Researchers have discovered two severe security flaws in the CentOS Web Panel that might be used as part of an exploit chain to gain pre-authenticated remote code execution on affected hosts.
Control Web Panel, formerly CentOS Web Panel, is a free and open-source Linux control panel for setting up web hosting settings.
The vulnerability, which has been assigned the number CVE-2021-45467, is a file inclusion vulnerability, which happens when a web app is tricked to expose or run arbitrary files on the webserver.
RCE bug chain patched in CentOS Web Panel #cybersecurity #infosec https://t.co/cFjQJIUTJk
— SekureNet (@Sekurenet) January 24, 2022
According to Paulos Yibelo of Octagon Networks, who identified and reported the issues, the problem occurs when two of the application’s unauthenticated PHP pages — “/user/login.php” and “/user/index.php” — fail to sufficiently validate a path to a script file.
This means that an attacker only needs to change the include statement, which is used to incorporate the content of one PHP file into another PHP file, to inject malicious code from a remote resource and gain code execution.
Interestingly, while the program had protections in place to signal attempts to switch to a parent directory (denoted by “..”) as a “hacking attempt,” it did nothing to stop the PHP interpreter from accepting a specifically generated text. “$00.” and effectively bypassing the application.
This not only allows a bad actor to acquire access to restricted API endpoints but can also be combined with an arbitrary file write vulnerability (CVE-2021-45466) to gain complete remote code execution on the server.
The CWP maintainers have since corrected the problems with fixes released earlier this month, following appropriate disclosure.
