Lpanel viewreceipt.php Arbitrary Invoice Access

2005-06-06T08:53:15
ID OSVDB:17135
Type osvdb
Reporter Zackarin Smitz(zackerius12@linuxmail.org)
Modified 2005-06-06T08:53:15

Description

Vulnerability Description

Lpanel contains a flaw that may allow a remote denial of service. The issue is triggered when a logged-in user modifies the DNS settings for another domain managed by Lpanel. It could result in loss of availability for the domain.

Technical Description

By modifying the "editdomain" variable when accessing domains.php, a logged-in user can modify the settings of another domain managed by Lpanel.
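The missing authorization step described above, shown as an added example that is not Lpanel's code: a request-supplied "editdomain" value is accepted for any logged-in session in the first check and tied to the session's own account in the second. The function names, the ownership table and the sample accounts are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data: which account owns which managed domain.
// Account names and domains are illustrative, not taken from Lpanel.
const DOMAIN_OWNERS = [
    'example-a.test' => 'alice',
    'example-b.test' => 'bob',
];

// Flawed pattern: any authenticated session may edit whatever domain the
// request names, because the "editdomain" value is trusted as-is.
function canEditUnchecked(?string $sessionUser, string $editdomain): bool
{
    return $sessionUser !== null
        && array_key_exists($editdomain, DOMAIN_OWNERS);
}

// Corrected pattern: the domain named in the request must belong to the
// account bound to the session; unknown domains are denied the same way.
function canEditOwned(?string $sessionUser, string $editdomain): bool
{
    if ($sessionUser === null) {
        return false;
    }
    $key = strtolower(trim($editdomain));
    if (!array_key_exists($key, DOMAIN_OWNERS)) {
        return false;
    }
    return DOMAIN_OWNERS[$key] === $sessionUser;
}

// Hypothetical handler: returns the HTTP status a page such as domains.php
// would send before any DNS setting is read or written.
function handleEdit(?string $sessionUser, array $query, callable $check): int
{
    $editdomain = $query['editdomain'] ?? '';
    if (!is_string($editdomain) || $editdomain === '') {
        return 400; // missing or array-valued parameter
    }
    return $check($sessionUser, $editdomain) ? 200 : 403;
}

// Constructed request: alice is logged in, the parameter names bob's domain.
$query = ['editdomain' => 'example-b.test'];
printf("unchecked: %d\n", handleEdit('alice', $query, 'canEditUnchecked'));
printf("owned:     %d\n", handleEdit('alice', $query, 'canEditOwned'));
```

The ownership decision is made from the session identity on the server, so changing the parameter only changes which domain is checked, not who is allowed to edit it.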

Solution Description

Upgrade to version 1.597 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.lpanel.net/
Vendor Specific News/Changelog Entry: http://www.lpanel.net/changelog.php
Secunia Advisory ID: 15589
Related OSVDB ID: 17132
Related OSVDB ID: 17134
Related OSVDB ID: 17136
Related OSVDB ID: 17133
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0030.html
CVE-2005-1932