cPanel 9.1.0-R85 Remote File Retrieval

Product:
cpanel.net cPanel Web Host Control Panel

Released:
03/13/2004

Description:
cPanel 9.1.0-R85 contains a remote file retrieval vulnerability.

Systems Affected:
cPanel 9.1.0-R85

Technical Description:
Two cPanel programs allow remote users to specify arbitrary files to retrieve from the server. Risk is mitigated because users can only retrieve files from within their user directory. This poses a risk if the administrator has removed the "File Manager" module (note: disabling "File Manager" in WHM only removes the icon from the cPanel front page, not from the webserver entirely), as the user may be able to access files they would otherwise not have the ability to read.

These URLs will retrieve the shadow file from the user's /etc directory (not the system's /etc directory):

  • http://[victim]/frontend/x/cpanelpro/editmsg.html?emaildir=/etc&form=shadow
  • http://[victim]/frontend/x2/err/erredit.html?dir=/etc&file=shadow
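
Detection logic for this issue, as an added example that is not part of the advisory: it parses constructed Apache access-log lines and, for the two scripts named above, checks whether the directory and file parameters, resolved against the account's home directory, fall outside the subtree each script is expected to edit. The expected subtrees (mail, public_html) and the sample log lines are assumptions, and the check also collapses ".." components, which goes beyond the absolute paths the advisory shows.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines for this example (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2004:10:01:02 -0500] "GET /frontend/x/cpanelpro/editmsg.html?emaildir=/etc&form=shadow HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Mar/2004:10:01:09 -0500] "GET /frontend/x2/err/erredit.html?dir=/etc&file=shadow HTTP/1.1" 200 880 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Mar/2004:10:02:11 -0500] "GET /frontend/x2/err/erredit.html?dir=public_html&file=404.shtml HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Mar/2004:10:03:40 -0500] "GET /frontend/x2/err/erredit.html?dir=public_html/../etc&file=shadow HTTP/1.1" 200 880 "-" "Mozilla/4.0"
"""

# Script path -> (directory parameter, file parameter, subtree below the account's home
# that the script legitimately edits). The subtree names are assumptions for this example.
WATCHED = {
    "/frontend/x/cpanelpro/editmsg.html": ("emaildir", "form", "mail"),
    "/frontend/x2/err/erredit.html": ("dir", "file", "public_html"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def escapes_subtree(dir_param: str, file_param: str, subtree: str) -> bool:
    """True when dir/file, resolved against the home directory, lands outside subtree."""
    # An absolute value such as /etc is taken relative to home (~/etc), as the advisory
    # describes; normpath also collapses any '..' components before the check.
    rel = "/".join(p for p in (dir_param, file_param) if p)
    resolved = normpath("/" + rel.lstrip("/"))
    return not (resolved == "/" + subtree or resolved.startswith("/" + subtree + "/"))

def find_suspicious(log_text: str) -> list:
    """Return (ip, script, dir, file, status) for requests reaching outside the expected subtree."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path not in WATCHED:
            continue
        dir_key, file_key, subtree = WATCHED[url.path]
        qs = parse_qs(url.query)
        dir_param = qs.get(dir_key, [""])[0]
        file_param = qs.get(file_key, [""])[0]
        if escapes_subtree(dir_param, file_param, subtree):
            hits.append((m.group("ip"), url.path, dir_param, file_param, m.group("status")))
    return hits
```

Running find_suspicious(SAMPLE_LOG) flags the first, second and fourth constructed lines; the third, which stays inside public_html, is not reported.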

Fix/Workaround:
There is currently no vendor fix for this problem.

Vendor Status:
cPanel was contacted on 3/13/2004. Vendor responded on 3/16/2004 that this was not an issue since "File Manager" cannot be disabled.

Contacts:
sullo@cirt.net

References:
Updated information can be found on OSVDB.org under the following entries:

OSVDB-4216 cPanel erredit.html Arbitrary File Access
OSVDB-4217 cPanel editmsg.html Arbitrary File Access