[35207] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Major Cpanel Expliot HTML Injection

daemon@ATHENA.MIT.EDU (Virtual Nova Web Hosting services )
Wed Jun 9 16:07:33 2004

Date: 9 Jun 2004 04:04:51 -0000
Message-ID: <20040609040451.1913.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: "Virtual Nova Web Hosting services virtualnova.net" <verb0s@virtualnova.net>
To: bugtraq@securityfocus.com

Major Bug found 6/7/04

Discovered by Verb0s 

Reseller accounts with cpanel, in the password modification page, can insert a basic injection ex:http://(domain):2086/scripts/passwd?password=<>&domain=<>&user=<>

The code will modify all the mysql database passwords, in which the reseller shouldnb't have permissions. From there, someone could take over someones site that may be sql based, on the same server as them. 

How to fix the problem:

After my immediate contact with cpanel. they updated and fixed all permission problems : 6/8/04

Update your Cpanel ASAP


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[35207] in bugtraq

Major Cpanel Expliot HTML Injection

daemon@ATHENA.MIT.EDU (Virtual Nova Web Hosting services )Wed Jun 9 16:07:33 2004

daemon@ATHENA.MIT.EDU (Virtual Nova Web Hosting services )
Wed Jun 9 16:07:33 2004