[Full-disclosure] Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to respond to any support ticket on the system.

["Zackarin Smitz" <zackerius12@xxxxxxxxxxxxx>]

Subject:
Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in 
that it allows an attacker to respond to any support ticket on the system.


Severity:
Average; Depending upon how the attacker exploits this, this vulnerability 
could be extremely severe, but for the most part is average, and can only cause 
frustration and confusion among the support department.


Preamble:
(Taken from http://www.lpanel.net/)
Lpanel is a Complete Web Hosting Billing & Automation Suite that installs over 
cPanel, WHM.

Created from the ground up from cPanel by web hosting administrators, Lpanel 
has everything a cPanel hosting business needs and will ever need. Constantly 
expanding to meet the quickly developing web hosting market, Lpanel is the only 
complete management solution available today for cPanel web hosts. From 
multi-staff tiers, automated signups, reseller management, network utilities, 
automated SSL, as well as a full array of ?Added Services? and detailed 
efficiency reports - Lpanel is always steps ahead of the rest.


Problem:
The file view_ticket.php displays a form to the user, that allows responses to 
be posted to tickets. However the ?pid? POST variable is not authenticated 
against the current session after being posted. As such, an attacker could 
modify the form displayed by this file (i.e. 
http://yourdomain.com/lpanel/help/view_ticket.php?pid=50), and merely change 
the action attribute of the form element to a full URI, and also change the 
support ticket ID represented by the ?pid? POST variable to the support ticket 
the attacker wishes to respond to. The attacker must have an unprivileged user 
account on the system. Once the form has been modified, a simple post will 
render a response to the support ticket specified by ?pid?.


Workaround:
This bug can be fixed by checking that the ?pid? GET variable actually 
represents a support ticket owned by the user of the current session.


Vendor Contact:
Lpanel.NET's Lpanel
URL: http://www.lpanel.net/
Email: sales@xxxxxxxxxx (I was unable to find a more relevant email contact)
Mailing Address:
  Lpanel.NET
  PO Box 940876
  Miami, Florida 33194-0056
  United States
Phone: 614-441-4838


Disclosure Timeline:
Vendor Notified: June 6, 2005
Public Release: June 6, 2005


About the Author:
The author is in between life paths at the moment, but is currently a software 
engineer at a company to remain unnamed. When not at his computer, the author 
enjoys doing a great many things, most of which he has lost all time for, or 
lacks people to do those things with in his current lifestyle. As such he finds 
more time for work, or just visits Blockbuster, and when all else fails, 
fabricates reports such as this.

The author is posting this message anonymously in order to avoid potential 
legal consequences, although he is having trouble seeing any potential 
consequences as feasible, considering the vendor does not release a plain-text 
version of their license (the license is actually encoded, and when viewed, 
renders a PHP parse error).


Greets:
I'd like to say hi to the team with which I work; you're all great. I'd also 
like to say hello to swoolley and tautology.

-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/