CVE-2019-13477: CentOS-Control-Web-Panel-CVE/CVE-2019-13477.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.


Information

Product             : CWP Control Web Panel
Vulnerability Name  : Cross-Site Scripting (CVE-2019-13476), chained with Cross-Site Request Forgery (CVE-2019-13477)
Version             : 0.9.8.837
Fixed in            : 0.9.8.851
Tested on           : CentOS 7.6.1810 (Core)
Reference           : http://centos-webpanel.com/
                    : https://control-webpanel.com/changelog
CVE-Number          : CVE-2019-13476

Description

CVE-2019-13476 (stored XSS) chained with CVE-2019-13477 (CSRF in the forgot password function): a low-privileged user stores a script payload that executes in the administrator's browser and forges a password change for the root account. The current root password does not need to be known.

Reproduce

  1. Log in as a normal (non-admin) user.
  2. In the left-hand menu click "Email Accounts", then click "Email Accounts" again in the submenu (see image below).
  3. Click "New MailBox".
  4. Fill in the new mailbox form, submit it, and intercept the request (Burp Suite was used for interception).
  5. Insert the XSS payload into the "domain" parameter, then forward the request (toggle "Intercept is on" in Burp Suite).
  6. The mailbox is created with the payload stored. The injected entry does not appear in the user's own mailbox panel, but it is rendered in the admin panel.

Script to change the password (PoC.php)

  1. Log in as root (the victim); in this test the credentials were user: root, password: P@ssw0rd.
  2. After login, in the left-hand menu click "Email", then "Email Accounts" under "Email" (see image below).
  3. The stored payload is visible in the mailbox list.
  4. Click any action button such as Change Password, Suspend, or Delete; after the click the payload is executed.
  5. The browser is redirected and the root password has been changed to "AttackerPassword".
  6. Trying to log in with the old password "P@ssw0rd" fails (see image below).
  7. Logging in as root with the new password "AttackerPassword" succeeds.
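The chain above works because two controls are missing: the "domain" value is stored without validation and echoed into the admin panel without output encoding, and the password-change request carries nothing that proves the administrator intended it. The following is an added example, not CWP's code and not the vendor's fix (the advisory does not say what changed in 0.9.8.851). It shows the three checks that would break the chain at each stage: a strict hostname check on the domain parameter (a script payload cannot pass it), HTML escaping on output, and a per-session CSRF token with a current-password requirement on the change-password handler. The handler, session dictionary and the constructed payload strings are all illustrative assumptions.

```python
import hmac
import html
import re
import secrets
from typing import Optional

# RFC 1123 label rules: letters, digits and hyphens, dot-separated, no
# leading/trailing hyphen, whole name at most 253 characters. We require
# at least one dot because a mailbox domain is never a bare label.
# Characters such as '<', '>', quotes and spaces never match, so a stored
# XSS payload in the "domain" field is rejected before it is saved.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)


def is_valid_domain(value: str) -> bool:
    """Input validation for the mailbox 'domain' parameter."""
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def render_mailbox_row(domain: str) -> str:
    """Output encoding for the admin panel listing (second line of defence).

    Even if an unexpected value reaches the template it is rendered as
    text, not as markup, so no script runs in the administrator's browser.
    """
    return f"<td>{html.escape(domain, quote=True)}</td>"


def issue_csrf_token(session: dict) -> str:
    """Create an unguessable per-session token and embed it in forms."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def check_csrf(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_password_change(session: dict, form: dict) -> str:
    """Simulated change-password handler (hypothetical, for illustration).

    A request forged from another origin cannot supply the session token,
    and requiring the current password means a script running as the admin
    still cannot set a new one on its own.
    """
    if not check_csrf(session, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    if not form.get("current_password"):
        return "rejected: current password required"
    if not form.get("new_password"):
        return "rejected: new password required"
    return "changed"


if __name__ == "__main__":
    # Constructed inputs: a legitimate domain and two XSS-style payloads.
    for candidate in ("example.com", "<script>alert(1)</script>",
                      'example.com"><img src=x onerror=alert(1)>'):
        print(f"{candidate!r}: valid={is_valid_domain(candidate)}")
    print(render_mailbox_row("<img src=x onerror=alert(1)>"))

    session = {}
    token = issue_csrf_token(session)
    print(handle_password_change(session, {"new_password": "AttackerPassword"}))
    print(handle_password_change(session, {"csrf_token": token,
                                           "current_password": "P@ssw0rd",
                                           "new_password": "newpass"}))
```

The three checks are independent: validation alone would have stopped this particular payload, but output encoding protects against any other path that writes into the admin page, and the CSRF token plus current-password check removes the payoff even if a script does execute.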

Timeline

2019-06-05: Discovered the bug
2019-06-05: Reported to vendor
2019-06-05: Vendor accepted the vulnerability
2019-07-17: The vulnerability has been fixed
2019-08-20: Advisory published

Discovered by

Pongtorn Angsuchotmetee
Nissana Sirijirakal 
Narin Boonwasanarak
