The software known as cPanel is used extensively online as a control panel for web hosting. At the time this blog article was being written, there were precisely 1.4 million exposed cPanel installations on the public internet.
The researchers found a reflected cross-site scripting vulnerability that could be exploited without any authentication. The XSS could also be exploited even when the cPanel management ports (2080, 2082, 2083, and 2086) were not open to the outside world, so whether or not those ports were exposed made no difference. This means that if your website is hosted on cPanel and served only on ports 80 and 443, it was still susceptible to the cross-site scripting vulnerability.
At the heart of CVE-2023-29489 is an invalid webcall ID that may contain XSS content. When that ID is displayed on the cpsrvd error page, it is not properly escaped, which enables the XSS attack.
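The root cause described above is a classic reflection bug: an untrusted path component is interpolated into an HTML error page without escaping. The following is an added illustration written for this article, not cPanel's own cpsrvd code; the template, the `/cpanelwebcall/` prefix handling and the sample ID are assumptions that model the behaviour the text describes, with the vulnerable pattern beside the hardened one.

```python
import html
from urllib.parse import unquote

# Simplified stand-in for an error page that reflects the request's webcall ID.
# This is an illustrative model, not cPanel's real template.
ERROR_TEMPLATE = "<html><body><h1>Invalid webcall ID: {webcall_id}</h1></body></html>"
WEBCALL_PREFIX = "/cpanelwebcall/"


def webcall_id_from_path(path: str) -> str:
    """Extract the webcall ID from a request path, URL-decoding it as a server would."""
    decoded = unquote(path)
    _, _, webcall_id = decoded.partition(WEBCALL_PREFIX)
    return webcall_id


def render_error_unescaped(webcall_id: str) -> str:
    """Vulnerable pattern: attacker-controlled text is dropped into the page as raw HTML."""
    return ERROR_TEMPLATE.format(webcall_id=webcall_id)


def render_error_escaped(webcall_id: str) -> str:
    """Hardened pattern: HTML-escape untrusted text (including quotes) before reflecting it."""
    return ERROR_TEMPLATE.format(webcall_id=html.escape(webcall_id, quote=True))


def reflects_live_markup(rendered: str) -> bool:
    """True when an unescaped tag survived into the rendered page (a simple self-check)."""
    return "<img" in rendered or "onerror=\"" in rendered


if __name__ == "__main__":
    # Constructed request path following the PoC pattern from the article.
    sample_path = "/cpanelwebcall/<img%20src=x%20onerror=%22prompt(1)%22>aaaaaaaaaaaa"
    webcall_id = webcall_id_from_path(sample_path)
    print("vulnerable:", render_error_unescaped(webcall_id))
    print("hardened:  ", render_error_escaped(webcall_id))
```

The hardened version neutralises the payload by turning `<`, `>` and `"` into entities, so the browser renders the ID as text rather than as an element. Context-aware escaping (or a templating engine that escapes by default) is the general fix for this class of bug; the vendor patch listed later in the article is what actually resolves it for cPanel users.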
The consequences of being exposed to this are serious. On a cPanel installation with its default configuration, a malicious actor can run arbitrary JavaScript, pre-authentication, on almost any port of the web server. This is because the proxy rules make the /cpanelwebcall/ directory reachable even on ports 80 and 443, which would otherwise not expose it.
In effect, an attacker can run arbitrary JavaScript, without authenticating first, on practically every port of a web server that runs cPanel with its default configuration.
The proxy rules are the reason for this. Even though Apache on ports 80 and 443 merely proxies to the cPanel administration ports, the /cpanelwebcall/ directory was still reachable through them.
Because of this, an adversary can launch attacks not only against cPanel's administrative ports but also against the applications running on ports 80 and 443.
If the cPanel administration ports were exposed in the first place, an adversary could use this cross-site scripting attack to take over a legitimate user's cPanel session.
Once authenticated as a cPanel user, it is often quite simple to upload a web shell and obtain command execution.
Proof of Concept
For the purpose of demonstrating the vulnerability, the researchers supplied the following proof of concept URLs:
- http://example.com/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa
- http://example.com:2082/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa
- http://example.com:2086/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa
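Because the vulnerable path is reachable on ports 80 and 443, ordinary Apache access logs are a good place to look for exploitation attempts like the PoC URLs above. The following detection routine is an added example written for this article, not a tool from the researchers or from cPanel; the log lines are constructed to mirror the PoC pattern (with RFC 5737 documentation addresses), and the markup heuristic is an assumption that you would tune to your own environment.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines, not real traffic.
# Lines 1 and 4 mimic the article's PoC pattern (one fully URL-encoded, one partially);
# lines 2 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /cpanelwebcall/%3Cimg%20src=x%20onerror=%22prompt(1)%22%3Eaaaaaaaaaaaa HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2023:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [10/May/2023:12:00:03 +0000] "GET /cpanelwebcall/abc123 HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.9 - - [10/May/2023:12:00:04 +0000] "GET /cpanelwebcall/<img%20src=x%20onerror=%22prompt(1)%22>bbbbbbbbbbbb HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Minimal parser for the parts of a combined-format line we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Heuristic: angle brackets or an inline event-handler attribute inside the webcall ID.
MARKUP_RE = re.compile(r'[<>]|on\w+\s*=', re.IGNORECASE)
WEBCALL_PREFIX = "/cpanelwebcall/"


def decode_path(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def suspicious_webcall_requests(log_text: str) -> list:
    """Return one record per request whose /cpanelwebcall/ ID looks like injected markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m["path"])
        if not decoded.startswith(WEBCALL_PREFIX):
            continue
        webcall_id = decoded[len(WEBCALL_PREFIX):]
        if MARKUP_RE.search(webcall_id):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "webcall_id": webcall_id,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_webcall_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} id={hit['webcall_id']!r}")
```

Legitimate webcall IDs are opaque tokens, so any angle bracket or event-handler attribute in that path segment is a strong signal; decoding before matching matters because the same payload can arrive fully, partially, or doubly URL-encoded. A 404 or error status on such a request is consistent with the error-page reflection described above, but the match should be raised regardless of status, since the goal is to spot who is probing for the bug and to confirm the host has been updated.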
If you believe this vulnerability may affect your website, there is no need to panic. Because the majority of cPanel installations on the internet have auto-update enabled, you may already be protected even if you have not applied a patch yourself. Upgrading to any of the following cPanel versions or later eliminates the risk associated with this vulnerability:
- 11.109.9999.116
- 11.108.0.13
- 11.106.0.18
- 11.102.0.31