R o o t s e c u r e . n e t
The Security News Site For Systems Administrators & Hackers Friday, 24th October 2014 @ 12:58:49 GMT 
Reports | Invision Board On Cpanel 5.3.0 CSS
{21st Feb 2003}
Invision web discussion boards/forums (and other similarly coded applications) which are located on hosting accounts set up using Cpanel specifically version "5.3.0-RELEASE #117" and below (other versions have not been tested) are vulnerable to standard CSS (Cross site scripting) attacks due to poor filtering in Cpanels version of Matt Wright's popular formmail.cgi script.  This same CSS problem believed to be specifically for Matt Wright's formmail was posted to Bugtraq on 11/02/03.

Rootsecure.net recently verified this attack against a Cpanel running both a bundled version of Invision board 1.0.1 and a custom installed 1.1a.  It should be noted that this is no fault with Invisions product, as with most other web applications cookies are assumed to be private and unknown to outside parties.  It is also difficult to implement additional verification to prevent this attack being successful.

If successfully exploited, an attacker is able to have full control over the users accounts, and if that user has moderator status so will the attacker.  At this point administrative access can not be gained due to an additional separate session based authentication system on the admin module.  However if the attack was carried out against a user with administrative access rights, the attacker may try brute forcing the users MD5 hash (6 or less characters on a reasonable spec'ed machine will take an hour or so, anything bigger and your looking it days) with a utility such as mdcrack.

Mitigating circumstances for the targeted user:
* Must have autologon enabled
* Has to visit a page set by the attacker (unless the board has HTML enabled)
* Most likely must be using Internet Explorer 6.0 due to its lax processing of Java Script code which does not adhere to standards.
* Must have Java Script turned on (configurations other than default have not been tested)

Requirements for the attacker to implement the attack from scratch:
* An understanding of the HTTP protocol
* A server supporting a scripting language such as Perl
* Access to a LAN with knowledge of using a Port Sniffer such as ethereal
(for gathering raw HTTP traffic to use as a template for the attack)

Note: This report is intentionally a brief outline of the process used by Rootsecure.net to gain authorised access to an account for which it did not know the password.  More details may be forthcoming depending on the availability / implementation of patches for this issue.

Cpanel the vendor was informed about this issue on 21/02/03 by Rootsecure.net.  Soon after an email was received asking for specific details of the attack, which were provided.  Rootsecure.net now awaits a response as to its query on a patch for it.

Update: Cpanel are having difficulties reproducing the issue, Rootsecure.net is providing assistance.

Thanks to Epiphany of port7alliance.com for his assistance.