Vendor patched the vulnerability in October after a red team alert
A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).
The corresponding vulnerability in CWP 7 was patched and then released in version 0.9.8.1147 on October 25. All previous versions are affected.
CWP, formerly CentOS Web Panel, is a free-to-use, Linux control panel with roughly 200,000 servers in active use.
Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version.
The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.
Double quotes problem
The flaw resides in the /login/index.php component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.
According to Türle, it resulted from CWP using the following structure to log incorrect entries: echo "incorrect entry, IP address, HTTP_REQUEST_URI" >> /blabla/wrong.log
“Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as $(blabla), which is a bash feature,” he said.
“They have made the request URI into escapeshellarg, but double quotes are interpreted on the bash side. It is actually just a problem with double quotes. It was a small problem but could be very annoying.”
Türle said the bug emerged from zero-day research undertaken on third-party applications used by customers of Gais Security.
“We discovered this vulnerability in July 2022 and closed the ports by first notifying our customers,” he said.
CWP was notified and remediation began on July 30. “Since it was a busy period, we sent the full report to the CWP team on 22.10.2022. The CWP team submitted a special version within two days and we confirmed that we were able to reproduce the vulnerability and submitted a new report.”
Türle praised CWP’s security team for a “very fast fix”.
“While vulnerabilities that I have previously communicated to other companies can take almost one to three months, the CWP team closed the vulnerability in two days,” he added.
The Daily Swig has contacted CWP for comment and will update this article accordingly if they do so.