cyber security researchers have successfully carried out remote code execution (RCE) and privilege escalation attacks on popular sites. Web hosting control platform cPanel & WHM by exploiting a Cross-Site Stored Scripting (XSS) vulnerability.
While cPanel is limited to managing a single hosting account, cPanel & WHM allows administrators to manage the whole server.
“Our team found several vulnerabilities in cPanel/WHM during a black box pentest, the most important being an elevation of privilege via stored XSS”, share Adrien Tiron, co-founder of cloud security Fortbridge Company.
According to Tiron, researchers were able to exploit the XSS vulnerability to elevate privileges to root.
Ripe for achievement
By disclosing these bugs to the cPanel & WHM team, the Fortbridge team realized that the tested cPanel account was a dealer account with permission to change locales, which led them to conclude that the XSS vulnerability discovered during their pestest “is considered a feature and has not been patched”.
The second bug is an HTML injection vulnerability. Although Tiron claims that this vulnerability is sufficient to bypass CSRF/referrer leak protection, the process to exploit it is much more “convoluted”.
Fortbridge notified cPanel of the vulnerabilities earlier this year, and the popular control panel has updated the relevant parts of its documentation earlier this month.
However, cPanel has yet to patch the flaws, arguing that threat actors must be authenticated to exploit the vulnerability.
In a conversation with The daily sip, Cory McIntire, Product Owner at the cPanel Security Team, said “The Locale interface can only be used by root and Super Privilege resellers to whom the root should grant this specific ACL.
He added that “it is called Super Privilege with a warning icon in the server administrators WHM interface, and also flagged as such in the cPanel documentation.
In terms of protection, McIntire said that Super privileges should only be given to people you trust with root on your server.