[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] cgiemail (included with cPanel) local file inclusion vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] cgiemail (included with cPanel) local file inclusion vulnerability
From: Finbar Crago <finbar.crago@xxxxxxxxx>
Date: Wed, 19 Oct 2016 07:02:17 +1100

cgiecho a script included with cgiemail will return any file under a
websites document root if the file contains square brackets and the
text within the brackets is guessable.

e.g: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass'] will
display http://hostname/login.php if it contains $_POST['pass']

This behaviour is listed as a 'small risk' in the original
documentation (and back in 1998 it probably was). The issue is that
cgiemail is still shipped with cPanel (enabled by default) and while
they acknowledge the risks in the hosting administration panel i am
unable to find any reference to this on the hosting client side.

Considering how wide spread cPanel usage is and how easy this is to
exploit i feel it should have a little more exposure...

http://web.mit.edu/wwwdev/cgiemail/webmaster.html#security
http://documentation.cpanel.net/display/1144Docs/Tweak+Settings+-+Security#TweakSettings-Security-CGIEmailandCGIEcho

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] [ERPSCAN-16-030] SAP NetWeaver - buffer overflow vulnerability
Next by Date: [FD] Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles
Previous by thread: [FD] [ERPSCAN-16-030] SAP NetWeaver - buffer overflow vulnerability
Next by thread: [FD] Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles
Index(es):
- Date
- Thread