
CIAC INFORMATION BULLETIN

S-283: cPanel XSRF Vulnerabilities

[US-CERT Vulnerability Note VU#584089]

May 2, 2008 19:00 GMT

PROBLEM: cPanel contains multiple cross-site request forgery (XSRF) vulnerabilities which may allow an attacker to execute arbitrary commands.
PLATFORM: cPanel
DAMAGE: An attacker may be able to take actions that only authorized administrators should be able to execute.
SOLUTION: There is currently no practical solution. Please see the bulletin below to enable referrer checking.

VULNERABILITY ASSESSMENT: The risk is MEDIUM. If successfully exploited, these vulnerabilities may allow an attacker to execute arbitrary commands.

CVSS 2 BASE SCORE:     5.8
       TEMPORAL SCORE: 5.2
       VECTOR:         (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C)

LINKS:
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-283.shtml
  ORIGINAL BULLETIN: http://www.kb.cert.org/vuls/id/584089

[***** Start US-CERT Vulnerability Note VU#584089 *****]

Vulnerability Note VU#584089

cPanel XSRF vulnerabilities

Overview

cPanel contains multiple cross-site request forgery (XSRF) vulnerabilities. If successfully exploited, these vulnerabilities may allow an attacker to execute arbitrary commands.

I. Description

cPanel is a web-based tool that is designed to automate and control web sites and servers.

cPanel contains multiple cross-site request forgery (XSRF) vulnerabilities. These vulnerabilities may be triggered by a remote attacker who convinces an administrator to browse to a malicious web site while logged into their cPanel account.

II. Impact

An attacker may be able to take actions that only authorized administrators should be able to execute.

III. Solution

We are currently unaware of a practical solution to this problem.

Enable referrer checking

Referrer checking may mitigate some XSRF attacks. To enable referrer checking, follow the steps below. Note that referrer checking may cause some applications to fail.

  1. Navigate to Server configuration
  2. Go to Tweak Settings
  3. Go to Security in WebHost Manager
  4. Check the box and save the page
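The following is an added example (not code from cPanel, US-CERT or CIAC) that shows what the "referrer checking" mitigation above actually decides on the server side, and why it is only a partial defence against the cross-site request forgery described in section I: a browser visiting a malicious site sends the administrator's cPanel cookies with the forged request, but the Origin/Referer header it attaches names the attacker's site, not the cPanel host. The expected host name, the header values and the function names are constructed assumptions for illustration; the token check at the end is the general synchronizer-token defence the OWASP reference describes, which has to be implemented in the application itself.

```python
"""Referer/Origin checking (and a synchronizer token) as XSRF mitigations.

Added illustration only; not cPanel's code. The host name and all request
headers below are constructed examples.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Host:port at which the administrative interface is served (constructed).
EXPECTED_HOSTS = {"cpanel.example.test:2083"}


def referrer_check(headers, expected_hosts=EXPECTED_HOSTS, allow_missing=False):
    """Decide whether a state-changing request should be honoured.

    Returns (allowed, reason).

    Policy:
      * Prefer Origin when present (browsers send it on cross-site POSTs),
        otherwise fall back to Referer.
      * Allow only if that header's host:port is exactly one of the
        expected hosts. Exact comparison matters: a prefix or substring
        test would accept "cpanel.example.test:2083.attacker.example".
      * A request carrying neither header is rejected unless allow_missing
        is set. Proxies and privacy settings strip Referer, which is why
        the bulletin warns that referrer checking "may cause some
        applications to fail"; allowing missing headers removes that
        breakage but also lets any forged request without a Referer through.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        if allow_missing:
            return True, "no Origin/Referer header; allowed by policy"
        return False, "no Origin/Referer header; rejected by policy"
    if source == "null":
        # Browsers send "Origin: null" for sandboxed or opaque origins.
        return False, "opaque origin"
    host = urlsplit(source).netloc.lower()
    if host in expected_hosts:
        return True, "source host %s matches" % host
    return False, "source host %r does not match expected hosts" % host


def new_token():
    """Per-session anti-XSRF token, stored server-side and echoed in forms."""
    return secrets.token_urlsafe(32)


def token_check(session_token, submitted_token):
    """A forged cross-site request cannot read the victim's token, so a
    missing or mismatched token rejects it regardless of Referer."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    # Constructed requests: one legitimate, several forged or ambiguous.
    samples = {
        "legitimate form post": {"Referer": "https://cpanel.example.test:2083/frontend/index.html"},
        "forged from attacker site": {"Origin": "https://attacker.example"},
        "prefix-confusable host": {"Referer": "https://cpanel.example.test:2083.attacker.example/"},
        "referer stripped by proxy": {},
        "opaque origin": {"Origin": "null"},
    }
    for label, hdrs in samples.items():
        print("%-28s -> %s (%s)" % ((label,) + referrer_check(hdrs)))
```

Run stand-alone, the script prints one verdict per constructed request; only the legitimate post is allowed. The `allow_missing` switch is where the trade-off the bulletin mentions lives: leave it off for a stricter check that may break proxied clients, or turn it on and accept that referrer checking alone no longer blocks forged requests whose Referer was stripped.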

Do not browse to untrusted sites

Administrators can mitigate XSRF vulnerabilities in cPanel and other browser-based tools by not browsing to untrusted websites while logged into their account.

Systems Affected

Vendor        Status       Date Updated
cPanel Inc.   Vulnerable   28-Apr-2008

References

http://www.rooksecurity.com/blog/?p=7
http://changelog.cpanel.net/
http://www.owasp.org/index.php/Cross-Site_Request_Forgery
http://en.wikipedia.org/wiki/XSRF

Credit

Thanks to Michael Brooks for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public 05/01/2008
Date First Published 04/30/2008 03:47:27 PM
Date Last Updated 05/01/2008
CERT Advisory
CVE Name
US-CERT Technical Alerts
Metric 2.25
Document Revision 15

[***** End US-CERT Vulnerability Note VU#584089 *****]

CIAC wishes to acknowledge the contributions of US-CERT for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788