Headline
CVE-2019-13477: CentOS-Control-Web-Panel-CVE/CVE-2019-13477.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.
Information
Product : CWP Control Web Panel
Vulnerability Name : Cross Site Scripting
Version : 0.9.8.837
Fixed in : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core)
Reference : http://centos-webpanel.com/
: https://control-webpanel.com/changelog
CVE-Number : CVE-2019-13476
Description
CVE-2019-13476 (XSS) + CVE-2019-13477 (CSRF): chained together, they change the root password without knowing the current password.
Reproduce
- Log in as a normal user
- Click "Email Accounts" under "Email Accounts", then click it again as in the image below
- Click "New MailBox"
- Add a new mailbox and intercept the request (Burp Suite was used to intercept it)
- Insert the payload in the "domain" parameter, then click "Intercept is on" in Burp Suite to forward the request
- The payload is stored successfully (the mailbox does not appear in the user's mailbox panel after the XSS payload is added, but it does appear in the admin panel)
Password-change script (PoC.php)
- Log in as the root user (the victim): user root, password P@ssw0rd
- After logging in, open the left-side tab, click "Email", then click "Email Accounts" under "Email", as in the image below
- The payload is visible
- Clicking any button such as Change Password, Suspend or Delete executes the payload
- After the click the page redirects and the password has been changed to "AttackerPassword"
- Trying to log in with the old password "P@ssw0rd" fails (image below)
- Log in as root with the new password "AttackerPassword"
- Login succeeds
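As an added hardening illustration (not the advisory's PoC.php and not CWP's own code), the hypothetical Python handler below shows the server-side checks that break this chain: the mailbox "domain" field is validated as a strict DNS hostname so script markup is never stored, and a password change requires the current password, a per-session CSRF token and a matching Origin, so a forged request from the admin's browser is refused. Session storage and the plaintext user table are simplifications for the demo.

```python
import hmac
import re
import secrets

# Strict DNS-hostname check for the mailbox "domain" field (the stored-XSS sink):
# labels of 1-63 alphanumerics/hyphens, no leading or trailing hyphen, at least one dot.
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$", re.IGNORECASE)


def is_valid_domain(value):
    """True only for a plain hostname; '<', '>', quotes and spaces can never pass."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


class PasswordChangeHandler:
    """Hypothetical password-change endpoint with CSRF defences (not CWP's code)."""

    def __init__(self, users, allowed_origin):
        self.users = users                  # username -> password (plaintext, demo only)
        self.allowed_origin = allowed_origin
        self.sessions = {}                  # session id -> (username, csrf token)

    def login(self, username, password):
        """Returns a session id on success, None on failure."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (username, secrets.token_urlsafe(32))
        return sid

    def csrf_token(self, sid):
        """Token embedded in the legitimate form; a cross-site page cannot read it."""
        return self.sessions[sid][1]

    def change_password(self, sid, origin, token, current, new):
        """Returns (ok, reason). A forged cross-site request fails every check."""
        if sid not in self.sessions:
            return False, "no session"
        username, expected = self.sessions[sid]
        if origin != self.allowed_origin:              # request came from another site
            return False, "bad origin"
        if not hmac.compare_digest(expected, token):   # token missing or guessed
            return False, "bad csrf token"
        if not hmac.compare_digest(self.users[username], current):
            return False, "wrong current password"    # the check this chain relied on skipping
        self.users[username] = new
        return True, "changed"
```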
Timeline
2019-06-05: Discovered the bug
2019-06-05: Reported to vendor
2019-06-05: Vendor accepted the vulnerability
2019-07-17: The vulnerability has been fixed
2019-08-20: Advisory published
Discovered by
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak