The unprivileged user portal part of CentOS Web Panel is affected by SQL Injection and Command Injection vulnerabilities, leading to root Remote Code Execution.
“CentOS Web Panel – a Free Web Hosting control panel designed for quick and easy management of (Dedicated & VPS) servers minus the chore and effort to use ssh console for every time you want to do something, offers a huge number of options and features for server management in its control panel package”. For more information visit http://centos-webpanel.com/.
During the password reset procedure, which is available by default at http://cwp.local:2083/login/index.php?acc=newpass, it is possible to inject additional SQL query parameters via the idsession HTTP POST parameter.
By injecting additional query results, it is possible to inject shell commands into the subsequent shell_exec call and gain complete control over the CentOS Web Panel host (the panel runs with root privileges).
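The defensive counterpart to the chain described above, written here as an added example and not taken from CentOS Web Panel's own code: the session token is validated before it reaches SQL, the lookup is parameterised so the token can never alter the query, and the value read back from the database is allow-listed before it is placed into an argv array that is executed without a shell. The table layout, the 32-hex-digit token format and the reset helper path are assumptions for illustration only.

```python
import re
import sqlite3

# Constructed sample data standing in for the panel's session table (assumption).
_SCHEMA = "CREATE TABLE sessions (idsession TEXT PRIMARY KEY, username TEXT NOT NULL)"
_ROWS = [
    ("3f9a0c1b2d4e5f60718293a4b5c6d7e8", "alice"),
    ("00112233445566778899aabbccddeeff", "bob"),
]

# A reset token is opaque and issued by the application itself, so anything
# that is not exactly 32 lowercase hex digits is rejected before any query runs.
_SESSION_RE = re.compile(r"\A[0-9a-f]{32}\Z")

# Conservative Unix account-name allow-list, applied to data read back from the
# database: once a SQL injection bug has existed, stored rows are untrusted too.
_USERNAME_RE = re.compile(r"\A[a-z_][a-z0-9_-]{0,31}\Z")

# Hypothetical helper path; a real deployment would point at its own tool.
_RESET_HELPER = "/path/to/reset-helper"


def open_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(_SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", _ROWS)
    return conn


def lookup_username(conn, idsession):
    """Resolve a reset token to a username; None for malformed or unknown tokens."""
    if not isinstance(idsession, str) or not _SESSION_RE.match(idsession):
        return None  # malformed input never reaches the database
    # Bound parameter: the token is data, never part of the SQL text.
    row = conn.execute(
        "SELECT username FROM sessions WHERE idsession = ?", (idsession,)
    ).fetchone()
    return row[0] if row else None


def build_reset_command(username):
    """Return the argv list for the reset helper, or raise if the name is unsafe.

    The caller runs this with subprocess.run(argv) (shell=False), so no shell
    metacharacter interpretation takes place; the allow-list is defence in depth.
    """
    if not _USERNAME_RE.match(username):
        raise ValueError("refusing to pass an unexpected username to a system command")
    return [_RESET_HELPER, "--user", username]


def handle_reset(conn, idsession):
    """Full flow: token -> username -> argv. Returns None when the request is rejected."""
    username = lookup_username(conn, idsession)
    if username is None:
        return None
    return build_reset_command(username)
```

The two checks are independent on purpose: the parameterised query alone closes the SQL injection, and the allow-list plus argv execution alone closes the command injection, so a regression in one layer does not reopen the root shell.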
A remote unauthenticated attacker can gain root remote access to the CentOS Web Panel host.
Upgrade to the latest available version of CentOS Web Panel. (Note: the affected code is not versioned and we did not verify the patch.)
This advisory was first published on https://www.shielder.it/advisories/centos-web-panel-idsession-root-rce/ on 12 April 2021.