[Full-Disclosure] cPanel hardlink backup issue

2004-10-18T00:00:00
ID SECURITYVULNS:DOC:7031
Type securityvulns
Reporter Securityvulns
Modified 2004-10-18T00:00:00

Description


Name: cPanel
Vendor URL: http://www.cpanel.net
Author: Karol Więsek <appelast@drumnbass.art.pl>
Date: July 19, 2004

Issue: The cPanel backup feature allows logged-in users to read any file, including files they do not have permission to read.

Description: cPanel is a next generation web hosting control panel system. cPanel is extremely feature rich and includes an easy to use web based interface (GUI). cPanel is designed for the end users of your system and allows them to control everything from adding / removing email accounts to administering MySQL databases.

Details: The cPanel backup system allows an attacker to insert into the archive, and then download, files that he does not have permission to access. The system backup follows hard links (so this only works for files on the same partition, since a hard link cannot cross filesystems) and copies the linked file's contents into the tar.gz archive. An attacker could use php, cgi, crontab or shell access to link a file in his public_html to, for example, /etc/shadow, and then run the backup (Backup -> Generate/Download a Full Backup).

Exploit: To exploit this vulnerability, just link the file you want to grab to some file in $HOME and run the backup.

Tested on cPanel 9.4.1-RELEASE-64, and confirmed vulnerable.
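A defender-side check for the condition the advisory describes, added here as an example and not part of the advisory or of cPanel's own code: it flags regular files under a home directory whose link count is above one and whose owner is not the account, and shows a backup routine that writes the same kind of tar.gz while refusing those entries. The directory layout, the "secret" file, and the uid the home is compared against are all constructed for the demo.

```python
import os
import stat
import tarfile
import tempfile


def suspicious_hardlinks(root: str, owner_uid: int) -> list:
    # Regular files with a link count above one that the account does not own:
    # the shape a hard link to a foreign file (e.g. /etc/shadow) takes in $HOME.
    # os.walk does not follow symlinks and lstat never dereferences them.
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1 and st.st_uid != owner_uid:
                found.append(path)
    return sorted(found)


def make_backup(root: str, owner_uid: int, archive: str) -> list:
    # The tar.gz a full backup would produce, minus the foreign hard links.
    skip = set(suspicious_hardlinks(root, owner_uid))
    with tarfile.open(archive, "w:gz") as tar:
        for dirpath, dirs, files in os.walk(root):
            for name in dirs + files:
                path = os.path.join(dirpath, name)
                if path not in skip:  # recursive=False: every entry passes the check
                    tar.add(path, arcname=os.path.relpath(path, root), recursive=False)
    return sorted(skip)


def demo() -> dict:
    # Constructed layout: a "secret" outside the home, hard-linked into public_html as
    # the advisory describes. The home's owner is a hypothetical uid other than ours.
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "user")
    os.makedirs(os.path.join(home, "public_html"))
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("root:$6$constructed$hash:0:0:99999:7:::\n")  # constructed shadow-style line
    os.link(secret, os.path.join(home, "public_html", "grab.txt"))
    with open(os.path.join(home, "public_html", "index.html"), "w") as f:
        f.write("<h1>hi</h1>\n")
    owner_uid = os.getuid() + 1
    skipped = make_backup(home, owner_uid, os.path.join(base, "backup.tar.gz"))
    with tarfile.open(os.path.join(base, "backup.tar.gz")) as tar:
        members = sorted(tar.getnames())
    return {"skipped": [os.path.relpath(p, home) for p in skipped], "members": members}
```

On Linux 3.6 and later the sysctl fs.protected_hardlinks=1 stops unprivileged users from creating hard links to files they do not own, which removes the linking step itself; the check above is for auditing trees that already exist.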



Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html