Why I don't like cPanel anymore
2009-05-03 00:05:56
Thu, 12 Mar 09 17:06:33 -0600
My server (run by HostGator) has cPanel installed by default.
For those of you who don't know, cPanel is a web-based server management application that makes routine server tasks very, very simple.
For example, if I want to password-protect a directory or create a subdomain, it is just a few clicks away. This is highly convenient.
However, in all my life, all my pen testing, all my hacking life, I have never seen a more critically vulnerable web application.
Honestly, where do I begin?
cPanel installs several "helpful" CGI scripts by default. Most of these "helpful" applications are hideously insecure: XSS, CSRF, SQL injection, buffer overflows, you name it, it's there.
cPanel itself runs as root on the server, or at least as an administrative user. That is necessary, because it has to carry out normal administrative tasks; the problem is that it is wide open to massive, trivially simple CSRF on literally every task. The one exception is changing the password, because that requires entering the old password.
In other words, an entire server can be ROOTED via CSRF.
I have never in my life seen something like CSRF lead to root so quickly.
How?
CSRF against the file manager can easily upload a PHP shell. Or, more directly, CSRF can create a cron job: a job running something like "rm -rf /*" would wipe the entire filesystem.
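To make the mechanism concrete, here is a toy model of what goes wrong and what the fix looks like. This is an added example written for this post, not cPanel code: the `/cron/add` path, the `admin.example` and `attacker.example` hosts, the `AdminApp` class and every other name in it are made up. The unprotected handler trusts any POST that carries a valid session cookie, which is exactly what a hidden auto-submitting form on an attacker's page produces, because the browser attaches the victim's cookie on its own. The hardened handler additionally requires that the request's `Origin` (or `Referer`) name the panel's own origin and that the form carry a per-session token the attacker's page has no way to read.

```python
"""Toy cookie-authenticated admin app with a "create cron job" action, shown
unprotected and then hardened against CSRF.  Added example for this post; it
is not cPanel code, and every name, path and header value in it is made up."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ADMIN_ORIGIN = "https://admin.example"   # hypothetical host serving the panel


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class AdminApp:
    def __init__(self):
        self.sessions = {}   # session cookie value -> {"user": ..., "csrf": ...}
        self.crontab = []    # (user, command) pairs that got installed

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        # One unguessable token per session; the real page embeds it as a
        # hidden form field, so only a page served from ADMIN_ORIGIN has it.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def _session(self, req):
        return self.sessions.get(req.cookies.get("session"))

    def add_cron_unprotected(self, req):
        """The pattern the post complains about: a valid session cookie on a
        POST is taken as proof that the user wanted this action."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 403
        self.crontab.append((sess["user"], req.form["command"]))
        return 200

    def add_cron_protected(self, req):
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 403
        # Check 1: browsers attach Origin (or at least Referer) to cross-site
        # form posts, and a page on another site cannot forge either header.
        # Compare scheme and host exactly; a prefix match would let
        # "https://admin.example.attacker.example" through.
        src = req.headers.get("Origin") or req.headers.get("Referer", "")
        expected, got = urlsplit(ADMIN_ORIGIN), urlsplit(src)
        if (got.scheme, got.netloc) != (expected.scheme, expected.netloc):
            return 403
        # Check 2: synchronizer token bound to the session, compared in
        # constant time.  The attacker's page cannot read it because it lives
        # in a response delivered to a different origin.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
            return 403
        self.crontab.append((sess["user"], req.form["command"]))
        return 200


def forged_request(sid):
    """Constructed: what the victim's browser sends after loading an attacker
    page that auto-submits a hidden form at the panel.  The session cookie
    goes along automatically, Origin names the attacker's site, no token."""
    return Request("POST", "/cron/add",
                   cookies={"session": sid},
                   form={"command": "rm -rf /*"},
                   headers={"Origin": "https://attacker.example"})


def legit_request(app, sid):
    """Constructed: the same action submitted from the panel's own page."""
    return Request("POST", "/cron/add",
                   cookies={"session": sid},
                   form={"command": "/usr/local/bin/backup.sh",
                         "csrf_token": app.csrf_token(sid)},
                   headers={"Origin": ADMIN_ORIGIN})


def run_demo():
    app = AdminApp()
    sid = app.login("root")    # the panel runs with an admin session
    results = {
        "forged_vs_unprotected": app.add_cron_unprotected(forged_request(sid)),
        "forged_vs_protected":   app.add_cron_protected(forged_request(sid)),
        "legit_vs_protected":    app.add_cron_protected(legit_request(app, sid)),
    }
    return results, app.crontab


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the forged request accepted by the unprotected handler (the destructive job lands in the crontab), rejected by the hardened one, and the genuine submission still accepted. Today you would also mark the session cookie `SameSite=Lax` or `Strict` so the browser withholds it on cross-site form posts in the first place, but the token check is what makes a privileged action depend on something the attacker's page cannot obtain, and it is the check this kind of panel was missing.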
Seriously, don't use cPanel for any reason. I have no doubt that there are other server management tools out there that do not fail so badly that they will bruise fruit, frighten children, and ruin your life forever.