AOH :: Web :: Adminware, Control Panels

AOH :: Web :: Adminware, Control Panels :: BX3119.HTM
Cpanel 11 - XSS and CSRF vulns

XSS and CSRF vulnerability on Cpanel 11 XSS and CSRF vulnerability on Cpanel 11


1. DESCRIPTION OF THE SOFTWARE

cPanel is a hosting automation tool.
WHM interface provides access to the heart of the cPanel and WHM package
and allows a Server Administrator to simply configure a few options and
be on their way to hosting web sites.

2. DESCRIPTION OF THE VULNERABILITY

There are XSS (identified by CVE-2008-2070) and CSRF (identified by
CVE-2008-2071) vulnerabilities on cPanel software.

On WHM there is a simple pattern for XSS defense, but this function
is not well implemented so it's possible to bypass it using a simple
cheat. This is a simple proof of concept:

>><<<<<<<<<<<



The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2009 AOH

We do not send spam.  If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.