Pen testers and vendor disagree over appropriate mitigations

Security researchers have achieved remote code execution (RCE) and privilege escalation on web hosting platform cPanel & WHM via a stored cross-site scripting (XSS) vulnerability.

cPanel & WHM is a suite of Linux tools that enable the automation of web hosting tasks via a graphical user interface (GUI). cPanel is used in the hosting of more than 168,000 websites, according to Datanyze.

During a black-box pen test, RCE was also demonstrated via a “more convoluted” CSRF bypass chained with a cross-site WebSocket hijacking attack that was possible because WebSockets failed to check their requests’ Origin header, according to a technical write-up published by Adrian Tiron, cloud AppSec consultant at UK infosec firm Fortbridge.

The Websocket hijacking attack was tested in Firefox, since Chrome has SameSite cookies enabled by default.

‘Super Privileges’ required

The web hosting firm has not fixed these flaws – it only patched a separate, XXE vulnerability reported by Fortbridge – because attackers must be authenticated with a reseller account with permission to edit locales, which is not a default configuration.

“The Locale interface can only be used by root and Super Privilege resellers that root must grant this specific ACL to,” Cory McIntire, product owner on the cPanel security team, told The Daily Swig.

This is labelled a ‘Super Privilege’ with a warning icon in the server admins WHM interface and also flagged as such in the cPanel documentation, he added.

DON’T FORGET TO READ Top Hacks from Black Hat and DEF CON 2021

“When you expand this icon, it is explained to the server admin that they will be allowed to insert HTML into this interface, as many of our customers expect to be able to do.”

He added: “Again, this is an option root must enable for the reseller and should only be done so for users that are trusted as though you are giving them root to your server.”

‘Secure by default’

However, Tiron believes the XSS “could have been fixed while maintaining the intended functionality”.

He told The Daily Swig: “What they’re saying is correct, in a sense that this covered by the documentation, but just because it’s documented doesn’t make it secure. People don’t often read documentation and they’re not [usually] security experts either, so they won't be able to make the right decision most of the time.

“We’ve seen this approach quite a lot recently, with other vendors we’ve worked with. The correct approach should be ‘secure by default’, not ‘it’s documented, it’s your responsibility now’.”

Catch up on the latest cybersecurity vulnerability news

The researcher suggests the issue could have been completely mitigated “by applying some filtering/encoding on that vulnerable input”.

He added: “Even if they consider the ‘edit locale’ as a ‘super privilege’ this wasn’t clear to us during the pen test and it was definitely not clear to our customer either.”

cPanel’s McIntire said that to protect themselves the server admin would simply have to remove any Locale Super Privileges granted to ‘untrusted’ resellers.

“We appreciate Fortbridge’s responsible disclosure to us and hope that these explanations will ease any worries our customers may have regarding this issue,” he continued.

“It is of upmost importance that you only give Super Privileges to people you would trust with root on your server.”

Tiron said cPanel was notified of the vulnerabilities during May and June of this year.

RECOMMENDED ‘A whole new attack surface’ – Researcher Orange Tsai documents ProxyLogon exploits against Microsoft Exchange Server