cPanel Domain Access Control Flaw May Let Remote Users Access Other Domains in Certain Cases
SecurityTracker Alert ID: 1014633
SecurityTracker URL: http://securitytracker.com/id/1014633
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 9 2005
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included: Yes
Version(s): 10.4.0-EDGE 254
Description:
Majid NT reported a vulnerability in cPanel. A remote authenticated user may be able to gain access to other accounts on the system in a certain situation.
A remote authenticated administrator can create a new user account. If the account is created with a password that is the same as the administrator's password (reseller password), then the new user will be able to access other domains on the system, even after changing their own password.
If a remote authenticated user changes their password to be the same as the administrator's password (either on purpose or by chance), the user will gain access to other domains on the system.
A demonstration exploit is illustrated in a Shockwave movie file, available at:
http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=41
Impact:
A remote authenticated user may be able to gain access to other domains on the system in certain, specific cases.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.cpanel.net/
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any)
Message History: None.

Source Message Contents
Date: Mon, 8 Aug 2005 19:45:25 -0700 (PDT)
Subject: IHS RELEASE : cpanel password managing problem
********************************************
IHS Iran Hackers Sabotage Public advisory
author : NT NT@ihsteam.com
********************************************
General info :
vuln application : Cpanel Build 10.4.0-EDGE 254
vendor : www.cpanel.net
risk : Medium
access : to all the domains hosted
original advisory : http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=40
Details :
scenario :
you are admin of a big hosting company , one of your customers wanted 10 mb hosting ,
ok ah you are at home but how the hell he got the phone number anyway !
you login to your cpanel as reseller you create his account , create the plan
you USE your reseller passwd for him after the job is finished you change the
password to urgonnohackme ! tomorrow you go to work , happy morning it is .
but when you hear that your 10000 customer sites had been defaced it completely changes
to a terrific morning .
also if a normal cpanel user changes the pass to root by chance he won't know but
when he changes his passwd again he sees all the domains listed for him !!!
a sample movie created about how the vuln could be used :
http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=41
timeline :
vendor not contacted because of the great care vendors give us !
08 august 2005 : public disclosure
greeting :
LorD and c0d3r of IHS
www.ihsteam.com ( persian site )
www.ihssecurity.com ( english site )