fully featured popular web based hosting account control panel that helps webmasters to manage their domains through a web browser. The latest version of cPanel & WHM is 11.34, which is vulnerable to multiple cross site scripting.
During my bug hunting process, today I (Christy Philip Mathew) discovered some serious XSS vulnerabilities in official cPanel, WHM. It also impact on the latest version of software.
This week, Rafay Baloch (Pakistani white hat hacker) also discovered another reflective cross site scripting vulnerability in cPanel at manage.html.
The interesting part would be the whole demonstration I done with the Official cPanel Demo located at https://cpanel.net/demo/ location, can be accessed via demo user & password provided by cPanel website itself i.e. https://demo.cpanel.net:2086/login/?user=demo&pass=demo
These vulnerabilities actually affect the logged in users. Proof of Concept and screenshots are as shown below:
Cross Site scripting in Official WHM
- Login to WHM via : https://demo.cpanel.net:2086/login/?user=demo&pass=demo
- In left panel, click 'Server Configuration' and then 'Basic cPanel & WHM Setup' and new page will ask user to fill 4 Nameservers values regarding domain.
Cross Site scripting in Official cPanel
- Access the Official Cpanel Demo at https://x3demob.cpx3demo.com:2082/login/?user=x3demob&pass=x3demob
Cross Site scripting in WebMail server
- Similar way, access demo Webmail via URL : https://x3demob.cpx3demo.com:2082/xferwebmail/
- Once logged in XSS Vulnerable URL is : Click Here
- Here on page clientconf.html , the parameter "acct" is not filtered properly , as shown
- Product: Cpanel & WHM
- Security-Risk: High
- Remote-Exploit: yes
- Vendor-URL: https://www.cpanel.net
- Affected Products: Cpanel's Latest Version
- Solution: Proper input sanitisation.
- Discovered by: Christy Philip Mathew, Security researcher @ The Hacker News