[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] CentOS Web Panel v0.9.8.12 - Remote SQL Injection Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2018-01-22 9:51:34
Message-ID: b794062e-f922-c4bd-0217-5f7682f8cc70 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
CentOS Web Panel v0.9.8.12 - Remote SQL Injection Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1833
Release Date:
=============
2018-01-22
Vulnerability Laboratory ID (VL-ID):
====================================
1833
Common Vulnerability Scoring System:
====================================
7.5
Vulnerability Class:
====================
SQL Injection
Current Estimated Price:
========================
4.000€ - 5.000€
Product & Service Introduction:
===============================
CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of \
(Dedicated & VPS) servers without of need to use ssh console for every little thing. There is \
lot's of options and features for server management in this control panel. CWP automatically \
installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…).
(Copy of the Homepage: http://centos-webpanel.com/features )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web \
vulnerability in the CentOS Web Panel v0.9.8.12.
Vulnerability Disclosure Timeline:
==================================
2018-01-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
CWP
Product: CentOS Web Panel - (CWP) 0.9.8.12
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A remote sql-injection web vulnerability has been discovered in the official CentOS Web Panel \
v0.9.8.12 web-application. The vulnerability allows remote attackers to inject own malicious \
sql commands to compromise the connected web-server or dbms.
The sql-injection vulnerability is located in the `row_id` and `domain` value of the `Add a \
domain` module POST method request. Remote attackers are able to manipulate the POST method \
request to execute own malicious sql commands on the application-side of the web-application. \
The request method to inject is POST and the attack vector is application-side. The \
vulnerability can be exploited by restricted user accounts against the web-application \
administrator.
The security risk of the sql-injection vulnerability is estimated as high with a cvss (common \
vulnerability scoring system) count of 7.5. Exploitation of the remote sql injection \
vulnerability requires no user interaction and only a low privileged web-application user \
account. Successful exploitation of the remote sql injection results in database management \
system, web-server and web-application compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Add a domain
Vulnerable Parameter(s):
[+] row_id
[+] domain
Affected Module(s):
[+] Delete domain
Proof of Concept (PoC):
=======================
The remote sql-injecton vulnerability can be exploited by remote attackers with low privilege \
user account and without user interaction. For security demonstration or to reproduce the \
vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Add a domain
2. Delete the same domain
3. Intercept the http request with a session tamper
4. Manipulate in the POST method request the values `row_id` or `domain` with '
5. Continue the request and an exploitable sql-exception becomes visible
6. Now the attacker can inject to the row_id and domain to execute malicious sql commands via \
restricted user account 7. Successful reproduce of the sql-injection vulnerability!
--- SQL Error Exceptions ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server \
version for the right syntax to use near 'test-domain'' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in
/usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d \
code on line 5
--- PoC Session logs [POST] ---
Status: 200[OK]
POST http://cwp.localhost:2030/index.php?module=list_domains
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime \
Type[text/html] Request Header:
Host[185.4.149.65:2030]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://cwp.localhost:2030/index.php?module=list_domains]
Cookie[cwpsrv-b66ec0f9742b8f4bd3407e0151cd756c=ae0c56ru1ver0k3d0cd1hh4147]
Connection[keep-alive]
POST-Daten:
ifpost[yes]
username[test-dom]
domain[SQL-INJECTION PAYLOAD!]
row_id[SQL-INJECTION PAYLOAD!]
Response Header:
Date[Mon, 25 Apr 2016 12:32:33 GMT]
Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
X-Powered-By[PHP/5.4.27]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
Reference(s):
http://cwp.localhost:2030/
http://cwp.localhost:2030/index.php
http://cwp.localhost:2030/index.php?module=list_domains
Security Risk:
==============
The security risk of the remote sql-injection web vulnerability in the centos web panel \
application is estimated as high. (CVSS 7.5)
Credits & Authors:
==================
Vulnerability-Lab [admin@vulnerability-lab.com] - \
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, use or \
edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic