
CERT Coordination Center


cPanel XSRF vulnerabilities

Vulnerability Note VU#584089

Original Release Date: 2008-04-30 | Last Revised: 2008-07-30

Overview

cPanel contains multiple cross-site request forgery (XSRF) vulnerabilities. If successfully exploited, these vulnerabilities may allow an attacker to execute arbitrary commands.

Description

cPanel, a web-based tool that is designed to automate and control web sites and servers, contains multiple cross-site request forgery (XSRF) vulnerabilities. These vulnerabilities may be triggered by a remote attacker who convinces an administrator to browse to a malicious website while logged into their cPanel account.

Impact

An attacker may be able to perform actions that only authorized administrators should be able to execute.

Solution

We are currently unaware of a practical solution to this problem.

Enable referrer checking

Referrer checking may mitigate some XSRF attacks. To enable referrer checking, follow the steps below. Note that referrer checking may cause some applications to fail.

    1. Navigate to Server configuration
    2. Go to Tweak Settings
    3. Go to Security in WebHost Manager 
    4. Check the box and save the page
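The referrer check that these steps enable, and the caveat that it can break clients which do not send the header, can be illustrated with a small Python function. This is an added example, not cPanel's or WebHost Manager's code; the host name, port and sample request headers are constructed for the illustration.

```python
"""Referer/Origin check for a browser-based admin interface.

Added illustration, not cPanel's code. A request is accepted only when the
browser reports that it came from a page on the admin host itself
(EXPECTED_HOST and the sample requests are constructed for this example).
Requests with no Referer or Origin are handled by a policy flag: some
browsers, proxies and privacy extensions strip these headers, and a strict
check then breaks legitimate use, which is the caveat the note raises.
"""
from urllib.parse import urlsplit

EXPECTED_HOST = "whm.example.test:2087"  # constructed: host:port the panel is served from


def source_host(headers):
    """Extract host[:port] from the Origin header, falling back to Referer.

    Returns None when neither header is present, or "" when the value does not
    parse as a web URL (for instance the literal Origin value "null").
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return None
    parsed = urlsplit(source)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return ""
    # Drop any userinfo: "https://whm.example.test:2087@other.example/" must
    # resolve to other.example, not to the panel host embedded before the "@".
    return parsed.netloc.rsplit("@", 1)[-1].lower()


def referrer_allowed(headers, expected_host=EXPECTED_HOST, allow_missing=False):
    """Decide whether a request passes the referrer check.

    The check is applied to every request, not only to POST: exempting GET
    would leave any action triggered by a plain link unprotected.
    allow_missing=True is the lenient mode that keeps clients which strip the
    header working, at the cost of accepting forged requests from them too.
    """
    host = source_host(headers)
    if host is None:
        return allow_missing
    return host == expected_host.lower()


# Constructed sample requests: the headers a forged and a legitimate request
# would carry when the logged-in administrator's browser submits them.
SAMPLE_REQUESTS = {
    "same-origin form": {"Referer": "https://whm.example.test:2087/scripts/adduser"},
    "forged from other site": {"Referer": "https://attacker.example/page.html"},
    "forged, userinfo trick": {"Referer": "https://whm.example.test:2087@attacker.example/"},
    "origin null (sandboxed)": {"Origin": "null"},
    "header stripped": {},
}


def evaluate_samples(allow_missing=False):
    """Run the check over the samples; returns {label: accepted}."""
    return {label: referrer_allowed(hdrs, allow_missing=allow_missing)
            for label, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"allow_missing={mode}")
        for label, ok in evaluate_samples(mode).items():
            print(f"  {'accept' if ok else 'reject':6}  {label}")
```

Running the block prints the verdict for each sample under both policies. The "header stripped" row is the one the note's caveat is about: strict mode rejects it (and so breaks any client that does not send a Referer), lenient mode accepts it (and so also accepts a forged request from such a client). Origin is consulted before Referer because browsers send it on cross-site form submissions even when a Referer policy suppresses the path.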

Do not browse to untrusted sites

Administrators can mitigate XSRF vulnerabilities in cPanel and other browser-based tools by not browsing to untrusted websites while logged into their account.

Vendor Information


cPanel Inc.

Notified: April 22, 2008 | Updated: April 28, 2008

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Credit

Thanks to Michael Brooks for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2008-2043
Severity Metric: 2.25
Date Public: 2008-04-17
Date First Published: 2008-04-30
Date Last Updated: 2008-07-30 19:10 UTC
Document Revision: 21

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.