
cPanel 10 multiple XSS
Multiple XSS cPanel 10



#####################################################
##
##        << Multiple cross site script >>
##
##              C P A N E L   1 0
##
##       Preth00nker [at] gmail [dot] com
##                BY PRETH00NKER
## http://mexhackteam.org
##
##           special dedication for my friends of:
## <>
##
##
######################################################

   [ introduction ]

Preth00nker discovered some new vulnerabilities in cPanel 10.
Cite: cPanel allows domain owners to manage and monitor their web site.
This easy to use interface is packed full of useful features. Inside
cPanel, domain owners can control their web site to a degree which was
never before possible. cPanel gives domain owners a flexibility beyond
that of the competition.
Refer: http://www.cpanel.net/products/cPanelandWHM/linux/cpanelov.htm


   [ Explanations: ]

Exploit #1: http://[Target:port]/frontend/x/htaccess/dohtaccess.html?dir=>[Your Code here]
Condition (tags): just a ! > ! before the script.
In the first case we can see that an error occurs in the $dir variable
inside the 'dohtaccess.html' file: when the application can't find the
folder that you request, the script
prints the following code in the checkbox

//------------ Start -------------------
[Your">

Exploit #2: http://[Target:port]/frontend/x/files/editit.html?dir=/&file=">[Your Code here]
Condition (tags): just a ! "> ! before the script.
Every time, the script prints something like this

//------------ Start -------------------
Save file as:
\\------------- EOF --------------------

In this case too, we can see that the $file variable inside the
'editit.html' file is not filtered securely; an attacker only
needs to close the textarea to insert
a script into the page.



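The remedy for the unfiltered $dir and $file echoes described above is to entity-encode each value when it is written into the page. The following is an added example, not code from the advisory or from cPanel; the two templates and the inert probe strings are constructed stand-ins, because the markup the advisory quoted did not survive on this page.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for the two output contexts the advisory names
# (a checkbox value and a textarea); the real cPanel 10 markup is not shown.
CHECKBOX = '<input type="checkbox" name="dir" value="{0}">'
TEXTAREA = '<textarea name="file">{0}</textarea>'

def render(template, value, escape):
    """Fill the template, optionally entity-encoding & < > " ' first."""
    return template.format(html.escape(value, quote=True) if escape else value)

class TagCollector(HTMLParser):
    """Record every start tag a parser sees in the rendered fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def parsed_tags(fragment):
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags

def injected_tags(template, value, escape):
    """Tags in the output that the template does not emit for benign input."""
    baseline = parsed_tags(render(template, "public_html", escape))
    seen = parsed_tags(render(template, value, escape))
    return [tag for tag in seen if tag not in baseline]

# Harmless probes (constructed): the ! "> ! and textarea-closing prefixes
# from the advisory, each followed by an inert <b> marker tag.
PROBES = [(CHECKBOX, '"><b id=probe>'), (TEXTAREA, '</textarea><b id=probe>')]

if __name__ == "__main__":
    for template, probe in PROBES:
        print("raw:    ", injected_tags(template, probe, escape=False))
        print("escaped:", injected_tags(template, probe, escape=True))
```

Run as a regression check, the raw rendering reports the marker tag as live markup while the escaped rendering reports none.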
Exploit #3: http://[Target:port]/frontend/x/files/showfile.html?dir=/&file=[Your Code here]
Condition's labels: without !