Researchers have discovered two serious security holes in the Control Web Panel that might be used as part of an attack chain to execute pre-authenticated remote code on affected servers.
The vulnerability, identified as CVE-2021-45467, is a file inclusion vulnerability that occurs when a web application is tricked into exposing or running arbitrary files on the webserver.
Control Web Panel, formerly CentOS Web Panel, is a free and open-source Linux control panel software used to set up web hosting environments.
According to Octagon Networks' Paulos Yibelo, who discovered and reported the flaws, the problem arises when two of the application's unauthenticated PHP pages — "/user/login.php" and "/user/index.php" — fail to sufficiently validate a way to a script file.
This means that all an attacker needs to do to exploit the vulnerability is change the include statement, which is used to include the content of one PHP file into another PHP file, to infiltrate malicious code from a sheltered resource and gain code execution.
While the application had protection in place to flag tries to switch to a parent directory as a "hacking attempt," it did nothing to avert the PHP interpreter from receiving a specially formulated string such as ".$00." and actually performing a full bypass.
This not only permits a bad actor to gain entry to restricted API endpoints but it can also be combined with an arbitrary file write vulnerability (CVE-2021-45466) to gain full remote code execution on the server, as shown below —
- Send a file inclusion payload powered by null bytes to include the malicious API key.
- To register to a file, utilize the API key (CVE-2021-45466)
- Include the file we just constructed in (CVE-2021-45467)
If you have any concerns about Critical flaws in the Control Web Panel, please contact us. Please contact Airzero sec if you have any questions or concerns.