Affected Versions:
CPanel 11. x vulnerability description:
Bugtraq id: 37394
CPanel is a Web-based tool used to automatically control websites and servers.
CPanel does not properly filter the fileop parameters submitted to frontend/x3/files/fileop.html and returns them to the user. Remote attackers can execute cross-site scripting attacks by submitting malicious parameter requests, execute arbitrary code in the user's browser session. <* Reference
R7e@HoTMaiL.coM (RENO)
Http://secunia.com/advisories/37826/
*>
Test method:
The Program (method) provided on this site may be offensive and only used for security research and teaching. You are at your own risk! Http://www.example.com: 2082/frontend/x3/files/fileop.html? Opdir = [PATH] & amp; opfile = [FILENAME] & amp; fileop = XSS
The http://www.example.com: 2082/frontend/x3/files/dofileop.html? Fileop = & amp; opdir = & amp; opfile = & amp; dir = % 2 fhome % 2 fuser % 2 ftmp & amp; fileop = HaCkED % 20by % 20 RENO
Security suggestions:
Vendor patch:
CPanel
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.cpanel.net //