23 Jun, 2023

Cross-Site Scripting Vulnerability Found in cPanel [CVE-2023-29489]

An exploitable reflected cross-site scripting (XSS) vulnerability has been discovered in certain versions of cPanel and has been assigned CVE-2023-29489. This vulnerability allows attackers to execute arbitrary JavaScript code without requiring authentication. Even if the cPanel management ports are not externally exposed, the XSS vulnerability can still be exploited. Websites on ports 80 and 443 are also susceptible to this vulnerability if they are managed by cPanel.

If an attacker targets a logged-in cPanel user, they can escalate the XSS vulnerability to execute commands on the system. This allows the attacker to execute arbitrary JavaScript code within the victim’s context on various web server ports, including the default ports used by cPanel. 

Additionally, the “/cpanelwebcall/” directory can be accessed even on ports 80 and 443, as it is proxied to the cPanel management ports by Apache. Consequently, not only can the management ports of cPanel be targeted, but also applications running on ports 80 and 443. 

Exploiting this cross-site scripting vulnerability on the cPanel management ports provides an attacker with the opportunity to hijack a legitimate user’s cPanel session. With control over an authenticated user’s cPanel session, it becomes relatively easy for the attacker to upload a web shell and gain command execution. 

Affected Software: The following versions are affected by this cross-site scripting vulnerability: 

< 11.109.9999.116 

< 11.108.0.13 

< 11.106.0.18 

< 11.102.0.31 

About cPanel  

cPanel is a popular web hosting control panel software widely used in the industry. It provides a user-friendly interface and a range of powerful features for managing web hosting environments. cPanel simplifies the management of websites, domains, email accounts, databases, and other aspects of web hosting. 

With cPanel, website owners and administrators can easily perform tasks such as creating and managing email accounts, setting up domain names, configuring DNS settings, managing file and database backups, installing software applications (such as content management systems), monitoring website statistics, and more. 

The control panel offers a graphical user interface (GUI) that makes it accessible to users without extensive technical knowledge. It provides an intuitive dashboard where users can navigate through various sections and access different settings and tools related to their web hosting environment. 

How to Exploit this Vulnerability 

To exploit this vulnerability, it is crucial to have a controlled testing environment with predefined configurations. Note that this vulnerability existed in previous versions of cPanel and has been addressed in the latest updates. To gain practical knowledge and a deeper understanding of the complexities associated with this vulnerability, we will search Shodan for a host that has not yet updated to the most recent versions of cPanel.

Step 1: To find hosts running the cPanel product, visit Shodan in the browser and enter the following query: product:"cPanel" port:2082,2083,2086,2087,2095,2096. This query enumerates hosts that have cPanel installed.

Note: It is important to remember that we are conducting this search on a non-functional site for demonstration purposes. However, it should be emphasized that all the hosts displayed in the results are live. Any assessment or testing should only be performed with explicit permission from the site owner. Ethical conduct must be maintained, as engaging in unauthorized activities may constitute a criminal offence.

Step 2: After identifying the hosts running cPanel, visit the host and attempt to access the "/cpanelwebcall/" path. Once it has been accessed successfully, add the XSS payload <img%20src=x%20onerror="prompt(document.domain)"> to the URL and load the site. A prompt will appear, confirming the success of our reflected XSS attempt. This indicates that the cPanel installation is vulnerable to reflected XSS.

Impact of the vulnerability 

The impact of the CVE-2023-29489 vulnerability is significant, as it allows for the execution of arbitrary JavaScript without authentication on various ports of a webserver running cPanel in its default configuration. 

One of the key factors contributing to this vulnerability is the presence of proxy rules, as mentioned in the previous section. These rules enable access to the /cpanelwebcall/ directory on ports 80 and 443, as Apache proxies requests to the cPanel management ports. 

Exploiting this vulnerability grants attackers the ability to target not only the cPanel management ports but also any applications running on ports 80 and 443. This expands the attack surface and increases the potential impact.

By exploiting the cross-site scripting (XSS) vulnerability present in the cPanel management ports, attackers can hijack legitimate user sessions, gaining unauthorized access. Once they have assumed the identity of an authenticated cPanel user, the next step is typically to upload a web shell, providing them with command execution capabilities. 
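
A defender-side check for the behaviour described above, as an added example that is not part of the original article: it scans Apache combined-format access logs for /cpanelwebcall/ requests whose decoded path carries HTML metacharacters. The log lines are constructed samples, and the rule that a legitimate call identifier never contains such characters is an assumption.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: client address, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Assumption: a legitimate call identifier never contains these characters.
MARKUP_RE = re.compile(r"[<>\"']")
PREFIX = "/cpanelwebcall/"

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_webcall_hits(lines):
    """Return (client, decoded_path, status) for each flagged request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, raw_path, status = match.groups()
        path = decode_fully(raw_path)
        # Only the proxied cPanel path is of interest here.
        if path.startswith(PREFIX) and MARKUP_RE.search(path[len(PREFIX):]):
            hits.append((client, path, int(status)))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [23/Jun/2023:10:00:01 +0000] "GET /cpanelwebcall/AAAAAAAAAAAA HTTP/1.1" 400 120 "-" "curl/8.0"',
    '198.51.100.7 - - [23/Jun/2023:10:00:05 +0000] "GET /cpanelwebcall/%3Cimg%20src=x%20onerror=%22prompt(document.domain)%22%3E HTTP/1.1" 400 310 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [23/Jun/2023:10:00:09 +0000] "GET /cpanelwebcall/%253Cb%253E HTTP/1.1" 400 200 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [23/Jun/2023:10:00:12 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, path, status in suspicious_webcall_hits(SAMPLE):
        print(f"{client} status={status} path={path}")
```

Run it against the virtual-host logs for ports 80 and 443 as well as the management-port logs, since the path is reachable on all of them.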

What Mitigations Can be made to fix this vulnerability? 

To mitigate the CVE-2023-29489 vulnerability, it is crucial to upgrade cPanel to one of the following versions or any higher versions: 

11.109.9999.116 

11.108.0.13 

11.106.0.18 

11.102.0.31 

Updating to these versions ensures that the vulnerability is patched, minimizing the risk of exploitation and protecting the webserver and its associated applications from potential compromise. Timely remediation is essential to safeguard systems and maintain a secure environment. 
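
The version thresholds above apply per release branch, so a single "less than" comparison gives wrong answers (11.108.0.13 is patched although it sorts below 11.109.9999.116). The following added example, not part of the original article, triages an inventory of version strings against the listed fixed builds; the host names and versions are constructed, and the handling of branches the article does not list is an assumption noted in the code.

```python
# Fixed builds per release branch, taken from the advisory text.
FIXED_BUILDS = {
    (11, 102): (0, 31),
    (11, 106): (0, 18),
    (11, 108): (0, 13),
    (11, 109): (9999, 116),
}

def parse_version(text):
    """Turn '11.108.0.13' into (11, 108, 0, 13); reject other shapes."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric components: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(text):
    """True if this version predates the CVE-2023-29489 fix."""
    version = parse_version(text)
    branch, build = version[:2], version[2:]
    if branch in FIXED_BUILDS:
        # Compare only against the fixed build of the same branch.
        return build < FIXED_BUILDS[branch]
    # Assumption: branches newer than the newest listed one carry the fix;
    # branches with no listed fixed build are treated as affected.
    return branch < max(FIXED_BUILDS)

def triage(inventory):
    """Map each host to 'affected', 'patched' or 'unknown'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            report[host] = "unknown"
    return report

# Constructed inventory; host names and versions are illustrative.
INVENTORY = {
    "web01.example.test": "11.108.0.13",
    "web02.example.test": "11.106.0.5",
    "web03.example.test": "11.110.0.5",
    "web04.example.test": "110.0 (build 5)",
}

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host}: {state}")
```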
