[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via script injection.

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via script injection.
From: "Zackarin Smitz" <zackerius12@xxxxxxxxxxxxx>
Date: Mon, 06 Jun 2005 13:57:55 +0800

Subject:
Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to
plain-text session credential leakage via script injection.

Severity:
High; Full access to all client functions can be obtained with little effort,
putting entire installations of the software and its users at risk.

Preamble:
(Taken from http://www.lpanel.net/)
Lpanel is a Complete Web Hosting Billing & Automation Suite that installs over
cPanel, WHM.

Created from the ground up from cPanel by web hosting administrators, Lpanel
has everything a cPanel hosting business needs and will ever need. Constantly
expanding to meet the quickly developing web hosting market, Lpanel is the only
complete management solution available today for cPanel web hosts. From
multi-staff tiers, automated signups, reseller management, network utilities,
automated SSL, as well as a full array of ?Added Services? and detailed
efficiency reports - Lpanel is always steps ahead of the rest.

Problem:
Lpanel.NET's Lpanel is vulnerable to plain-text credential leakage due to a bug
in the use of a GET variable within the system. Using this bug maliciously, an
attacker could gain unauthorized access to the plain-text session credentials
of other users in the system. The attacker needs absolutely no access to the
system to exploit this vulnerability. The targeted variable is the ?pid? GET
variable, often sent to view_ticket.php (i.e.
http://yourdomain.com/lpanel/help/view_ticket.php?pid=50). An attacker can
insert malicious URL encoded javascript into the GET variable, and cause view
clients to forfeit their session information to javascript. An example
malicious URL would be:

http://yourdomain.com/lpanel/help/view_ticket.php?pid=%22%3E%3C%2Ftd%3E%3Cscript+language%3Djavascript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

However the above URL does not actually instruct the client's browser to send
out the session information, it merely proves the validity of the
vulnerability. Thus an attacker could persuade an innocent system user to click
the link, and with the appropriate javascript inserted into the URL, have
session information forwarded to themselves, thus giving them access to that
client's session. Once session information was acquired, the attacker would
need simply to insert the user's session information as cookies into their own
browser, and hit the installation of Lpanel, thus gaining full unauthorized
access to the user's account, credentials, and functions.

Workaround:
This bug can be fixed by securing the ?pid? variable before use. An alternative
workaround would be to use another vendor, that secures user input. Perhaps
this vulnerability would've been caught in the initial stages of development
had the product been released open source, making case for one to seek out an
open source solution, or at least a solution with a better proven track record.
?Lpanel is always steps ahead of the rest.? -- Negative.

Vendor Contact:
Lpanel.NET's Lpanel
URL: http://www.lpanel.net/
Email: sales@xxxxxxxxxx (I was unable to find a more relevant email contact)
Mailing Address:
Lpanel.NET
PO Box 940876
Miami, Florida 33194-0056
United States
Phone: 614-441-4838

Disclosure Timeline:
Vendor Notified: June 6, 2005
Public Release: June 6, 2005

About the Author:
The author is in between life paths at the moment, but is currently a software
engineer at a company to remain unnamed. When not at his computer, the author
enjoys doing a great many things, most of which he has lost all time for, or
lacks people to do those things with in his current lifestyle. As such he finds
more time for work, or just visits Blockbuster, and when all else fails,
fabricates reports such as this.

The author is posting this message anonymously in order to avoid potential
legal consequences, although he is having trouble seeing any potential
consequences as feasible, considering the vendor does not release a plain-text
version of their license (the license is actually encoded, and when viewed,
renders a PHP parse error).

Greets:
I'd like to say hi to the team with which I work; you're all great. I'd also
like to say hello to swoolley and tautology.

--
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Re: LSS.hr false positives. (correction)
Next by Date: [Full-disclosure] Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to close any support ticket within the system.
Previous by thread: [Full-disclosure] Re: LSS.hr false positives. (correction)
Next by thread: [Full-disclosure] Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to close any support ticket within the system.
Index(es):
- Date
- Thread