Security
Headlines
HeadlinesLatestCVEs

Headline

Exploit drops for remote code execution bug in Control Web Panel

Vendor patched the vulnerability in October after a red team alert

PortSwigger
#vulnerability#web#linux#git#rce#auth#zero_day

Adam Bannister 06 January 2023 at 15:40 UTC

Vendor patched the vulnerability in October after a red team alert

A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).

The corresponding vulnerability in CWP 7 was patched and then released in version 0.9.8.1147 on October 25. All previous versions are affected.

CWP, formerly CentOS Web Panel, is a free-to-use, Linux control panel with roughly 200,000 servers in active use.

DON’T MISS Tell us what you think of The Daily Swig to be in with a chance of winning Burp Suite swag

The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security.

Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version.

The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.

Double quotes problem

The flaw resides in the component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

According to Türle, it resulted from CWP using the following structure to log incorrect entries:

“Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as , which is a bash feature,” he said.

“They have made the request URI into , but double quotes are interpreted on the bash side. It is actually just a problem with double quotes. It was a small problem but could be very annoying.”

Timeline

Türle said the bug emerged from zero-day research undertaken on third-party applications used by customers of Gais Security.

“We discovered this vulnerability in July 2022 and closed the ports by first notifying our customers,” he said.

CWP was notified and remediation began on July 30. “Since it was a busy period, we sent the full report to the CWP team on 22.10.2022. The CWP team submitted a special version within two days and we confirmed that we were able to reproduce the vulnerability and submitted a new report.”

Türle praised CWP’s security team for a “very fast fix”.

“While vulnerabilities that I have previously communicated to other companies can take almost one to three months, the CWP team closed the vulnerability in two days,” he added.

The Daily Swig has contacted CWP for comment and will update this article accordingly if they do so.

YOU MAY ALSO LIKE Tesla tackles CORS misconfigurations that left internal networks vulnerable

Related news

Control Web Panel Unauthenticated Remote Command Execution

Control Web Panel versions prior to 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running.

Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability

Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022. Control

Control Web Panel 7 Remote Code Execution

Control Web Panel 7 versions prior to 0.9.8.1147 suffer from an unauthenticated remote code execution vulnerability.

CVE-2022-44877: # Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

PortSwigger: Latest News

We’re going teetotal: It’s goodbye to The Daily Swig