Remote code execution (RCE) and privilege escalation vulnerabilities in the web hosting platform cPanel & WHM were discovered by security researchers during a black-box penetration test. cPanel is part of a software suite called cPanel & WHM: cPanel provides management of a single hosting account, while cPanel & WHM lets users control the entire server.
XSS vulnerability
Adrian Tiron, a cloud application security marketing consultant at UK infosec agency Fortbridge, published a post on the multiple vulnerabilities in cPanel & WHM that the Fortbridge team discovered during the pentest. The most important one is a privilege escalation via stored XSS. This XSS vulnerability gives a user the ability to escalate privileges and execute commands on the server as root.
Tiron explained the XSS vulnerability, saying,
Whilst disclosing these bugs to the cPanel/WHM team, we discovered the pentested cPanel account was a reseller account with the permission to edit locales; thus, this is not a default setting. The XSS vulnerability which we will present is considered a feature, and it was not fixed.
The second significant finding is an HTML injection vulnerability. According to Fortbridge’s team, this vulnerability is enough to bypass the CSRF/referrer-leak protection. The researcher recommends applying filtering or encoding to the vulnerable input to mitigate this vulnerability.
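The mitigation named above, encoding user-controlled input before it is placed in a page, is shown below as an added example; it is not code from Fortbridge, cPanel or the report. It assumes the injected value is text a reseller submits (such as an edited locale string) that the application later renders into HTML, and uses a constructed sample value rather than anything from the advisory. The weak pattern is shown beside the corrected one, together with a check a reviewer or unit test can use to confirm the user text arrives in the output in inert, encoded form.

```python
import html
import re

# Constructed sample input (not a value from the report): text an untrusted
# reseller could submit for a locale string that is later rendered in a page.
CONSTRUCTED_LOCALE_TEXT = 'Hello "guest" <b onmouseover=x>name</b>'

# Characters that must never reach the page unencoded when they came from user input.
RAW_MARKUP_CHARS = re.compile(r'[<>"\']')


def render_unencoded(label: str) -> str:
    """The weak pattern: user text is concatenated straight into markup,
    so any tags or attribute quotes it contains become part of the page."""
    return f'<span class="locale-label">{label}</span>'


def encode_for_html(value: str) -> str:
    """Encode & < > " ' so the value is treated as text in element content
    and inside double- or single-quoted attribute values."""
    return html.escape(value, quote=True)


def render_encoded(label: str) -> str:
    """The corrected pattern: every user-controlled value is encoded at the
    point where it is inserted into HTML element content."""
    return f'<span class="locale-label">{encode_for_html(label)}</span>'


def render_encoded_attribute(label: str) -> str:
    """Same rule for a quoted attribute context (e.g. pre-filling an edit form).
    The hypothetical field name 'locale_text' is an assumption for the example."""
    return f'<input type="text" name="locale_text" value="{encode_for_html(label)}">'


def user_text_is_inert(user_text: str, rendered: str) -> bool:
    """Reviewer/unit-test check: the encoded form of the user text must appear
    verbatim in the rendered output, and that encoded form must contain no raw
    markup characters. Template markup around it is not inspected, so the check
    only judges what came from the user."""
    encoded = encode_for_html(user_text)
    if encoded not in rendered:
        return False
    return RAW_MARKUP_CHARS.search(encoded) is None


if __name__ == "__main__":
    weak = render_unencoded(CONSTRUCTED_LOCALE_TEXT)
    fixed = render_encoded(CONSTRUCTED_LOCALE_TEXT)
    print("unencoded :", weak, "| inert:", user_text_is_inert(CONSTRUCTED_LOCALE_TEXT, weak))
    print("encoded   :", fixed, "| inert:", user_text_is_inert(CONSTRUCTED_LOCALE_TEXT, fixed))
    print("attribute :", render_encoded_attribute(CONSTRUCTED_LOCALE_TEXT))
```

The design choice worth noting is that encoding happens at the output point, per context, rather than by stripping characters on input: a locale string may legitimately need a quote or an angle bracket as visible text, and encoding preserves it as text while removing its meaning as markup.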

cPanel’s release manager Cory McIntire talked about the vulnerability, saying,
“To protect themselves, the server admin would simply have to remove any Locale Super Privileges granted to ‘untrusted’ resellers. We appreciate Fortbridge’s responsible disclosure to us and hope that these explanations will ease any worries our customers may have regarding this issue.”
cPanel updated its documentation titled “Edit Reseller Nameservers and Privileges” on 5 August. Users can set cPanel account creation limits and quotas for resellers. Tiron added that cPanel was notified of the vulnerabilities during May and June of this year.