cPanel – Security Tokens Evasion w/ Multiple Stored XSS (R911-0160)

Type: Security Tokens Evasion
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.43.0.12, 11.42.1.16 & 11.40.1.14
CVE: -
R911: 0160
Date: 2014-05-26
By: Rack911

Product Description

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is part of the cPanel software and is often used by resellers and system administrators.

Vulnerability Description

A malicious user can evade the default security token protection by performing a stored XSS attack in various functions, combined with a redirect to a secondary website that captures the referrer, followed by a second redirect back to the originating cPanel server to perform malicious commands.
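As an added defender-side illustration (not part of the Rack911 advisory and not cPanel code), the script below scans Apache-style combined access log lines for the tell-tale of the chain described above: a request that carries a cPanel security token in its path while its Referer names a host other than the panel itself, which is what the return leg of the redirect looks like on the server. The `/cpsess<digits>/` token path prefix, the combined log format, the function names and the sample log lines are all assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Apache "combined" format (assumed):
# client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: cPanel/WHM security tokens appear as a /cpsess<digits>/ path prefix.
TOKEN_RE = re.compile(r'^/cpsess\d+/')


def flag_token_with_foreign_referer(lines, panel_hosts):
    """Return (client, path, referer) for every request whose path carries a
    security token while the Referer points at a host outside panel_hosts.
    A legitimate session navigates panel-to-panel, so a third-party Referer
    on a tokenised URL is worth an analyst's attention."""
    panel_hosts = {h.lower() for h in panel_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not TOKEN_RE.match(m['path']):
            continue  # unparsable line, or no token in the request path
        ref = m['referer']
        if ref in ('', '-'):
            continue  # no Referer sent: nothing to compare against
        ref_host = (urlparse(ref).hostname or '').lower()
        if ref_host and ref_host not in panel_hosts:
            hits.append((m['client'], m['path'], ref))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/May/2014:10:00:01 +0000] "GET /cpsess1234567890/frontend/x3/index.html HTTP/1.1" '
    '200 5120 "https://panel.example.com:2083/cpsess1234567890/frontend/x3/index.html" "Mozilla/5.0"',
    '203.0.113.5 - - [26/May/2014:10:00:07 +0000] "GET /cpsess1234567890/frontend/x3/index.html HTTP/1.1" '
    '200 5120 "http://third-party.example/capture" "Mozilla/5.0"',
    '198.51.100.9 - - [26/May/2014:10:01:00 +0000] "GET /login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for client, path, ref in flag_token_with_foreign_referer(SAMPLE_LOG, {'panel.example.com'}):
        print(f'{client} requested {path} with foreign Referer {ref}')
```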

Impact

We rate this vulnerability HIGH because malicious commands could be performed by the root user.

Vulnerable Version

This vulnerability was tested against cPanel versions prior to the fixed versions listed below.

Fixed Version

This vulnerability was patched in cPanel 11.43.0.12, 11.42.1.16 & 11.40.1.14.

Vendor Contact Timeline

2014-02-15: Vendor contacted via email.
2014-02-15: Vendor confirms vulnerability.
2014-05-19: Vendor issues updates to all builds.
2014-05-26: Rack911 issues security advisory.