HazaVVIP/whm
whm

Async CLI scanner for CVE-2026-41940 (cPanel header injection). The scanner runs in three phases:

  1. Network survival filter (HEAD requests)
  2. Malformed request injection (Authorization header payloads)
  3. Logic-oracle analysis with CSV output

Requirements

  • Python 3.8+
  • Dependencies: httpx, colorama

Install dependencies:

python -m pip install httpx colorama

Usage

python scanner.py -l targets.txt -p 2082,2083,2087 -w 50 -o scan_results.csv
python scanner.py -l targets.txt --port-profile whm --flow auth-bypass
python scanner.py -l targets.txt -p 2083 -t 5 --variant all
python scanner.py -l targets.txt -p 2083 --flow auth-bypass --verify-mode strict
python scanner.py -l targets.txt -p 2083 --flow all --aggressive
python scanner.py -l targets.txt -p 2082 --no-ssl-verify --retries 2 --retry-backoff 0.5
python scanner.py -l targets.txt -p 2082 --alive-method get
python scanner.py -l targets.txt -p 2082 --raw-payloads --payloads-file legacy_payloads.txt
python scanner.py -l targets.txt -p 2087 --flow auth-bypass --auth-payloads-file auth_payloads.txt

Targets file format

One entry per line:

  • Hostname only: example.com
  • Hostname with port: example.com:2083
  • Full URL: https://example.com:2083

Comments start with # and blank lines are ignored. URL targets must not include a path or query string.
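A parser for the targets-file format above, added here as an example (it is not the scanner's own code). It accepts the three documented entry forms, skips blank and # lines, rejects URL entries that carry a path or query string, and collects bad lines as errors instead of aborting. The pairing of port-less entries with every port given on the command line is an assumption about how -p is applied; the sample file contents are constructed for the example.

```python
"""Parse a whm-style targets file into (host, port, scheme) records."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Target:
    host: str
    port: Optional[int]      # None when the entry did not name a port
    scheme: Optional[str]    # "http"/"https" for URL entries, else None


class TargetError(ValueError):
    """An entry that does not match the documented format."""


def _port(text: str, lineno: int) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise TargetError(f"line {lineno}: invalid port {text!r}")
    return int(text)


def parse_target_line(line: str, lineno: int = 0) -> Optional[Target]:
    """Parse one line; returns None for blank lines and # comments."""
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return None
    if "://" in entry:
        # Full URL form: scheme and host required, no path/query/fragment.
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise TargetError(f"line {lineno}: unsupported URL {entry!r}")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            raise TargetError(f"line {lineno}: URL targets must not include a path or query string")
        try:
            port = parts.port   # urlsplit raises ValueError for a non-numeric port
        except ValueError:
            raise TargetError(f"line {lineno}: invalid port in {entry!r}")
        return Target(parts.hostname, port, parts.scheme)
    # host:port or bare hostname (bracketed IPv6 literals are not handled here).
    host, sep, port_text = entry.rpartition(":")
    if sep and host:
        return Target(host, _port(port_text, lineno), None)
    return Target(entry, None, None)


def parse_targets(text: str) -> Tuple[List[Target], List[str]]:
    """Parse a whole file; returns (targets, error messages) so bad lines are reported, not fatal."""
    targets, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            target = parse_target_line(line, lineno)
        except TargetError as exc:
            errors.append(str(exc))
            continue
        if target is not None:
            targets.append(target)
    return targets, errors


def expand_ports(targets: Sequence[Target], default_ports: Sequence[int]) -> List[Tuple[str, int, Optional[str]]]:
    """Assumption: an explicit port wins; otherwise the entry is paired with every -p port."""
    expanded = []
    for t in targets:
        for port in ([t.port] if t.port else list(default_ports)):
            expanded.append((t.host, port, t.scheme))
    return expanded


# Constructed sample file covering every documented form plus one bad line.
SAMPLE_TARGETS = """\
# WHM hosts (constructed sample)
example.com
example.com:2083

https://example.com:2083
https://example.com:2083/login
"""

if __name__ == "__main__":
    found, problems = parse_targets(SAMPLE_TARGETS)
    for host, port, scheme in expand_ports(found, [2082, 2087]):
        print(scheme or "auto", host, port)
    for problem in problems:
        print("skipped:", problem)
```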

Output format

The output is a CSV file (default scan_results.csv) with one row per payload and the following columns:

  • target
  • status
  • status_code
  • payload_type
  • timestamp
  • evidence
  • response_preview
  • flow
  • phase
  • canonical_host

Detection notes

  • Survival checks default to head-get, which tries a HEAD request first and falls back to GET for hosts that drop or block HEAD.
  • CRLF payloads are delivered via a raw socket request to avoid HTTP client header sanitization. Use --raw-payloads to force raw requests for all payload variants.
  • Network errors are categorized (DNS/TLS/refused/timeout) to help diagnose unreachable targets.
  • The auth-bypass flow (--flow auth-bypass) follows the observed chain: /login/?login_only=1 to mint a session, Authorization: Basic injection to leak a cpsess token, propagation via /scripts2/listaccts, then verification via /json-api/version or /json-api/listaccts.
  • Use --verify-mode strict to require a successful result=1 signal in the API response. --aggressive enables extra propagation targets and fallback verification.
  • Auth-bypass results may show TOKEN_LEAKED, TOKEN_NOT_FOUND, PREAUTH_FAILED, AUTH_REDIRECT, or WAF_BLOCKED to indicate how far the chain progressed.
  • Canonical host discovery uses /openid_connect/cpanelid to align Host headers with WHM redirects; disable with --no-host-discovery when not needed.
  • Custom payload files accept one payload per line; use name|payload to label entries in output evidence. Auth payload entries can be raw base64 or full Basic <base64> values.
  • Use --port-profile to default to WHM, cPanel, or mixed port sets when --ports is omitted. --protocol-preference controls HTTPS/HTTP ordering for scheme-less targets.

CVE-2026-41940 research summary

  • Affected cPanel/WHM versions are reported as prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5.
  • GitHub PoCs (watchTowr, cPanelSniper, multiple Python/Go ports) consistently use /openid_connect/cpanelid to discover the canonical hostname and then spoof the Host header for the auth-bypass chain.
  • Observed auth-bypass flow: POST /login/?login_only=1 (401 + whostmgrrelogin cookie), GET / with Authorization: Basic <base64> to leak /cpsess via 307 Location, GET /scripts2/listaccts to trigger do_token_denied, then verification via /json-api/version or /json-api/listaccts?api.version=1.
  • Payload variants appear in PoCs and Nuclei templates: a base64 CRLF payload with cp_security_token fields and a watchTowr payload without the token marker.
  • Verification success signals include "data":{"version":...}, "command":"version", "reason":"OK", "result":1, or license-gated 500/503 responses indicating authenticated access.
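The detection notes and the research summary both describe the same four-step request chain. The following log analyser, added here for defenders and not part of the scanner, walks a web server's access log per client and reports how far each client progressed through that chain: POST /login/?login_only=1 answered 401, GET / answered 307, GET /scripts2/listaccts, then GET /json-api/version or /json-api/listaccts answered 200 (or the license-gated 500/503 listed above). A prior hit on /openid_connect/cpanelid is recorded as the hostname-discovery step the PoCs use. The combined-style log layout, the 120-second window and the sample lines are assumptions constructed for the example.

```python
"""Flag clients whose requests reproduce the CVE-2026-41940 auth-bypass chain."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WINDOW = timedelta(seconds=120)   # assumption: a real chain completes within two minutes
API_PATHS = ("/json-api/version", "/json-api/listaccts")

# Ordered stages of the chain; each predicate sees (method, path, status).
STAGES = [
    ("preauth_login",   lambda m, p, s: m == "POST" and p == "/login/?login_only=1" and s == 401),
    ("token_redirect",  lambda m, p, s: m == "GET" and p == "/" and s == 307),
    ("token_propagate", lambda m, p, s: m == "GET" and p == "/scripts2/listaccts"),
    ("api_verified",    lambda m, p, s: m == "GET" and p.split("?", 1)[0] in API_PATHS
                                         and s in (200, 500, 503)),
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format access-log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyze(lines: Iterable[str]) -> Dict[str, dict]:
    """Per client IP: deepest stage reached, whether the chain completed, and recon seen."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        stage, started, recon = 0, None, False
        for r in recs:
            if r["path"].startswith("/openid_connect/cpanelid"):
                recon = True                      # canonical-host discovery
            if started and r["ts"] - started > WINDOW:
                stage, started = 0, None          # too slow: start matching over
            if stage < len(STAGES) and STAGES[stage][1](r["method"], r["path"], r["status"]):
                if stage == 0:
                    started = r["ts"]
                stage += 1
        findings[ip] = {
            "stage": STAGES[stage - 1][0] if stage else None,
            "complete": stage == len(STAGES),
            "host_discovery": recon,
        }
    return findings


# Constructed sample: one full chain, one lone failed login, one chain stopped by a 403.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0
203.0.113.5 - - [01/Jan/2026:10:00:02 +0000] "GET / HTTP/1.1" 307 0
203.0.113.5 - - [01/Jan/2026:10:00:03 +0000] "GET /scripts2/listaccts HTTP/1.1" 403 0
203.0.113.5 - - [01/Jan/2026:10:00:04 +0000] "GET /json-api/version HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2026:10:01:00 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0
192.0.2.9 - - [01/Jan/2026:10:05:00 +0000] "GET /openid_connect/cpanelid HTTP/1.1" 302 0
192.0.2.9 - - [01/Jan/2026:10:05:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0
192.0.2.9 - - [01/Jan/2026:10:05:02 +0000] "GET / HTTP/1.1" 307 0
192.0.2.9 - - [01/Jan/2026:10:05:03 +0000] "GET /scripts2/listaccts HTTP/1.1" 403 0
192.0.2.9 - - [01/Jan/2026:10:05:04 +0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 403 0
not a log line
"""

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG.splitlines()).items():
        flag = "ALERT" if f["complete"] else "partial"
        print(f"{ip}: {flag} stage={f['stage']} host_discovery={f['host_discovery']}")
```

Only a client that reaches api_verified is a confirmed bypass; a lone 401 on /login/?login_only=1 is an ordinary failed login and is reported as partial so it can be rate-correlated rather than alerted on.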

Running tests

python -m unittest discover -s tests
