Web hosting platform cPanel & WHM is vulnerable to authenticated RCE

Security researchers have achieved remote code execution (RCE) on web hosting platform cPanel & WHM after bypassing CSRF protections and escalating privileges via a stored cross-site scripting (XSS) vulnerability.

cPanel & WHM is a suite of Linux tools that enable the automation of web hosting tasks via a graphical user interface (GUI). cPanel is used in the hosting of more than 168,000 websites, according to Datanyze.

During a black-box pen test, RCE was also demonstrated via a “more convoluted” cross-site WebSocket hijacking attack that was possible because of the CSRF flaw and because WebSockets failed to check their requests’ Origin header, according to a technical write-up published by Adrian Tiron, cloud AppSec consultant at UK infosec firm Fortbridge.

The WebSocket hijacking attack was tested in Firefox, since Chrome enables SameSite cookie restrictions by default.
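The hijacking described above works because the server accepts a cookie-authenticated WebSocket upgrade without asking which site initiated it. The following is an added example, not code from cPanel or from Fortbridge's write-up: a legacy handshake check that trusts the session cookie alone (the failure mode the article describes) next to a hardened check that validates the Origin header against an exact allow-list. The origin names, header values and `panel.example.com` host are constructed for illustration.

```python
"""Added example: Origin validation for a cookie-authenticated WebSocket handshake.
Not cPanel or Fortbridge code; all hosts and headers below are constructed."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of origins the panel is legitimately served from.
ALLOWED_ORIGINS = {"https://panel.example.com:2087", "https://panel.example.com"}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise a serialized origin to scheme://host[:port], or return None.

    Lowercases scheme/host, drops default ports, and rejects anything that is not
    a bare http(s) origin (e.g. the literal "null", paths, userinfo).
    """
    try:
        parts = urlsplit(origin.strip())
        host, port = parts.hostname, parts.port  # .port raises ValueError if junk
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    default_port = 443 if scheme == "https" else 80
    if port is None or port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def _lower_keys(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def legacy_handshake_allowed(headers: dict) -> bool:
    """The weak pattern: any upgrade carrying a session cookie is accepted.

    A browser on another site can trigger this handshake and the cookie is
    attached automatically, so the attacker's page gets an authenticated socket.
    """
    h = _lower_keys(headers)
    return h.get("upgrade", "").lower() == "websocket" and "session=" in h.get("cookie", "")


def websocket_handshake_allowed(headers: dict, allowed=frozenset(ALLOWED_ORIGINS)) -> Tuple[bool, str]:
    """Hardened check: same cookie requirement plus an exact-match Origin allow-list.

    Returns (accepted, reason). Fails closed when Origin is missing or malformed.
    """
    h = _lower_keys(headers)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if "session=" not in h.get("cookie", ""):
        return False, "no session cookie"
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes; absence means a
        # non-browser client, which should not be riding on a browser cookie.
        return False, "missing Origin"
    canonical = normalize_origin(origin)
    if canonical is None:
        return False, "malformed Origin"
    allowed_canonical = {normalize_origin(a) for a in allowed}
    if canonical not in allowed_canonical:
        # Exact match only: "https://panel.example.com.attacker.example" must not pass.
        return False, f"origin {canonical} not allowed"
    return True, "ok"


# Constructed handshake headers: the cookie is identical in both; only Origin differs.
SAME_SITE_HANDSHAKE = {
    "Upgrade": "websocket",
    "Cookie": "session=abc123",
    "Origin": "https://panel.example.com:2087",
}
CROSS_SITE_HANDSHAKE = {
    "Upgrade": "websocket",
    "Cookie": "session=abc123",
    "Origin": "https://attacker.example",
}
LOOKALIKE_HANDSHAKE = dict(CROSS_SITE_HANDSHAKE, Origin="https://panel.example.com.attacker.example")

if __name__ == "__main__":
    for name, hs in [("same-site", SAME_SITE_HANDSHAKE), ("cross-site", CROSS_SITE_HANDSHAKE), ("lookalike", LOOKALIKE_HANDSHAKE)]:
        print(f"{name:10} legacy={legacy_handshake_allowed(hs)} hardened={websocket_handshake_allowed(hs)}")
```

The legacy function accepts all three constructed handshakes; the hardened one accepts only the same-site handshake. Exact matching on the normalised origin is deliberate: suffix or substring matching against the allowed host is a common way such a check gets bypassed, and a `null` or missing Origin is treated as untrusted rather than as "same origin".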

‘Super Privileges’ required

The web hosting firm has not fixed these flaws – it only patched a separate XXE vulnerability reported by Fortbridge – because attackers must be authenticated with a reseller account with permission to edit locales, which is not a default configuration.

“The Locale interface can only be used by root and Super Privilege resellers that root must grant this specific ACL to,” Cory McIntire, product owner on the cPanel security team, told The Daily Swig.

This is labelled a ‘Super Privilege’ with a warning icon in the server admin’s WHM interface and also flagged as such in the cPanel documentation, he added.

“When you expand this icon, it is explained to the server admin that they will be allowed to insert HTML into this interface, as many of our customers expect to be able to do.”

He added: “Again, this is an option root must enable for the reseller and should only be done so for users that are trusted as though you are giving them root to your server.”

‘Secure by default’

However, Tiron believes the XSS “could have been fixed while maintaining the intended functionality”.

He told The Daily Swig: “What they’re saying is correct, in a sense that this is covered by the documentation, but just because it’s documented doesn’t make it secure. People don’t often read documentation and they’re not [usually] security experts either, so they won’t be able to make the right decision most of the time.

“We’ve seen this approach quite a lot recently, with other vendors we’ve worked with. The correct approach should be ‘secure by default’, not ‘it’s documented, it’s your responsibility now’.”

The researcher suggests the issue could have been completely mitigated “by applying some filtering/encoding on that vulnerable input”.

He added: “Even if they consider the ‘edit locale’ as a ‘super privilege’, this wasn’t clear to us during the pen test and it was definitely not clear to our customer either.”

cPanel’s McIntire said that to protect themselves the server admin would simply have to remove any Locale Super Privileges granted to ‘untrusted’ resellers.


“We appreciate Fortbridge’s responsible disclosure to us and hope that these explanations will ease any worries our customers may have regarding this issue,” he continued.

“It is of utmost importance that you only give Super Privileges to people you would trust with root on your server.”

Tiron said cPanel was notified of the vulnerabilities during May and June of this year.

Source: https://portswigger.net/daily-swig/web-hosting-platform-cpanel-amp-whm-is-vulnerable-to-authenticated-rce
