|
|
>> cPanel Cross Site Scripting and Request Forgery Vulnerabilities
|
Title : cPanel Cross Site Scripting and Request Forgery Vulnerabilities
VUPEN ID : VUPEN/ADV-2008-1522
CVE ID : CVE-2008-2070 - CVE-2008-2071
Rated as : Moderate Risk 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2008-05-14
|
Two vulnerabilities have been identified in cPanel, which could be exploited by attackers to execute arbitrary scripting code or manipulate certain data.
The first issue is caused by input validation errors in various scripts (e.g. "scripts2/knowlegebase", "scripts2/changeip" and "scripts2/listaccts") when processing user-supplied data, which could be exploited by attackers to cause arbitrary scripting code to be executed by a user's browser in the security context of an affected Web site.
The second vulnerability is caused by input validation errors in the web interface when processing HTTP requests, which could be exploited to conduct cross site request forgery attacks and e.g. add new users or restart a service by tricking a user into visiting a specially crafted web page.
Affected Products
cPanel versions 11.x
Solution
Upgrade to the latest version :
https://www.cpanel.net/support/downloads/downloads.htm
References
http://www.vupen.com/english/advisories/2008/1522
Credits
Vulnerabilities reported by Matteo Carli.
ChangeLog
2008-05-14 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
