Type packetstorm
Reporter _6mO_HaCk
Modified 2006-02-04T00:00:00


Title: cPanel Multiple Cross Site Scripting  
Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>  
Discovered: 22 January 2005  
Published: 02 February 2006  
MorX Security Research Team  
Service: Web Hosting Manager  
Vendor: cPanel  
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks  
Severity: Medium/High  
cPanel (control panel) is a graphical web-based management tool, designed  
to make administration of web sites as easy as possible. cPanel handles  
all aspects of website administration in an easy-to-use interface.  
The software, which is proprietary, runs on a number of popular RPM-based  
Linux distributions, such as SuSE, Fedora, Mandriva, CentOS, Red Hat  
Enterprise Linux, and cAos, as well as FreeBSD. cPanel is commonly  
accessed on ports 2082 and 2083 (the latter for the SSL version). Authentication is  
via either HTTP authentication or a web-page login. cPanel is prone to cross-site  
scripting attacks. This problem is due to a failure in the application to properly  
sanitize user-supplied input before reflecting it into its pages.  
An attacker can exploit the vulnerable scripts to have arbitrary script  
code executed in the browser of an authenticated cPanel user, in the context  
of the website hosting the vulnerable cPanel version. This can result in the  
theft of cookie-based authentication credentials, giving the attacker full access to  
the victim's cPanel account, as well as in other types of attacks.  
Affected scripts with proof of concept exploit:<script>alert('vul')</script>&domain=<script>alert('vul')</script>&domain=xxx"><script>alert('vul')</script>"><script>alert('vul')</script>"><script>alert('vul')</script>&target=xxx"><script>alert('vul')</script>&domain=xxx&target=xxx"><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx  
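The PoC URLs above all use the same pattern: a value such as `xxx"><script>...</script>` is placed in the `domain`, `target` or `year` parameter and is echoed unescaped into the page, so the `">` breaks out of an attribute and the script tag becomes live. The following is an added example, not cPanel code, showing a minimal reflecting handler in the vulnerable form beside a hardened one that allowlists each parameter and HTML-escapes on output; the parameter names come from the advisory, the allowlist rules and the page layout are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Allowlist for each reflected parameter named in the advisory's PoC URLs.
# Assumption: a hostname-like domain, a short identifier, and a four-digit year.
PARAM_RULES = {
    "domain": re.compile(r"^[A-Za-z0-9.-]{1,253}$"),
    "target": re.compile(r"^[A-Za-z0-9._-]{1,64}$"),
    "year": re.compile(r"^\d{4}$"),
}


def _first_values(query: str) -> dict:
    """Reduce a query string to one value per parameter (first occurrence wins)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(query: str) -> str:
    """Echo the parameters straight into HTML: the bug class the advisory describes."""
    p = _first_values(query)
    return (f'<form><input name="domain" value="{p.get("domain", "")}">'
            f'<p>Target: {p.get("target", "")}</p>'
            f'<p>Year: {p.get("year", "")}</p></form>')


def render_hardened(query: str) -> str:
    """Validate against the allowlist, then HTML-escape at the output point.

    quote=True also encodes the double quote, which is what the PoC uses to
    close the value="..." attribute before injecting its <script> tag.
    """
    p = _first_values(query)
    clean = {}
    for name, rule in PARAM_RULES.items():
        value = p.get(name, "")
        # Reject values that fail validation instead of trying to "clean" them.
        clean[name] = value if rule.match(value) else ""
    esc = {k: html.escape(v, quote=True) for k, v in clean.items()}
    return (f'<form><input name="domain" value="{esc["domain"]}">'
            f'<p>Target: {esc["target"]}</p>'
            f'<p>Year: {esc["year"]}</p></form>')


def contains_active_script(markup: str) -> bool:
    """Check whether rendered markup still carries a live <script> tag."""
    return "<script" in markup.lower()
```

Output escaping removes the injection; marking the session cookie `HttpOnly` additionally keeps a surviving XSS from reading it, which limits the cookie-theft impact the advisory describes but does not fix the XSS itself.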
This entire document is for educational, testing and demonstration purposes  
only. Modification, use and/or publishing of this information is entirely at  
your OWN risk. The information provided in this advisory is to be  
used/tested on your OWN machine/account. I cannot be held responsible for  
any of the above.