SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#584089

cPanel XSRF vulnerabilities

Overview

cPanel contains multiple cross-site request forgery (XSRF) vulnerabilities. If successfully exploited, these vulnerabilities may allow an attacker to execute arbitrary commands.

I. Description

cPanel is a web-based tool that is designed to automate and control web sites and servers.

cPanel contains multiple cross-site request forgery (XSRF) vulnerabilities. These vulnerabilities may be triggered by a remote attacker who convinces an administrator to browse to a malicious web site while logged into their cPanel account.

II. Impact

An attacker may be able to take actions that only authorized administrators should be able to execute.

III. Solution

We are currently unaware of a practical solution to this problem.

Enable referrer checking

Referrer checking may mitigate some XSRF attacks. To enable referrer checking, follow the below steps. Note that referrer checking may cause some applications to fail.

  1. navigate to Server configuration
  2. go to Tweak Settings
  3. go to Security in WebHost Manager
  4. check the box and save the page

Do not browse to untrusted sites

Administrators can mitigate XSRF vulnerabilities in cPanel and other browser-based tools by not browsing to untrusted websites while logged into their account.

Systems Affected
VendorStatusDate Updated
cPanel Inc.Vulnerable28-Apr-2008

References


http://www.rooksecurity.com/blog/?p=7
http://changelog.cpanel.net/
http://www.owasp.org/index.php/Cross-Site_Request_Forgery
http://en.wikipedia.org/wiki/XSRF
http://secunia.com/advisories/30027/

Credit

Thanks to Michael Brooks for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public04/17/2008
Date First Published04/30/2008 03:47:27 PM
Date Last Updated05/13/2008
CERT Advisory 
CVE NameCVE-2008-2043
US-CERT Technical Alerts 
Metric2.25
Document Revision20

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader