Exploit drops for remote code execution bug in Control Web Panel

A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).

The corresponding vulnerability in CWP 7 was patched in version 0.9.8.1147, released on October 25. All previous versions are affected.

CWP, formerly CentOS Web Panel, is a free-to-use Linux control panel with roughly 200,000 servers in active use.

The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security.

Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version.

The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.

Double quotes problem

The flaw resides in the /login/index.php component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

According to Türle, it resulted from CWP using the following structure to log incorrect entries:

echo "incorrect entry, IP address, HTTP_REQUEST_URI" >> /blabla/wrong.log

“Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as $(blabla), which is a bash feature,” he said.

“They have made the request URI into escapeshellarg, but double quotes are interpreted on the bash side. It is actually just a problem with double quotes. It was a small problem but could be very annoying.”
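To make the quoting mistake concrete, the following is a constructed Python illustration added here (not CWP's code): shlex.quote stands in for PHP's escapeshellarg, the IP address and the $(echo ...) probe in the URI are made-up benign values, and the command is run through /bin/sh against a temporary log file so the logged line can be compared between the pattern the article describes and two safer forms.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed benign probe: a URI carrying a $(...) substitution that only echoes a marker.
PROBE_URI = "/login/index.php?$(echo EXPANDED)"


def vulnerable_command(ip: str, uri: str, log_path: str) -> str:
    """Mirrors the pattern the article describes: the URI goes through
    shlex.quote (the counterpart of escapeshellarg), but the result is then
    embedded inside a double-quoted shell string. Inside double quotes the
    single quotes are literal characters and $(...) is still expanded."""
    return f'echo "incorrect entry, {ip}, {shlex.quote(uri)}" >> {shlex.quote(log_path)}'


def hardened_command(ip: str, uri: str, log_path: str) -> str:
    """Quote the whole message as one single-quoted word. Nothing user
    controlled sits inside double quotes, so the shell performs no expansion."""
    message = shlex.quote(f"incorrect entry, {ip}, {uri}")
    return f"echo {message} >> {shlex.quote(log_path)}"


def run_and_read(builder) -> str:
    """Run the command a builder produces through /bin/sh against a temporary
    log file and return the line that actually landed in it."""
    fd, path = tempfile.mkstemp(prefix="wrong-", suffix=".log")
    os.close(fd)
    try:
        subprocess.run(builder("203.0.113.5", PROBE_URI, path), shell=True, check=True)
        with open(path, encoding="utf-8") as fh:
            return fh.read().rstrip("\n")
    finally:
        os.remove(path)


def append_without_shell(ip: str, uri: str, log_path: str) -> str:
    """The robust fix: never hand untrusted data to a shell at all. Appending
    from the application itself leaves no interpreter to expand anything."""
    line = f"incorrect entry, {ip}, {uri}"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


if __name__ == "__main__":
    print("vulnerable :", run_and_read(vulnerable_command))
    print("hardened   :", run_and_read(hardened_command))
```

In the vulnerable form the marker text replaces the $(...) expression in the log, proving the shell evaluated user input; in both safer forms the probe is logged verbatim.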

Timeline

Türle said the bug emerged from zero-day research undertaken on third-party applications used by customers of Gais Security.

“We discovered this vulnerability in July 2022 and closed the ports by first notifying our customers,” he said.

CWP was notified and remediation began on July 30. “Since it was a busy period, we sent the full report to the CWP team on 22.10.2022. The CWP team submitted a special version within two days and we confirmed that we were able to reproduce the vulnerability and submitted a new report.”

Türle praised CWP’s security team for a “very fast fix”.

“While vulnerabilities that I have previously communicated to other companies can take almost one to three months, the CWP team closed the vulnerability in two days,” he added.

The Daily Swig has contacted CWP for comment and will update this article accordingly if they do so.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/exploit-drops-for-remote-code-execution-bug-in-control-web-panel
