Security researchers at FortBridge recently achieved remote code execution and privilege escalation on cPanel and WHM, the popular web hosting control panel software, by way of a stored cross-site scripting (XSS) flaw.
cPanel Flaws Discovered During Black-Box Pentest
The team discovered multiple vulnerabilities in cPanel/WHM during a black-box pentest. The most serious of the bugs is a privilege escalation via stored XSS. Apparently, the pentested cPanel account was in fact a reseller account with permission to edit locales. Furthermore, cPanel considers the XSS behaviour a feature, and it wasn’t fixed. The researchers’ report shows how this “feature” can be abused to escalate privileges to root.
The researchers also demonstrated remote code execution via a “more convoluted” CSRF bypass chained with a cross-site WebSocket hijacking attack, which was possible because the WebSocket endpoints did not check the Origin header of incoming requests. Since Chrome enables SameSite cookie defaults, this attack was tested in Firefox.
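The Origin check whose absence enabled the cross-site WebSocket hijacking step, as an added example that is not cPanel’s or Fortbridge’s code: a handshake validator that normalises the Origin header and compares it against an allowlist. The allowlist, the hostname and the sample handshakes are constructed for the example.

```python
# Added example (not cPanel code): validating the Origin header of a WebSocket
# upgrade request. A browser attaches the page's origin to every WebSocket
# handshake, so comparing it against the panel's own origin stops a page on an
# attacker-controlled site from opening an authenticated socket with the
# victim's cookies (cross-site WebSocket hijacking).
from urllib.parse import urlsplit

# Hypothetical origins the panel is served from (constructed for the example).
ALLOWED_ORIGINS = {"https://panel.example.com:2087", "https://panel.example.com:2083"}


def normalize_origin(origin):
    """Return scheme://host:port with the default port made explicit, or None
    if the value is absent, opaque ("null"), or not a bare origin."""
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # a real Origin value never carries a path or query
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port
        return None
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def handshake_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade request may proceed.

    Policy: the request must be a WebSocket upgrade and its Origin must match
    an allowlisted origin exactly (scheme, host and port). A missing Origin is
    rejected too, so that a session cookie alone can never authorise the socket.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False
    origin = normalize_origin(h.get("origin"))
    if origin is None:
        return False
    return origin in {normalize_origin(a) for a in allowed}


# Constructed sample handshakes: same-origin, cross-site, and edge cases.
SAMPLE_HANDSHAKES = {
    "same_origin": {"Upgrade": "websocket", "Origin": "https://panel.example.com:2087", "Cookie": "session=abc"},
    "cross_site": {"Upgrade": "websocket", "Origin": "https://attacker.example", "Cookie": "session=abc"},
    "scheme_downgrade": {"Upgrade": "websocket", "Origin": "http://panel.example.com:2087", "Cookie": "session=abc"},
    "no_origin": {"Upgrade": "websocket", "Cookie": "session=abc"},
    "null_origin": {"Upgrade": "websocket", "Origin": "null", "Cookie": "session=abc"},
}


def evaluate_samples():
    """Run the policy over every constructed handshake; only same_origin passes."""
    return {name: handshake_allowed(h) for name, h in SAMPLE_HANDSHAKES.items()}
```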
Has cPanel fixed the issues?
The company hasn’t addressed the aforementioned vulnerability. It did, however, fix a separate XXE vulnerability also disclosed by Fortbridge. The reason? Attackers need to be authenticated with a reseller account that has permission to edit locales, a configuration that is not enabled by default.
In a conversation with The Daily Swig, Cory McIntire, product owner on the cPanel security team, said that “the Locale interface can only be used by root and Super Privilege resellers that root must grant this specific ACL to.” He also added that “this is labelled a Super Privilege with a warning icon in the server admin’s WHM interface and also flagged as such in the cPanel documentation.”
In terms of protection, McIntire said that the server admin would need to remove any Locale Super Privileges granted to ‘untrusted’ resellers.
“We appreciate Fortbridge’s responsible disclosure to us and hope that these explanations will ease any worries our customers may have regarding this issue,” he added.
“It is of utmost importance that you only give Super Privileges to people you would trust with root on your server.”
cPanel was notified of the vulnerabilities during May and June 2021. Full technical disclosure is available in Fortbridge’s write-up.