Vulnerability Details :
Type: UI and Permissions Issue
Vulnerable Module: Cpanel File Manager Compress.
Details & Impact : Cpanel File Manager has File/Directory Compression functionality. This function is vulnerable to a critical security issue. Basically, any normal cpanel user while taking file backups select all the files and hit compress. Now the file name is automatically named as the first folder of the directory (ex .well-known) and the file permission is set to 644 which means anyone with the link can download the zip file.
Unlike other web hosting management application cPanel doesn’t ask the users to must enter a file name which makes the whole website vulnerable to source code dump.
I have collected a few technical vectors (based on common directory names) for a wordpress based website . Here is list of them :
[pastacode lang=”markup” manual=”.well-known%0Acgi-bin%0Abackup%0Asite_backup%0Abk%0Adsa%0Awp-admin%0Awp-content%0Awp-includes%0Aapp%0Adb” message=”” highlight=”” provider=”manual”/]
and few extensions.
[pastacode lang=”markup” manual=”.zip%0A.tar%0A.tar.gz%0A.tar.bz2″ message=”” highlight=”” provider=”manual”/]
based on the above information and the bug itself, i wrote a php exploit. which scan a list of domains for above vectors and return the file dump URLs .
I ran this test on random 1000 wp based urls and 18 out of those URLs were vulnerable to source code dump due to this bug with just 11 vectors of directory names.
Impact is quite serious. It’s easy to dork millions of wp or normal websites using cpanel and dump the source codes due to this issue.
I reported this bug to cPanel under their Responsible Disclosure Program but they are not willing to fix it and I am not willing to convince them to fix it.
Exploit Code here is available on github here :
Thank you for reading.
Keep learning 🙂