Top web hosting platform could be easily exploited using these threats

(Image credit: Pixabay)
Audio player loading…

Cybersecurity (opens in new tab) researchers have successfully conducted remote code execution (RCE) and privilege escalation attacks on popular web hosting (opens in new tab) control platform cPanel (opens in new tab) & WHM by exploiting a stored cross-site scripting (XSS) vulnerability.

While cPanel (opens in new tab) is limited to managing a single hosting account, cPanel & WHM allows admins to manage the entire server (opens in new tab)

“Our team has found multiple vulnerabilities in cPanel/WHM during a black-box pentest (opens in new tab), the most important one being a privilege escalation via stored XSS,” shared (opens in new tab) Adrian Tiron, co-founder of cloud security (opens in new tab) firm Fortbridge. 

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window (opens in new tab) <<

According to Tiron, the researchers were able to exploit the XSS vulnerability to escalate privileges to root.

Ripe for exploit

Whilst disclosing these bugs to the cPanel & WHM team, the Fortbridge team realized that the pentested cPanel account was a reseller (opens in new tab) account with the permission to edit locales, leading them to conclude that the XSS vulnerability discovered during their pestest “is considered a feature, and it was not fixed.”

The second bug is an HTML injection vulnerability. Although Tiron says this vulnerability is enough to bypass the CSRF/referrer leak protection, the process to exploit it is a lot more “convoluted.”

Fortbridge notified cPanel of the vulnerabilities earlier this year, and the popular control panel updated the relevant portions of its documentation (opens in new tab) earlier this month. 

However, cPanel hasn’t yet fixed the flaws, arguing that threat actors must be authenticated to exploit the vulnerability. 

In a conversation (opens in new tab) with The Daily Swig, Cory McIntire, product owner on the cPanel security team, said “the Locale interface can only be used by root and Super Privilege resellers to whom the root must grant this specific ACL to.”

He added that “this is labelled a Super Privilege with a warning icon in the server admins WHM interface, and also flagged as such in the cPanel documentation.”

In terms of protection, McIntire said that Super Privileges should only be given to people you would trust with root on your server.”

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.