Tag Archives: RCE

Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks

CentOS Web Panel

Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers.

Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion vulnerability, which occurs when a web application is tricked into exposing or running arbitrary files on the web server.

Control Web Panel, previously CentOS Web Panel, is an open-source Linux control panel software used for deploying web hosting environments.

Automatic GitHub Backups

Specifically, the issue arises when two of the unauthenticated PHP pages used in the application — “/user/login.php” and “/user/index.php” — fail to adequately validate a path to a script file, according to Octagon Networks’ Paulos…


Source link

Web hosting platform cPanel & WHM is vulnerable to authenticated RCE


Adam Bannister

11 August 2021 at 10:58 UTC

Updated: 11 August 2021 at 11:02 UTC

Pen testers and vendor disagree over appropriate mitigations

Security researchers have achieved remote code execution (RCE) on web hosting platform cPanel & WHM after bypassing CSRF protections and escalating privileges via a stored cross-site scripting (XSS) vulnerability.

cPanel & WHM is a suite of Linux tools that enable the automation of web hosting tasks via a graphical user interface (GUI). cPanel is used in the hosting of more than 168,000 websites, according to Datanyze.

During a black-box pen test, RCE was also demonstrated via a “more convoluted” cross-site WebSocket hijacking attack that was…


Source link