cPanel: A Widely Used Web Hosting Control Panel Software
cPanel, a popular web hosting control panel software, is a prevalent choice for many websites on the internet. As of now, there are approximately 1.4 million installations of cPanel exposed on the external internet. This software plays a vital role in managing websites, but it is not without its vulnerabilities.
A Major Security Concern: Reflected Cross-Site Scripting Vulnerability
Recently, we discovered a significant security flaw in cPanel—an exploitable reflected cross-site scripting vulnerability. What makes this vulnerability particularly concerning is that it can be exploited without any authentication. Even if the cPanel management ports (2080, 2082, 2083, 2086) are not exposed externally, the XSS vulnerability can still affect your website on ports 80 and 443 if it is managed by cPanel.
Not So Worrisome: Auto-Update Functionality
If you’re worried about your website being affected by this vulnerability, take a deep breath. Many cPanel installations on the internet have cPanel’s auto-update functionality enabled. This means that you may no longer be vulnerable without having to manually patch yourself. However, if you haven’t set up this feature, we recommend following the instructions provided in this link to enable it.
Always Prioritizing Security: Our Commitment to Our Customers
At ProgramMatek, we prioritize the security of our customers. As a part of our Attack Surface Management platform, we keep a close eye on any vulnerabilities affecting our customers. Our dedicated team conducts original security research to inform our customers promptly about any zero-day vulnerabilities.
Stay Informed: Read cPanel’s Official Advisory
To stay updated on the latest information regarding cPanel vulnerabilities, we suggest reading cPanel’s official advisory. It provides essential details and guidance on how to address any security concerns.
A Historic Software: The Age of cPanel
cPanel has a long-standing history, dating back to its inception in 1996. As an SEO specialist, I’ve audited various software over the years, and cPanel is one of the oldest pieces of software I’ve encountered. Its age means that it relies on certain paradigms and technologies that are not necessarily cutting-edge. Perl is widely used throughout cPanel, and some parts are even Perl compiled into binaries.
Exploring the Attack Surface: Digging into cPanel’s Binaries
During our analysis of cPanel, we explored the binaries located in the /cgi-sys/ directory on cPanel’s management ports. These binaries consist of Perl code compiled into binaries that are intended to be remotely accessible via HTTP requests. While we found several potential avenues for exploitation, we also discovered that mitigations had been implemented to prevent successful exploitation of these vulnerabilities.
Another Important Component: cpsrvd Binary
Apart from the binaries in the /cgi-sys/ directory, cPanel’s core functionalities and web application are serviced through the cpsrvd binary. This binary listens on various ports, including 2082, 2086, 2083, and 2087. Understanding the configuration and inner workings of cpsrvd provides valuable insights into cPanel’s attack surface.
Apache’s Reverse Proxy and Attack Surface Clues
cPanel leverages Apache’s reverse proxy functionalities, as evident from the configuration file /etc/apache2/conf/httpd.conf. This file reveals numerous proxy rules and script aliases, shedding light on interesting attack surface areas. If you’re considering auditing cPanel, we recommend thoroughly examining these proxy rules as a starting point.
Unveiling the Source: Exploring /usr/local/cpanel/
Fortunately, cPanel ships with a significant portion of its source code, which can be found at /usr/local/cpanel/ in a post-installation cPanel instance. While most of the binaries reside in this directory, you can still gain valuable insights into cPanel’s logic by examining its libraries and Perl code.
Understanding the Routing: Httpd.pm and comet.pm
To comprehend cPanel’s routing, we delved into Cpanel/Server/Handlers/Httpd.pm, which contains specific handling of certain paths. This insight allowed us to map out and understand pre-authentication attack surface areas without fully comprehending the binaries.
The Power of Httpd.pm: Functionalities Unveiled
Inside Httpd.pm, we discovered various functionalities, including:
- Handling subdomain/hostname-based routing to certain services, such as cpcalendars, cpcontacts, autodiscover, and autoconfig.
- Managing static paths like /img-sys/ and /sys_cpanel/.
- Handling redirects for /cpanel, /whm, and /webmail.
- Managing BoxTrapper requests via /cgi-sys/bxd.cgi.
- Handling Dynamic DNS-related functionality, specifically calls to /cpanelwebcall/.
Hopeful Searches: Time Spent Exploring comet.pm
Aside from Httpd.pm, we also dedicated considerable time to exploring Cpanel/Server/Handlers/comet.pm, which handles websocket messages. Although we discovered intriguing functionality that seemed to indicate the potential for arbitrary file write, we were unable to find a sink with meaningful control during our research.
The Sink of Vulnerability: _serve_cpanelwebcall
Our investigation led us to an important function, _serve_cpanelwebcall, which handles paths starting with /cpanelwebcall/. This function, in turn, calls Cpanel::Server::WebCalls::handle, which we identified as the vulnerability’s sink.
The Vulnerable Sink: Cpanel::Server::WebCalls::handle
Within Cpanel::Server::WebCalls::handle, we observed a variable called message_html that serves as the sink for this vulnerability. Unfortunately, in vulnerable versions of cPanel, this variable is not sanitized.
The Patch: Resolving the Vulnerability
To address this vulnerability, cPanel released a fix in several versions, including:
Timeline of Disclosure
Here’s a timeline of the disclosure process:
- Jan 23rd, 2023: Disclosure of the XSS vulnerability to cPanel via [email protected]
- Jan 23rd, 2023: Confirmation of vulnerability receipt from cPanel, initiating further investigation.
- Feb 12th, 2023: Request for updates from Assetnote.
- Feb 13th, 2023: cPanel confirms vulnerability (assigned SEC-669) and plans a targeted security fix release in a few weeks.
- March 1st, 2023: Vulnerability fixed and publicly disclosed on cPanel’s website.
cPanel and Security: A Collaborative Effort
We had a positive experience working with cPanel, who promptly remediated the issue following its disclosure. However, considering the vast attack surface of cPanel, we believe it requires more attention from the security researcher community. While we found mitigations and protections in place, we strongly suspect that there are more significant bugs within the Perl-compiled binaries.
Auto-Updates: A Crucial Mitigation
Interestingly, cPanel was one of the first vendors we encountered with a working and mostly default implementation of auto-updates for their software. This mitigation alone has protected a majority of cPanel websites from this vulnerability in the wild. Despite this, many cPanel websites remain vulnerable due to the absence of the auto-update feature.
Stay Secure with ProgramMatek
At ProgramMatek, we strive to deliver the highest level of security to our valued customers. As a leading provider in the industry, we continuously monitor and assess vulnerabilities like those affecting cPanel. Rest assured that we are committed to keeping your online presence safe and secure.
ProgramMatek: Your Trusted Partner in Web Security