The Hacker News
cPanel is a Unix based fully featured popular web based hosting account control panel that helps webmasters to manage their domains through a web browser. The latest version of cPanel & WHM is 11.34, which is vulnerable to multiple cross site scripting.

During my bug hunting process, today I (Christy Philip Mathew) discovered some serious XSS vulnerabilities in official cPanel, WHM. It also impact on the latest version of software.

This week, Rafay Baloch (Pakistani white hat hacker) also discovered another reflective cross site scripting vulnerability in cPanel at manage.html.

The interesting part would be the whole demonstration I done with the Official cPanel Demo located at https://cpanel.net/demo/ location, can be accessed via demo user & password provided by cPanel website itself i.e. https://demo.cpanel.net:2086/login/?user=demo&pass=demo
Cybersecurity

These vulnerabilities actually affect the logged in users. Proof of Concept and screenshots are as shown below:

Cross Site scripting in Official WHM
  1. Login to WHM via : https://demo.cpanel.net:2086/login/?user=demo&pass=demo
  2. In left panel, click 'Server Configuration' and then 'Basic cPanel & WHM Setup' and new page will ask user to fill 4 Nameservers values regarding domain.
  3. Enter alert JavaScript in any of these four text boxes, as shown below and Submit
The Hacker News




Cross Site scripting in Official cPanel
  1. Access the Official Cpanel Demo at https://x3demob.cpx3demo.com:2082/login/?user=x3demob&pass=x3demob
  2. Once logged in , access Bandwidth Transfer Detail (detailbw.html), and inject JavaScript in parameter "domain" or one can access this URL.
The Hacker News



Cross Site scripting in WebMail server
  1. Similar way, access demo Webmail via URL : https://x3demob.cpx3demo.com:2082/xferwebmail/
  2. Once logged in XSS Vulnerable URL is : Click Here
  3. Here on page clientconf.html , the parameter "acct" is not filtered properly , as shown
The Hacker News



More Details

  • Product: Cpanel & WHM
  • Security-Risk: High
  • Remote-Exploit: yes
  • Vendor-URL: https://www.cpanel.net
  • Affected Products: Cpanel's Latest Version
  • Solution: Proper input sanitisation.
  • Discovered by: Christy Philip Mathew, Security researcher @ The Hacker News
Photo of Mohit Kumar Hacker News - Founder and Editor-in-Chief of 'The Hacker News'. Cyber Security Analyst, Information Security Researcher, Developer and Part-Time Hacker. ()


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.