@Alasn0t
Latest commit f1dddb4 Aug 20, 2019 History
Information

Product             : CWP Control Web Panel
Vulnerability Name  : Cross Site Scripting
Version             : 0.9.8.837
Fixed in            : 0.9.8.851
Tested on           : CentOS 7.6.1810 (Core)
Reference           : http://centos-webpanel.com/
                    : https://control-webpanel.com/changelog
CVE-Number          : CVE-2019-13476

Description

CVE-2019-13476 (stored XSS) chained with CVE-2019-13477 (CSRF): the root user's password can be changed without knowing the current password.


Reproduce

  1. Log in as a normal user.

  2. Click "Email Accounts" in the left menu, then click "Email Accounts" again under it, as in the image below.

  3. Click "New MailBox".

  4. Add a new mail account and intercept the request (Burp Suite was used to intercept the request).

  5. Insert the payload in the "domain" parameter, then click "Intercept is on" in Burp Suite to forward the request.

  6. The payload is added successfully (after the XSS payload is added, the entry does not appear in the user's mailbox panel, but it does appear in the admin panel).
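The steps above show that the "domain" value of a new mailbox is stored without validation and later rendered into the admin panel's mailbox list without escaping. The following Python snippet is an added example (not CWP's own PHP code, and not from this advisory) of the two server-side controls that close that gap: a strict hostname check on the "domain" parameter at input time, and HTML escaping of every stored value when the admin listing is rendered. The function names, the hostname grammar and the in-memory store are assumptions made for the example.

```python
import html
import re

# Hostname grammar assumed for this example (not CWP's own rule): labels of
# 1-63 letters, digits or hyphens that neither start nor end with a hyphen,
# at least two labels joined by dots, 253 characters in total at most.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def validate_mailbox_domain(domain: str) -> bool:
    """Return True only if `domain` is a syntactically valid hostname.

    Markup characters such as '<', '>' or '"' cannot match the grammar, so a
    value carrying script in the "domain" parameter is rejected before it is
    ever written to storage.
    """
    return len(domain) <= 253 and _DOMAIN_RE.fullmatch(domain) is not None


def render_mailbox_row(user: str, domain: str) -> str:
    """Render one row of the admin panel's mailbox list.

    Every value read back from storage is HTML-escaped, quotes included
    (they matter inside attribute values), so a value that slipped past
    input validation is displayed as text instead of being interpreted as
    markup when the admin opens the listing.
    """
    safe_user = html.escape(user, quote=True)
    safe_domain = html.escape(domain, quote=True)
    return (
        f'<tr data-mailbox="{safe_user}@{safe_domain}">'
        f"<td>{safe_user}</td><td>{safe_domain}</td></tr>"
    )


def add_mailbox(store: dict, user: str, domain: str) -> bool:
    """Hypothetical handler for the "New MailBox" request: validate, then store."""
    if not validate_mailbox_domain(domain):
        return False
    store.setdefault(domain, []).append(user)
    return True


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one carrying markup in "domain".
    store = {}
    print(add_mailbox(store, "alice", "mail.example.com"))            # True
    print(add_mailbox(store, "bob", 'mail.example.com"><b>x</b>'))    # False
    # Even if the bad value had been stored, the listing shows it escaped.
    print(render_mailbox_row("bob", 'mail.example.com"><b>x</b>'))
```

Validation alone is not enough, because a value can reach storage through another path (an older version, a database import, a different form), so the escaping in `render_mailbox_row` is the control that actually stops script execution in the admin panel; the validator simply keeps junk out of the database in the first place.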


Password-change script (PoC.php)


  1. Log in as the root user (victim): user "root", password "P@ssw0rd".

  2. After logging in, open the left-side tab, click "Email", then click "Email Accounts" under "Email", as in the image below.

  3. The payload is visible.

  4. Click any button such as Change Password, Suspend or Delete; after the click the payload is executed.

  5. After the click the page redirects and the password has been changed to "AttackerPassword".

  6. Trying to log in with the old password "P@ssw0rd" fails (image below).

  7. Log in as root with the new password "AttackerPassword".

  8. Login succeeds.
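The root password could be changed because the password-change request was accepted without a CSRF token and without the current password, so script running in the admin's browser (the stored XSS above) could submit it on the admin's behalf. The following Python snippet is an added example (not CWP's code and not from this advisory) of a password-change handler that refuses such a request: it requires a per-session CSRF token that only the server's own form knows, and it re-verifies the current password before setting a new one. The user store, session layout and PBKDF2 parameters are assumptions made for the example; the "root" / "P@ssw0rd" account is the constructed victim from the steps above.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 work factor assumed for the example; production code picks its own.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def set_password(users: dict, name: str, password: str) -> None:
    """Store a fresh salt and PBKDF2-HMAC-SHA256 hash for `name` (in-memory store)."""
    salt = os.urandom(16)
    users[name] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(users: dict, name: str, password: str) -> bool:
    rec = users.get(name)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def new_session(user: str) -> dict:
    """Log a user in. The session carries a random CSRF token that the server
    embeds in its own forms and checks on every state-changing request."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def change_password(users: dict, session: dict, form: dict) -> str:
    """Handle a password-change POST for the logged-in session.

    The request is rejected unless (1) the CSRF token in the form matches the
    one bound to the session, so a forged request from another origin or from
    script injected into an unrelated page cannot drive the handler, and
    (2) the current password is supplied and correct, so even a request that
    reaches the handler under the victim's session cannot set a new password
    by itself.
    """
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return "rejected: missing or invalid CSRF token"
    if not verify_password(users, session["user"], form.get("current_password", "")):
        return "rejected: current password not verified"
    new_password = form.get("new_password", "")
    if len(new_password) < 8:
        return "rejected: new password too short"
    set_password(users, session["user"], new_password)
    return "ok"


if __name__ == "__main__":
    users = {}
    set_password(users, "root", "P@ssw0rd")   # constructed victim account
    session = new_session("root")
    # A request that carries only the new password, as the PoC relies on:
    print(change_password(users, session, {"new_password": "AttackerPassword"}))
    # A request submitted from the server's own form by the real admin:
    print(change_password(users, session, {
        "csrf_token": session["csrf_token"],
        "current_password": "P@ssw0rd",
        "new_password": "NewS3cretValue",
    }))
```

Both checks are needed: the CSRF token stops requests the admin never intended to send, and the current-password check limits the damage if a token does leak (for example through script already running in the same page), since the attacker still cannot produce the secret the handler insists on.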


Timeline

2019-06-05: Discovered the bug
2019-06-05: Reported to vendor
2019-06-05: Vendor accepted the vulnerability
2019-07-17: The vulnerability has been fixed
2019-08-20: Advisory published

Discovered by

Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak