\n script_summary(english:\"Tries to execute a command\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains an application that is affected by \nmultiple issues.\" );\n script_set_attribute(attribute:\"description\", value:\n'The version of cPanel installed on the remote host is version\n9.1.0 (or earlier) and thus reportedly affected by multiple\nissues:\n\n - The dohtaccess.html script fails to sanitize input supplied\n by a user and is affected by a cross-site scripting \n vulnerability. (CVE-2004-2308)\n\n - Both the Login Page and resetpass functionality fail to \n sanitize user input and can be manipulated to execute\n arbitrary commands (CVE-2004-1769 & CVE-2004-1770). For \n example, the following URL demonstrates the id command \n being executed:\n\n http://www.example.com:2082/login/?user=|\"`id`\"|' );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the newest version of cPanel or disable this service\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:W/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/03/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/03/11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 2082);\n exit(0);\n}\n\n# Check starts here\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nhttp_check_remote_code (\n\t\t\tdefault_port:2082,\n\t\t\tunique_dir:\"/login\",\n\t\t\tcheck_request:'/?user=|\"`id`\"|',\n\t\t\tcheck_result:\"uid=[0-9]+.*gid=[0-9]+.*\",\n\t\t\tcommand:\"id\"\n\t\t\t);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}