TUCoPS :: Web :: Adminware, Control Panels

TUCoPS :: Web :: Adminware, Control Panels :: bx3119.htm
Cpanel 11 - XSS and CSRF vulns

XSS and CSRF vulnerability on Cpanel 11 XSS and CSRF vulnerability on Cpanel 11


1. DESCRIPTION OF THE SOFTWARE

cPanel is a hosting automation tool.
WHM interface provides access to the heart of the cPanel and WHM package
and allows a Server Administrator to simply configure a few options and
be on their way to hosting web sites.

2. DESCRIPTION OF THE VULNERABILITY

There are XSS (identified by CVE-2008-2070) and CSRF (identified by
CVE-2008-2071) vulnerabilities on cPanel software.

On WHM there is a simple pattern for XSS defense, but this function
is not well implemented so it's possible to bypass it using a simple
cheat. This is a simple proof of concept:

>><<<<<<<<<<<