Advisory Text :  

1. DESCRIPTION OF THE SOFTWARE

cPanel is a hosting automation tool.
WHM interface provides access to the heart of the cPanel and WHM
package
and allows a Server Administrator to simply configure a few options and
be on their way to hosting web sites.

2. DESCRIPTION OF THE VULNERABILITY

There are XSS (identified by CVE-2008-2070) and CSRF (identified by
CVE-2008-2071) vulnerabilities on cPanel software.

On WHM there is a simple pattern for XSS defense, but this function
is not well implemented so it's possible to bypass it using a simple
cheat. This is a simple proof of concept:

>><<<<<<<<<<<<script src="http://malicious.site/code.js" a=>>>>>>>><

In this way the function don't sanitize the string so it's possible
to inject arbitrary JavaScript/HTML code.

WHM provide, to the administrator or reseller, all function for manage
the server via Web interface but don't protect them against Cross
Request Forgery (CSRF).
To exploit this vulnerability is not necessary to inject any kind of
code to the victim.

XSS and CSRF flaw is more simple to exploit with cPanel XMLAPI [1]
that use Authentication Basic of WHM (This API works on the same domain
and port of WHM).

3. ANALYSIS

The XSS flaws are present in any function that manages user input.
An example list of vulnerable functions to XSS are:
* Knowlege Base (/scripts2/knowlegebase?issue=[INJECTION]&domain=)
* Change Ip to domain (/scripts2/changeip?domain=any&user=[INJECTION])
* List user account
(/scripts2/listaccts?searchtype=domain&search=[INJECTION]&acctp=30)

The list above is not complete. It's possible there are other scripts
vulnerable.

The CSRF flaw is in all functions that allow to perfom an action (like
restart of a service or the entire server) with HTTP method.

This vulnerability was tested on WHM 11.15.0 - cPanel 11.18.3-R21703.

4. IMPACT

The XSS can be used for create/modify accounts or retrieve important
informations about them.

With CSRF flaws an attacker can create a new user and gain reseller
privilege to it, restart a service, suspend an account, change the
password of an account and many other really intersting things.
See, for example, "createacct" [2] and "setupreseller" [3] function of
cPanel XML API.

5. SOLUTION

Vendor released a new version where the XSS flaw is resolved and CSRF
mitigated enough to consider it trivial.
Update the cPanel to latest release of yours build.
All 11.18.4+ and 11.22.3+ builds include the patch. [4]

Note that anti-CSRF function use HTTP "Referer" header, please keep in
mind is not difficult for an attacker to modify it in various way.

6. TIME LINE

23/03/2008 - Vulnerability discovered
07/04/2008 - cPanel security team contacted
25/04/2008 - cPanel insert patch in all public builds

7. CVE REFERENCE

CVE-2008-2070 - XSS
CVE-2008-2071 - CSRF

8. REFERENCE

[1] http://www.cpanel.net/plugins/xmlapi/
[2] http://www.cpanel.net/plugins/xmlapi/createacct.html
[3] http://www.cpanel.net/plugins/xmlapi/setupreseller.html
[4] http://changelog.cpanel.net/

--
Matteo Carli