Some serious security vulnerabilities exist in the web hosting platform cPanel & WHM, allowing for remote attacks. Some of the bugs stem from an intended feature and therefore remain unfixed.
cPanel & WHM Vulnerabilities
Researchers from the UK-based cybersecurity firm Fortbridge have found numerous security issues in the popular web hosting platform.
In a recent blog post, Adrian Tiron, Cloud AppSec Consultant at Fortbridge, explained that exploiting the vulnerabilities allows remote code execution attacks on cPanel & WHM.
Briefly, the researchers spotted the bugs during a black-box pentest of cPanel/WHM, a platform that supports entire server administration.
One of the bugs is an XML External Entity (XXE) vulnerability that existed in the reseller account the researchers tested. The issue arose because the account had the privileges to edit or add locales in XML/XLF format. Exploiting it, however, required the adversary to have authenticated access with a reseller account holding those privileges, since that is not the default configuration.
While trying to exploit that XXE, the researchers found another bug, a stored XSS, that would allow an adversary to gain elevated privileges and execute root commands on the server.
Alongside this one, they also spotted another security issue, a CSRF vulnerability. cPanel did have CSRF prevention in place; however, they could bypass this measure through HTML content injection, setting the referrer meta tag to “unsafe-url”.
Consequently, they demonstrated how they could execute a WebSocket hijacking attack to run commands on the server.
Partial Patches Deployed
Upon discovering the bugs, the researchers reached out to cPanel & WHM to report the matter.
However, the vendor fixed only the XXE bug, declining to patch the others on the grounds that exploiting them required “super privileges” not available in the default configuration.
According to the vendor’s statement to DailySwig, they have already documented the “super privileges” a reseller account gains. Thus, the onus of server security falls on the users (and not the vendors).
We appreciate Fortbridge’s responsible disclosure to us and hope that these explanations will ease any worries our customers may have regarding this issue.
It is of utmost importance that you only give Super Privileges to people you would trust with root on your server.